Bug 885933 - dns lookup gives permission denied error
Summary: dns lookup gives permission denied error
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Containers
Version: 2.x
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: ---
Assignee: Rob Millner
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-12-11 03:56 UTC by Aditya Patawari
Modified: 2015-05-14 23:17 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-30 05:26:59 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Aditya Patawari 2012-12-11 03:56:04 UTC
Description of problem:
I am getting "nslookup: isc_socket_bind: permission denied" with the default as well as external resolvers like 8.8.8.8.

How reproducible:
Always


Steps to Reproduce:
Step 1. Login via ssh.
Step 2. Fire "dig google.com" or "dig @8.8.8.8 google.com"
  
Actual results:
dig: isc_socket_bind: permission denied

Expected results:
The reply from the resolvers.

Comment 2 Rob Millner 2012-12-11 18:19:07 UTC
This is due to an SELinux denial.  We will investigate opening this permission.

Comment 4 Rob Millner 2012-12-11 18:27:04 UTC
Normal host-name resolution works through the NSS methods (gethostbyname); just not through the DNS specific tools that directly send DNS packets.

Comment 5 Aditya Patawari 2012-12-15 05:50:06 UTC
I understand that this won't be on top priority but do we have an estimate on how much time will it take to get this feature?

Comment 6 Rob Millner 2012-12-20 02:35:42 UTC
Gear users can issue the standard gethostbyname and gethostbyaddr calls.

The thing blocking nslookup, dig and host are that they bind to a UDP port.  To be useful, they either have to bind to the external IP address or to the any address (0.0.0.0); neither of which we allow on the platform.

We're discussing how to resolve this with the SELinux team inside Red Hat and will hopefully have a solution shortly.

Comment 7 Aditya Patawari 2013-01-16 07:23:50 UTC
Rob, do we have any update on this?

Comment 8 Rob Millner 2013-01-16 22:46:12 UTC
Had a discussion with the SELinux experts about enabling this.  It will require changes to the targeted policies for RHEL 6, Fedora 17 and Fedora 18.  We're working through the change and are expecting to have an update in a few weeks.

Comment 9 Aditya Patawari 2013-04-04 11:21:09 UTC
I won't need this anymore since I have moved out of openshift. The ticket was marked as high priority and it has been months since that action. Clearly, I was wasting my time here.

Comment 10 Rob Millner 2013-07-30 05:26:59 UTC
SELinux feature request moved to Trello Card:
https://trello.com/c/BZrNDAhP/205-selinux-allows-dns-command-line-tools-to-work

Comment 11 Michael Hampton 2015-01-25 06:02:51 UTC
This remains an issue on OpenShift Online. Has there been any progress toward resolving it?

I want to query SOA records, as part of the process of validating email addresses. This appears to be the only way to do so, as other syscalls that work, such as getaddrinfo(), aren't really set up to retrieve anything but address records.


Note You need to log in before you can comment on or make changes to this bug.