zabbix_proxy - cannot connect [13] permission denied

  • rsterenb
    Member
    • Apr 2015
    • 31

    #1

    zabbix_proxy - cannot connect [13] permission denied

    Hello,

    This is for reference because I couldn't find anything describing this (using Google). This is using zabbix_proxy 2.2.8.

    I kept getting this message in the zabbix_proxy logfile:

    Unable to connect to the server [<server_name>]:10051 [cannot connect to [[<server_name>]:10051]: [13] Permission denied]
    Still unable to connect...

    For a while I couldn't figure it out, because everything seemed to be configured correctly: from DNS to routing, firewall rules and zabbix hostnames. Portscanning confirmed that the zabbix server is reachable. Tcpdump proved however that no packets were being sent to the server by zabbix_proxy, whereas the portscan did.

    It turned out to be something else, not related to networking: a missing directory. When I enabled user "zabbix" for shell logins and su-ed to "zabbix", I got the message that "/var/lib/zabbix" could not be entered. The directory indeed didn't exist and once it was created with the correct permissions everything started working.
  • pmills4
    Junior Member
    • Apr 2015
    • 3

    #2
    What are the correct permissions you had to set on the Zabbix folder? I'm having the same issue on the proxy. I created the Zabbix folder and granted it chmod 755 and Zabbix:zabbix, but it's still not reaching the server. The firewall is open on ports 10051 and 10050 between proxy and server.

    help?

    Comment

    • rsterenb
      Member
      • Apr 2015
      • 31

      #3
      It seems not a missing directory, but SELinux

      Yes, well, the directory thing had to be something else, because yesterday I was notified that zabbix_proxy again didn't connect to zabbix_server.

      I have /var/lib/zabbix as home folder for user zabbix and the permissions are set to 750. However, this was fixed while also something else was changed.

      What was the issue, for us, is SELinux (on CentOS 6.6). With SELinux in Enforcing mode, zabbix_proxy is not allowed to connect. When set to Permissive it connects just fine, but that is not a real solution of course. Yesterday, someone changed SELinux back to Enforcing..

      Using sealert I found this:

      # sealert -a /var/log/audit/audit.log | grep zabbix_proxy
      SELinux is preventing /usr/sbin/zabbix_proxy_mysql from name_connect access on the tcp_socket .
      If you believe that zabbix_proxy_mysql should be allowed name_connect access on the tcp_socket by default.
      # grep zabbix_proxy /var/log/audit/audit.log | audit2allow -M mypol
      SELinux is preventing /usr/sbin/zabbix_proxy_mysql from name_connect access on the tcp_socket .
      If you want to allow /usr/sbin/zabbix_proxy_mysql to connect to network port 10060
      If you believe that zabbix_proxy_mysql should be allowed name_connect access on the tcp_socket by default.
      # grep zabbix_proxy /var/log/audit/audit.log | audit2allow -M mypol
      SELinux is preventing /usr/sbin/zabbix_proxy_mysql from name_connect access on the tcp_socket .
      If you believe that zabbix_proxy_mysql should be allowed name_connect access on the tcp_socket by default.
      # grep zabbix_proxy /var/log/audit/audit.log | audit2allow -M mypol


      So, two distinct issues were found having one solution.
      This fixed the SELinux issue for us:

      # grep zabbix_proxy /var/log/audit/audit.log | audit2allow -M mypol
      # semodule -i mypol.pp

      Comment

      • acropia
        Junior Member
        • Mar 2015
        • 26

        #4
        Solved: Permission denied b/o SELinux

        Today I installed a new fresh Zabbix Proxy and got exactly the same error "Permission denied". This was the first machine (CentOS Linux 7.1) where I did not disable SELinux or set SELinux to permissive mode. So I thought it had to be something with SELinux.

        My SELinux mode is enforcing. You can check your mode by executing:
        Code:
        sestatus
        Then I checked which SELinux settings there are available for Zabbix, by executing:
        Code:
        getsebool -a | grep zabbix
        Code:
        httpd_can_connect_zabbix --> off
        zabbix_can_network --> off
        The setting 'zabbix_can_network' looked like the one which was causing the Permission denied error.

        So I changed this setting to 'on' by executing:
        Code:
        setsebool -P zabbix_can_network on
        After that my Zabbix Proxy was connecting to Zabbix Server, and the problem was solved!

        Comment
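An added example, not written by any poster in this thread: before loading a module built with `grep zabbix_proxy ... | audit2allow -M mypol` (post #3), this lists which denials that pipeline would turn into allow rules and which ones the `zabbix_can_network` boolean (post #4) addresses instead. The audit records are constructed, the function names are hypothetical, and treating `name_connect` from `zabbix_t` as covered by that boolean is an assumption based on post #4's result.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Real use (as root):
#   grep zabbix_proxy /var/log/audit/audit.log | classify_denials

# Constructed sample AVC records; PIDs, timestamps and contexts are made up.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1429600000.101:510): avc:  denied  { name_connect } for  pid=2101 comm="zabbix_proxy_my" dest=10051 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1429600060.202:511): avc:  denied  { name_connect } for  pid=2101 comm="zabbix_proxy_my" dest=10051 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zabbix_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1429600120.303:512): avc:  denied  { read } for  pid=2101 comm="zabbix_proxy_my" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

# stdin: audit records. stdout: "count perm tclass source_type target_type dest"
summarize_denials() {
  awk '
    /type=AVC/ && /denied/ && /zabbix_proxy/ {
      perm = tclass = src = tgt = ""; dest = "-"
      if (match($0, /[{] [^}]+ [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      gsub(/ /, ",", perm)   # "{ read write }" becomes "read,write"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dest=/)     dest = substr($i, 6)
        if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
      }
      seen[perm " " tclass " " src " " tgt " " dest]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort
}

# Assumption: outbound TCP connects from zabbix_t are what zabbix_can_network
# governs. Anything else would be allowed wholesale by a blind audit2allow run.
classify_denials() {
  summarize_denials | while read -r count perm tclass src tgt dest; do
    if [ "$perm" = name_connect ] && [ "$tclass" = tcp_socket ] && [ "$src" = zabbix_t ]; then
      echo "boolean:zabbix_can_network $perm port=$dest x$count"
    else
      echo "review-before-allowing $perm $tclass $src->$tgt x$count"
    fi
  done
}

sample_audit_log | classify_denials
```

Rows marked `review-before-allowing` are the ones to examine in the generated `mypol.te` before running `semodule -i mypol.pp`.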

        • Balaraju
          Member
          • Jun 2016
          • 40

          #5
          zabbix 3.0 client

          I am facing the same problem. The Zabbix agent is not restarting. The log is below; can anybody help? I have disabled SELinux and enabled port 10050 on the client side.
          29085:20160730:062959.263 Starting Zabbix Agent [Test host]. Zabbix 3.0.4 (revision 61185).
          29085:20160730:062959.263 **** Enabled features ****
          29085:20160730:062959.263 IPv6 support: YES
          29085:20160730:062959.263 TLS support: YES
          29085:20160730:062959.263 **************************
          29085:20160730:062959.263 using configuration file: /etc/zabbix/zabbix_agentd.conf
          29085:20160730:062959.263 cannot set resource limit: [13] Permission denied
          29085:20160730:062959.263 cannot disable core dump, exiting...

          Comment

          • perun.84
            Member
            • May 2016
            • 73

            #6
            Is SELinux enabled? Could you check SELinux status?

            Comment

            • batchenr
              Senior Member
              • Sep 2016
              • 440

              #7
              I had this too and it was SELinux; it was disabled but I had to run the command

              setenforce 0

              Comment

              • djcarlos2001
                Junior Member
                • Dec 2018
                • 1

                #8
                This is really helpful. On CentOS7, executing:
                getsebool -a | grep zabbix
                allowed the Zabbix proxy to reach our Zabbix server hosted on another VM. Thanks.

                Comment
