Bug 885933 - dns lookup gives permission denied error
Summary: dns lookup gives permission denied error
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Containers
Version: 2.x
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Rob Millner
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-12-11 03:56 UTC by Aditya Patawari
Modified: 2015-05-14 23:17 UTC
CC List: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-30 05:26:59 UTC
Target Upstream Version:
Embargoed:



Description Aditya Patawari 2012-12-11 03:56:04 UTC
Description of problem:
I am getting "nslookup: isc_socket_bind: permission denied" with the default as well as external resolvers like 8.8.8.8.

How reproducible:
Always


Steps to Reproduce:
Step 1. Log in via ssh.
Step 2. Fire "dig google.com" or "dig @8.8.8.8 google.com"
  
Actual results:
dig: isc_socket_bind: permission denied

Expected results:
The reply from the resolvers.

Comment 2 Rob Millner 2012-12-11 18:19:07 UTC
This is due to an SELinux denial.  We will investigate opening this permission.

Comment 4 Rob Millner 2012-12-11 18:27:04 UTC
Normal host-name resolution works through the NSS methods (gethostbyname); just not through the DNS specific tools that directly send DNS packets.

Comment 5 Aditya Patawari 2012-12-15 05:50:06 UTC
I understand that this won't be on top priority, but do we have an estimate on how much time it will take to get this feature?

Comment 6 Rob Millner 2012-12-20 02:35:42 UTC
Gear users can issue the standard gethostbyname and gethostbyaddr calls.

The thing blocking nslookup, dig and host is that they bind to a UDP port.  To be useful, they either have to bind to the external IP address or to the any address (0.0.0.0); neither of which we allow on the platform.

We're discussing how to resolve this with the SELinux team inside Red Hat and will hopefully have a solution shortly.

Comment 7 Aditya Patawari 2013-01-16 07:23:50 UTC
Rob, do we have any update on this?

Comment 8 Rob Millner 2013-01-16 22:46:12 UTC
Had a discussion with the SELinux experts about enabling this.  It will require changes to the targeted policies for RHEL 6, Fedora 17 and Fedora 18.  We're working through the change and are expecting to have an update in a few weeks.

Comment 9 Aditya Patawari 2013-04-04 11:21:09 UTC
I won't need this anymore since I have moved out of openshift. The ticket was marked as high priority and it has been months since that action. Clearly, I was wasting my time here.

Comment 10 Rob Millner 2013-07-30 05:26:59 UTC
SELinux feature request moved to Trello Card:
https://trello.com/c/BZrNDAhP/205-selinux-allows-dns-command-line-tools-to-work

Comment 11 Michael Hampton 2015-01-25 06:02:51 UTC
This remains an issue on OpenShift Online. Has there been any progress toward resolving it?

I want to query SOA records, as part of the process of validating email addresses. This appears to be the only way to do so, as other syscalls that work, such as getaddrinfo(), aren't really set up to retrieve anything but address records.
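Comments 4, 6 and 11 turn on the difference between resolving a name through NSS (gethostbyname/getaddrinfo, which only return addresses) and the DNS command-line tools, which assemble DNS messages themselves and send them from their own UDP socket. The program below is an added example, not code from the bug report, from OpenShift or from BIND's tools: it builds an SOA query in wire format, parses a reply including name-compression pointers, and offers an optional live lookup that will surface the same operating-system error the report describes if the platform denies the socket operation. The zone `example.test`, the transaction id `0x1234`, the reply bytes and the timing values are constructed for the example; the resolver address 8.8.8.8 is the one used in the report.

```python
"""Hand-built DNS SOA query and reply parser (added example, constructed data)."""
import os
import socket
import struct

QTYPE_SOA = 6   # RR type for Start of Authority
QCLASS_IN = 1   # Internet class


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_soa_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive query (RD set) for the SOA record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly-compressed name at `offset`.
    Returns (name, offset just past the name in the original byte stream)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_soa_response(msg: bytes, expected_txid: int) -> dict:
    """Walk header, question and answer sections; return the first SOA answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0x000F}")
    off = 12
    for _ in range(qd):                 # skip question entries
        _, off = decode_name(msg, off)
        off += 4                        # qtype + qclass
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_end = off + rdlen
        if rtype == QTYPE_SOA and rclass == QCLASS_IN:
            mname, off = decode_name(msg, off)
            rname, off = decode_name(msg, off)
            serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[off:off + 20])
            return {"owner": owner, "ttl": ttl, "mname": mname, "rname": rname,
                    "serial": serial, "refresh": refresh, "retry": retry,
                    "expire": expire, "minimum": minimum}
        off = rdata_end
    raise ValueError("no SOA record in answer section")


def constructed_response(txid: int = 0x1234) -> bytes:
    """Constructed (not captured) reply for an SOA query on example.test; the
    owner, mname and rname use compression pointers back to the question name."""
    ptr_to_qname = b"\xc0\x0c"                       # pointer to offset 12
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name("example.test") + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    rdata = (b"\x03ns1" + ptr_to_qname + b"\x0ahostmaster" + ptr_to_qname
             + struct.pack("!IIIII", 2012121101, 7200, 900, 1209600, 300))
    answer = ptr_to_qname + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata))
    return header + question + answer + rdata


def query_soa(name: str, server: str = "8.8.8.8", timeout: float = 3.0) -> dict:
    """Live lookup. sendto() on an unbound UDP socket makes the kernel pick a
    local port; on a platform that denies that, the OSError appears here."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_soa_response(data, txid)


if __name__ == "__main__":
    print(parse_soa_response(constructed_response(), 0x1234))   # offline demo
```

Running the file parses the constructed reply offline; `query_soa("example.com")` performs the real exchange and is the part that fails with a permission error on a gear that denies the UDP bind, while `socket.getaddrinfo` keeps working because it goes through NSS and never opens a DNS socket of its own.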

