Bug 885933

Summary: dns lookup gives permission denied error
Product: OpenShift Online
Component: Containers
Version: 2.x
Reporter: Aditya Patawari <adimania>
Assignee: Rob Millner <rmillner>
QA Contact: libra bugs <libra-bugs>
CC: bhatiam, error, mfisher
Status: CLOSED UPSTREAM
Severity: medium
Priority: high
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Last Closed: 2013-07-30 05:26:59 UTC

Description Aditya Patawari 2012-12-11 03:56:04 UTC
Description of problem:
I am getting "nslookup: isc_socket_bind: permission denied" with the default as well as external resolvers like 8.8.8.8.

How reproducible:
Always


Steps to Reproduce:
Step 1. Log in via ssh.
Step 2. Run "dig google.com" or "dig @8.8.8.8 google.com"

Actual results:
dig: isc_socket_bind: permission denied

Expected results:
The reply from the resolvers.

Comment 2 Rob Millner 2012-12-11 18:19:07 UTC
This is due to an SELinux denial.  We will investigate opening this permission.

Comment 4 Rob Millner 2012-12-11 18:27:04 UTC
Normal host-name resolution works through the NSS methods (gethostbyname); just not through the DNS specific tools that directly send DNS packets.

Comment 5 Aditya Patawari 2012-12-15 05:50:06 UTC
I understand that this won't be top priority, but do we have an estimate of how much time it will take to get this feature?

Comment 6 Rob Millner 2012-12-20 02:35:42 UTC
Gear users can issue the standard gethostbyname and gethostbyaddr calls.

The thing blocking nslookup, dig and host is that they bind to a UDP port.  To be useful, they either have to bind to the external IP address or to the any address (0.0.0.0); neither of which we allow on the platform.

We're discussing how to resolve this with the SELinux team inside Red Hat and will hopefully have a solution shortly.

Comment 7 Aditya Patawari 2013-01-16 07:23:50 UTC
Rob, do we have any update on this?

Comment 8 Rob Millner 2013-01-16 22:46:12 UTC
Had a discussion with the SELinux experts about enabling this.  It will require changes to the targeted policies for RHEL 6, Fedora 17 and Fedora 18.  We're working through the change and are expecting to have an update in a few weeks.

Comment 9 Aditya Patawari 2013-04-04 11:21:09 UTC
I won't need this anymore since I have moved out of openshift. The ticket was marked as high priority and it has been months since that action. Clearly, I was wasting my time here.

Comment 10 Rob Millner 2013-07-30 05:26:59 UTC
SELinux feature request moved to Trello Card:
https://trello.com/c/BZrNDAhP/205-selinux-allows-dns-command-line-tools-to-work

Comment 11 Michael Hampton 2015-01-25 06:02:51 UTC
This remains an issue on OpenShift Online. Has there been any progress toward resolving it?

I want to query SOA records, as part of the process of validating email addresses. This appears to be the only way to do so, as other syscalls that work, such as getaddrinfo(), aren't really set up to retrieve anything but address records.
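The two mechanisms contrasted in comment 6 and comment 11, as an added example that is not part of the ticket and not OpenShift or dig code: gethostbyname/getaddrinfo go through NSS and only return addresses, while dig and friends speak DNS wire format themselves and, per comment 6, bind() a UDP port before sending. The script below builds an SOA query in wire format, parses the reply including name-compression pointers, and sends it over a UDP socket that is connect()ed rather than explicitly bind()ed. Whether skipping the explicit bind() avoids the SELinux denial in the ticket is an assumption of this example, not something the ticket states. The resolver address 8.8.8.8 (taken from the report), the fixed transaction id and the sample reply for example.com are constructed for the example.

```python
# Added example: a minimal SOA query/response in DNS wire format (RFC 1035),
# sent without an explicit bind().  Not code from the ticket, OpenShift or dig.
import socket
import struct

QTYPE_SOA = 6
QCLASS_IN = 1
QUERY_ID = 0x1234   # fixed for the example; real code should randomise the id


def encode_name(name):
    """Encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_query(name, txid=QUERY_ID):
    """12-byte header (RD=1, one question) followed by QNAME, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2                   # caller resumes after the first pointer
            hops += 1
            if hops > 64:                          # refuse a pointer loop in a hostile reply
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def parse_soa_response(msg, txid=QUERY_ID):
    """Return the SOA records in the answer section as dicts."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):                       # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SOA and rclass == QCLASS_IN:
            mname, p = decode_name(msg, off)       # primary master name
            rname, p = decode_name(msg, p)         # responsible mailbox, as a name
            serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[p:p + 20])
            records.append({"owner": owner, "ttl": ttl, "mname": mname, "rname": rname,
                            "serial": serial, "refresh": refresh, "retry": retry,
                            "expire": expire, "minimum": minimum})
        off += rdlen
    return records


def query_soa(name, resolver="8.8.8.8", timeout=3.0):
    """Send the query with connect()+send(); no explicit bind() is issued (assumption:
    that is the call dig makes and the ticket says is denied)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((resolver, 53))                  # kernel picks the local port implicitly
        s.send(build_soa_query(name))
        return parse_soa_response(s.recv(4096))


def sample_response():
    """Constructed reply to build_soa_query("example.com"), using compression pointers."""
    hdr = struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, 1 answer
    question = encode_name("example.com") + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    ptr = b"\xc0\x0c"                              # pointer to offset 12, the QNAME
    rdata = (b"\x03ns1" + ptr + b"\x0ahostmaster" + ptr
             + struct.pack("!IIIII", 2023010101, 7200, 900, 1209600, 86400))
    answer = ptr + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata)) + rdata
    return hdr + question + answer


if __name__ == "__main__":
    print(build_soa_query("example.com").hex())
    print(parse_soa_response(sample_response()))   # works offline on the constructed reply
```

getaddrinfo() has no way to ask for an SOA record, which is why the reporter in comment 11 is stuck once the raw-UDP tools are denied; the parser above is the piece those tools provide that the NSS API does not. The pointer-hop limit in decode_name matters in practice because a malicious resolver can otherwise send a self-referencing pointer and spin the parser.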