Description of problem:
I am getting "nslookup: isc_socket_bind: permission denied" with the default as well as external resolvers like 126.96.36.199.
Steps to Reproduce:
Step 1. Login via ssh.
Step 2. Fire "dig google.com" or "dig @188.8.131.52 google.com"
dig: isc_socket_bind: permission denied
The reply from the resolvers.
Also see: https://openshift.redhat.com/community/forums/openshift/dns-lookup-gives-permission-denied-error
This is due to an SELinux denial. We will investigate opening this permission.
Normal host-name resolution works through the NSS methods (gethostbyname); just not through the DNS specific tools that directly send DNS packets.
I understand that this won't be on top priority, but do we have an estimate on how much time it will take to get this feature?
Gear users can issue the standard gethostbyname and gethostbyaddr calls.
The thing blocking nslookup, dig and host is that they bind to a UDP port. To be useful, they either have to bind to the external IP address or to the any address (0.0.0.0), neither of which we allow on the platform.
We're discussing how to resolve this with the SELinux team inside Red Hat and will hopefully have a solution shortly.
Rob, do we have any update on this?
Had a discussion with the SELinux experts about enabling this. It will require changes to the targeted policies for RHEL 6, Fedora 17 and Fedora 18. We're working through the change and are expecting to have an update in a few weeks.
I won't need this anymore since I have moved out of openshift. The ticket was marked as high priority and it has been months since that action. Clearly, I was wasting my time here.
SELinux feature request moved to Trello Card:
This remains an issue on OpenShift Online. Has there been any progress toward resolving it?
I want to query SOA records, as part of the process of validating email addresses. This appears to be the only way to do so, as other syscalls that work, such as getaddrinfo(), aren't really set up to retrieve anything but address records.
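As an added example (not from this ticket, OpenShift, or BIND's own code), the following Python script shows both points raised in the thread: the request has to leave through a plain UDP socket, which is the ephemeral-port bind that dig and nslookup perform and the gear policy denied, and the SOA record fields are parsed out of the wire-format reply directly, since getaddrinfo() only returns addresses. The transaction id, the resolver address placeholder, and the sample reply bytes for example.com are constructed for illustration.

```python
import socket
import struct

TXID = 0x1234          # constructed transaction id; a real client should randomise it
QTYPE_SOA, QCLASS_IN = 6, 1


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_query(name, txid=TXID):
    """12-byte header (RD set, one question) followed by one SOA/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:                         # only the first pointer ends the field
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if end is None:
        end = offset
    return ".".join(labels) + ".", end


def parse_soa_response(msg, txid=TXID):
    """Return the fields of the first SOA answer, or None if the reply has none."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):                          # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    for _ in range(an):
        _owner, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_SOA:
            mname, p = decode_name(msg, offset)
            rname, p = decode_name(msg, p)          # mailbox: first label is the local part
            serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[p:p + 20])
            return {"mname": mname, "rname": rname, "ttl": ttl, "serial": serial,
                    "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}
        offset += rdlen
    return None


def query_soa(name, server, timeout=3.0):
    """Live lookup over UDP. The sendto() makes the kernel bind an ephemeral UDP
    port on the outgoing interface; that bind is what the gear SELinux policy denied."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_soa_response(data)


def constructed_soa_response(rcode=0):
    """Constructed reply for 'example.com. SOA', using compression pointers
    (0xC00C points at the question name at offset 12)."""
    header = struct.pack("!HHHHHH", TXID, 0x8180 | rcode, 1, 1, 0, 0)
    question = encode_name("example.com.") + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    rdata = (b"\x03ns1\xc0\x0c"                       # ns1.example.com.
             + b"\x0ahostmaster\xc0\x0c"              # hostmaster.example.com.
             + struct.pack("!IIIII", 2024010101, 7200, 900, 1209600, 3600))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    print(parse_soa_response(constructed_soa_response()))
    # Live lookup (needs a UDP port, hence the error in this ticket on a gear):
    # print(query_soa("example.com.", "192.0.2.53"))  # placeholder resolver address
```

Running the script offline parses the constructed reply; on a host where the UDP bind is permitted, `query_soa()` performs the same exchange against a real resolver. The parser checks the transaction id and RCODE and caps compression-pointer hops, which is the minimum a client reading untrusted DNS replies should do.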