Bug 239863 - xen-http-server will not allow remote management; fails to bind to any port
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: xen
All Linux
Priority: medium, Severity: medium
Assigned To: Xen Maintainance List
Depends On:
Reported: 2007-05-11 15:26 EDT by Paul Morgan
Modified: 2007-11-30 17:07 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-05-17 14:04:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Paul Morgan 2007-05-11 15:26:40 EDT
Description of problem:
xen-http-server does not bind to the port specified in /etc/xen/xend-config.sxp

Version-Release number of selected component (if applicable):
rhel 5.0

How reproducible: always

Steps to Reproduce:
1. uncomment existing lines in xend-config*
  (xend-http-server yes)
  (xend-address     192.168.0.something)
  (xend-port        8000)
2. service xend restart
3. netstat -tlpn | grep 8000
Actual results:
fails to bind; produces avc denials

Expected results:
xend should run mgmt on specified port

Additional info:
The default targeted selinux policy should be modified.

A workaround can be established as follows:

The default targeted policy does not allow
xen-http-server to bind to any port...
  semanage port -l | grep xen
  ^^^^ shows that only the relocation server is allowed to bind

...additionally, the default xend-config port 8000 cannot be used:
  semanage port -l | grep 8000

...so modify policy on running system:
  semanage port -a -t xen_port_t -p tcp 8001

...now modify xend-config:
  (xend-http-server yes)
  (xend-address     192.168.0.something)
  (xend-port        8001)

...and restart:
  service xend restart
  netstat -tlpn | grep 8001

xen happiness results!
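An audit check for the configuration in this report, added here as an example (it is not part of the bug report or of xen itself): it parses a xend-config.sxp and the output of `semanage port -l`, both constructed inline so the script runs offline (the 192.168.0.10 address and the 8002 port carrying xen_port_t are assumed sample values), and reports whether the unauthenticated HTTP management server is enabled and whether SELinux policy would let xend bind the configured port at all.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a xend-config.sxp for the
# xend-http-server setting and check the configured port against the SELinux
# port type xend may bind (xen_port_t). Inputs are constructed samples so the
# script runs offline; on a real host use /etc/xen/xend-config.sxp and `semanage port -l`.
SAMPLE_CONFIG='
# (xend-http-server no)
(xend-http-server yes)
(xend-address     192.168.0.10)
(xend-port        8000)
'
# Constructed excerpt in the layout of `semanage port -l`: type, protocol, ports.
SAMPLE_SEMANAGE='
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
xen_port_t                     tcp      8002
'
# xend_setting KEY CONFIG -> value of the first uncommented "(KEY value)" line
xend_setting() {
    printf '%s\n' "$2" | grep -v '^[[:space:]]*#' \
        | sed -n "s/^[[:space:]]*($1[[:space:]]\{1,\}\([^)]*\)).*/\1/p" | head -n 1
}
# port_labeled PORT SEMANAGE_OUTPUT -> exit 0 if tcp/PORT carries xen_port_t
port_labeled() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "xen_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 }
        }
        END { if (found) exit 0; exit 1 }'
}
# audit_xend CONFIG SEMANAGE_OUTPUT -> 0 when the HTTP server is off, 1 when it is
# on (unauthenticated management exposed); also reports whether SELinux policy
# would let xend bind the configured port (default 8000 when the line is absent).
audit_xend() {
    http=$(xend_setting xend-http-server "$1")
    port=$(xend_setting xend-port "$1"); port=${port:-8000}
    addr=$(xend_setting xend-address "$1")
    if [ "$http" != "yes" ]; then
        echo "ok: xend-http-server is disabled"; return 0
    fi
    echo "FINDING: xend-http-server enabled on ${addr:-all addresses}:$port (no authentication)"
    if port_labeled "$port" "$2"; then
        echo "  selinux: tcp/$port is labeled xen_port_t, bind permitted"
    else
        echo "  selinux: tcp/$port is not labeled xen_port_t, bind denied (AVC)"
    fi
    return 1
}
audit_xend "$SAMPLE_CONFIG" "$SAMPLE_SEMANAGE" || echo "audit exit status: $?"
```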
Comment 1 Daniel Berrange 2007-05-17 14:04:07 EDT
We don't support use of the xen-http-server at all in RHEL, hence it is not
allowed by the SELinux policy. XenD has *zero* authentication on its HTTP
service, so turning on 'xen-http-server' is quite seriously the same as running
a telnet server with no root password set. If you really want to let anyone own
your machine, then as you documented above, semanage can be used. This is not
something we will allow for out of the box.
