Bug 1025631

Summary: can't connect to remote ports from gear - SELinux permission denied
Product: OpenShift Online
Reporter: William Monteiro <wmonteiro>
Component: Containers
Assignee: Jhon Honce <jhonce>
Status: CLOSED UPSTREAM
QA Contact: libra bugs <libra-bugs>
Severity: medium
Priority: unspecified
Version: 2.x
CC: vvitek, wmonteiro
Keywords: SupportQuestion
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-12-19 15:39:22 UTC
Type: Bug

Description William Monteiro 2013-11-01 06:38:36 UTC
Description of problem:
Cannot use telnet in the SSH shell, nor use PHP's fsockopen function to contact another server.

Version-Release number of selected component (if applicable):


How reproducible:
Try to telnet to any domain and get a permission denied error.

Actual results:
telnet ssh.inf.ufsm.br
Trying 200.18.42.12...
telnet: connect to address 200.18.42.12: Permission denied

Expected results: (HOME)
telnet ssh.inf.ufsm.br
Trying 200.18.42.12...
telnet: connect to address 200.18.42.12: Connection refused
telnet: Unable to connect to remote host

Additional info:
Trying to send SMS through an SMS gateway, but can't connect to it.
Thanks!

Comment 1 Clayton Coleman 2013-11-01 18:54:19 UTC
Hi William, you've got a PHP application, you're ssh'd into your gear, and you're trying to open a telnet session to the remote host from within the gear?

Comment 2 William Monteiro 2013-11-03 15:43:46 UTC
(In reply to Clayton Coleman from comment #1)
> Hi William, you've got a PHP application, you're ssh'd into your gear, and
> you're trying to open a telnet session to the remote host from within the
> gear?

Yes, I need to connect to another host through PHP in my gear, but I am not allowed.

Comment 3 William Monteiro 2013-11-06 06:32:21 UTC
UPDATE: I can NOT telnet from any of my gears. Tried again, but still getting permission denied error.

Comment 4 Vojtech Vitek 2013-11-18 17:42:07 UTC
@William, are you really connecting to the remote host that is publicly accessible?

I just tried telnet from my PHP gear and it worked correctly:
> rhc ssh <php-app>
>
> telnet www.openshift.com 80
> Trying 107.21.108.229...
> Connected to www.openshift.com.
> Escape character is '^]'.
> GET / HTTP/1.1             
> host: www.openshift.com
> 
> HTTP/1.1 301 Moved Permanently
> Content-Type: text/html; charset=iso-8859-1
> Date: Mon, 18 Nov 2013 17:38:33 GMT
> Location: https://www.openshift.com/
> Server: Apache/2.2.15 (Red Hat)
> Content-Length: 318
> Connection: keep-alive
> 
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>301 Moved Permanently</title>
> </head><body>
> <h1>Moved Permanently</h1>
> <p>The document has moved <a href="https://www.openshift.com/">here</a>.</p>
> <hr>
> <address>Apache/2.2.15 (Red Hat) Server at www.openshift.com Port 80</address>
> </body></html>

Comment 5 William Monteiro 2013-11-18 19:36:45 UTC
On port 80, I can connect. But no other port.

telnet androidumes.no-ip.org 9090
Trying 186.252.152.241...
telnet: connect to address 186.252.152.241: Permission denied

Comment 7 Jhon Honce 2013-12-19 15:39:22 UTC
Current OpenShift Online security policies are being reviewed for relaxing outbound ports.  9090 is on the current blacklist.
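Added example, not part of the bug report or of OpenShift's code: a small egress check that separates the two outcomes seen in this thread, "Permission denied" (the local host's policy vetoed connect()) and "Connection refused" (the packet left the host and the peer rejected it). The function names, verdict strings and the `replay_thread_connect` stand-in are assumptions made for illustration; the stand-in is constructed from the results reported in comments 4 and 5 so the example runs offline.

```python
import errno
import socket

# Verdict per errno returned by connect(); see connect(2).
VERDICTS = {
    errno.EACCES: "blocked-locally",       # e.g. SELinux policy denied the connection
    errno.EPERM: "blocked-locally",        # local firewall rule
    errno.ECONNREFUSED: "remote-refused",  # egress worked; peer sent RST
    errno.EHOSTUNREACH: "unreachable",
    errno.ENETUNREACH: "unreachable",
}

def classify(exc):
    """Map an exception raised by a connect attempt to a verdict string."""
    if isinstance(exc, socket.timeout):
        return "timeout"        # silently dropped somewhere on the path
    if isinstance(exc, socket.gaierror):
        return "dns-failure"    # never got as far as connect()
    return VERDICTS.get(getattr(exc, "errno", None), "other")

def probe(host, port, timeout=3.0, connect=socket.create_connection):
    """Try one outbound TCP connection and return its verdict."""
    try:
        conn = connect((host, port), timeout)
    except OSError as exc:
        return classify(exc)
    conn.close()
    return "connected"

def egress_report(host, ports, **kwargs):
    """Probe several ports; return (per-port verdicts, locally blocked ports)."""
    results = {port: probe(host, port, **kwargs) for port in ports}
    blocked = sorted(p for p, v in results.items() if v == "blocked-locally")
    return results, blocked

class _FakeConn:
    def close(self):
        pass

def replay_thread_connect(address, timeout):
    """Constructed stand-in for the gear: port 80 connects, 9090 is denied."""
    if address[1] == 80:
        return _FakeConn()
    raise PermissionError(errno.EACCES, "Permission denied")

if __name__ == "__main__":
    print(egress_report("gateway.example", [80, 9090],
                        connect=replay_thread_connect))
```

Dropping the `connect=` argument makes `egress_report` use real sockets, so it can be run from inside a gear against a host you control to see which outbound ports the local policy rejects.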