我可以在.pgpass中使用SELinux吗?[centos7,pgagent_96,PostgreSQL9.6.5]
我可以在.pgpass中使用SELinux吗?[centos7,pgagent_96,PostgreSQL9.6.5]
提问于 2017-10-19 03:51:41
.pgpass似乎不起作用。你能检查一下我的pgagent设置吗?
OS : centos 7 ( I did NOT disable selinux )
Database : postgresql 9.6.5
pgagent : pgagent_96 3.4.0-9.rhel7 ( installed package using yum )- 我以用户“弗兰克”的身份登录了centos服务器
- 在启动pgagent之前,我检查了pgagent的状态。(我没有启用pgagent_96服务。) frank@web$ systemctl状态pgagent_96.service pgagent_96.service - PgAgent for PostgreSQL 9.6加载:加载(/usr/lib/systemd/system/pgagent_96服务;禁用;供应商预置:禁用)活动:非活动(死)
- 我开始做pgagent了。一开始看上去很成功。但是几十秒后,它没有建立连接,就死了。(在启动时,CentOs询问了弗兰克的操作系统密码。) 弗兰克@web$ systemctl启动pgagent_96.service弗兰克@web$ systemctl状态pgagent_96.service pgagent_96.service - PgAgent for PostgreSQL 9.6 Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service;disabled;供应商预置:禁用)自2017-10-16 16:42:11 KST激活:活动(运行);5s前进程: 9507 ExecStart=/usr/bin/ PgAgent _96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBHOST} user=${DBUSER} port=${DBPORT} (code=exited,status=0/SUCCESS)主PID: 9510 (pgagent_96) CGroup: /system.slice/pgagent_96.service└─9510 /usr/bin/PgAgent/var /var/log/pgagent_96.log hostaddr=127.0.0.1 dbname=postgres user=postgres port=5432 16:42:11 web.frank.net systemd1: PgAgent for PostgreSQL 9.6.10月16日16:42:11 web.frank.net systemd1: Started for PostgreSQL 9.6。
(几十秒后.)
[frank@web]$ systemctl status pgagent_96.service
● pgagent_96.service - PgAgent for PostgreSQL 9.6
Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 2017-10-16 16:42:56 KST; 4min 9s ago
Process: 9507 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
Main PID: 9510 (code=exited, status=1/FAILURE)
16 Oct 16:42:11 web.frank.net systemd[1]: Starting PgAgent for PostgreSQL 9.6...
16 Oct 16:42:11 web.frank.net systemd[1]: Started PgAgent for PostgreSQL 9.6.
16 Oct 16:42:56 web.frank.net systemd[1]: pgagent_96.service: main process exited, code=exited, status=1/FAILURE
16 Oct 16:42:56 web.frank.net systemd[1]: Unit pgagent_96.service entered failed state.
16 Oct 16:42:56 web.frank.net systemd[1]: pgagent_96.service failed.- 我查了一下pgagent日志。(登录/var/ Log /pgagent_96.log ) 警告:无法创建主连接(尝试1):fe_sendauth:未提供密码警告:无法创建主连接(尝试2):fe_sendauth:未提供密码警告:无法创建主连接(尝试3):fe_sendauth:未提供密码警告:无法创建主连接(尝试4):fe_sendauth:未提供密码警告:无法创建主连接(尝试5):fe_sendauth:未提供密码警告:无法创建主连接(尝试6):fe_sendauth:未提供密码警告:无法创建主连接(尝试7):fe_sendauth:未提供密码警告:无法创建主连接(尝试8):fe_sendauth:未提供密码警告:无法创建主连接(尝试9):fe_sendauth:未提供密码警告:无法创建主连接(尝试10):fe_sendauth:没有密码提供的错误:停止pgAgent:无法建立与数据库服务器的主连接。
- 检查了我的.pgpass文件。( .pgpass在弗兰克的主目录中。/家庭/弗兰克) frank@web$ ls -alZ .pgpass -rw?弗兰克弗兰克unconfined_u:object_r:user_home_t:s0 .pgpass frank@web$ ls -al .pgpass rw?1弗兰克弗兰克43 10月16日16:23 .pgpass .pgpass@web$ id -Z -Z frank@web$ id uid=1000( frank ) gid=1000( frank ) groups=1000(Frank)10(轮子) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
- 检查了我的pg_hba.conf。 frank@web$ su - postgres -bash-4.2$ pwd /var/lib/pgsql/9.6/data -bash-4.2美元ls -alZ pg_hba.conf -rwpostgres postgres unconfined_u:object_r:postgresql_db_t:s0 pg_hba.conf( pg_hba.conf )
pg_hba.conf含量
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
#local all all peer
local all all md5
# IPv4 local connections:
#host all all 127.0.0.1/32 ident
host all all 122.32.2.21/32 md5 (122.32.2.21 is my server's IP )
# IPv6 local connections:
#host all all ::1/128 ident
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres peer
#host replication postgres 127.0.0.1/32 ident
#host replication postgres ::1/128 ident- 我这样修改了postgres用户的密码。 postgres=#更改密码‘pwd’的用户邮政;
- .pgpass文件的内容。 本地主机:5432:postgres:postgres:pwd
- 我把.pgpass的所有者从frank改为postgres。但结果是一样的。我对OS用户'root‘(/root)、'postgres’(/var/lib/pgsql )和其他两个在/home中拥有主目录的普通用户进行了相同的测试。
(1)尝试作为OS用户“root”启动
[root@web frank]# ls -al .pgpass
-rw-------. 1 postgres postgres 43 10월 16 17:08 .pgpass
[root@web frank]# ls -alZ .pgpass
-rw-------. postgres postgres unconfined_u:object_r:user_home_t:s0 .pgpass
[root@web frank]# cat .pgpass
localhost:5432:postgres:postgres:pwd
[root@web frank]# systemctl start pgagent_96 (Here, centos asked frank's OS password )
[root@web frank]# systemctl status pgagent_96
● pgagent_96.service - PgAgent for PostgreSQL 9.6
Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 2017-10-16 23:33:15 KST; 3s ago
Process: 25928 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
Main PID: 25930 (code=exited, status=1/FAILURE)
16 Oct 23:32:30 web.frank.net systemd[1]: Starting PgAgent for Postgre....
16 Oct 23:32:30 web.frank.net systemd[1]: Started PgAgent for PostgreS....
16 Oct 23:33:15 web.frank.net systemd[1]: pgagent_96.service: main pro...E
16 Oct 23:33:15 web.frank.net systemd[1]: Unit pgagent_96.service ente....
16 Oct 23:33:15 web.frank.net systemd[1]: pgagent_96.service failed.
Hint: Some lines were ellipsized, use -l to show in full.(2)尝试以OS用户“坦率”的身份开始
[frank@web ~]$ systemctl start pgagent_96 (Here, centos asked frank's OS password )
[frank@web ~]$ systemctl status pgagent_96
● pgagent_96.service - PgAgent for PostgreSQL 9.6
Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 월 2017-10-16 23:41:03 KST; 1min 21s ago
Process: 26531 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
Main PID: 26533 (code=exited, status=1/FAILURE)
16 Oct 23:40:18 web.frank.net systemd[1]: Starting PgAgent for Postgre....
16 Oct 23:40:18 web.frank.net systemd[1]: Started PgAgent for PostgreS....
16 Oct 23:41:03 web.frank.net systemd[1]: pgagent_96.service: main pro...E
16 Oct 23:41:03 web.frank.net systemd[1]: Unit pgagent_96.service ente....
16 Oct 23:41:03 web.frank.net systemd[1]: pgagent_96.service failed.
Hint: Some lines were ellipsized, use -l to show in full.(3)尝试以OS用户“postgres”的身份启动
-bash-4.2$ systemctl start pgagent_96 (Here, centos asked frank's OS password )
-bash-4.2$ systemctl status pgagent_96
● pgagent_96.service - PgAgent for PostgreSQL 9.6
Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 월 2017-10-16 23:54:22 KST; 21s ago
Process: 27511 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
Main PID: 27515 (code=exited, status=1/FAILURE)(4)“根”、“弗兰克”和“postgres”的安全语境
(根)
[root@web ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023(弗兰克)
[frank@web ~]$ id
uid=1000(frank) gid=1000(frank) groups=1000(frank),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023( postgres )
-bash-4.2$ id
uid=26(postgres) gid=26(postgres) groups=26(postgres) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023- 当然,我可以像这样登录数据库。但是我不能使用.pgpass文件。 root@web bin# su - postgres -bash-4.2美元psql -h localhost -U postgres psql (9.6.5) postgres=#
- 目前,我认为这个问题可能与.pgpass的安全上下文有关。pgagent_96或systemd可能不允许读取.pgpass文件.(我只是猜测^^ ),我检查了pgagent_96或systemd是否可以读取.pgpass。
(1)我在/etc/profile中设置了PGPASSFILE变量。
export PGDATA=/var/lib/pgsql/9.6/data
export PGPASSFILE=/var/lib/pgsql/.pgpass(2)尝试启动pgagent_96,将.pgpass上下文类型从user_home_t改为postgresql_db_t、bin_t、usr_t,但我也遇到了同样的错误。
-bash-4.2$ echo $PGPASSFILE
/var/lib/pgsql/.pgpass
-bash-4.2$ ls -alZ .pgpass
-rw-------. postgres postgres unconfined_u:object_r:postgresql_db_t:s0 .pgpass
-bash-4.2$ systemctl start pgagent_96
====> failed to start pgAgent_96. same error.
-bash-4.2$ chcon --type bin_t .pgpass
-bash-4.2$ ls -alZ .pgpass
-rw-------. postgres postgres unconfined_u:object_r:bin_t:s0 .pgpass
-bash-4.2$ systemctl start pgagent_96
====> failed to start pgAgent_96. same error.
-bash-4.2$ chcon --type usr_t .pgpass
-bash-4.2$ ls -alZ .pgpass
-rw-------. postgres postgres unconfined_u:object_r:usr_t:s0 .pgpass
-bash-4.2$ systemctl start pgagent_96
====> failed to start pgAgent_96. same error.pgagent_96、systemd、pg_hba.conf的安全上下文
[root@web frank]# ls -alZ /usr/bin/pgagent_96
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/pgagent_96
[root@web frank]# ls -alZ /usr/lib/systemd/systemd
-rwxr-xr-x. root root system_u:object_r:init_exec_t:s0 /usr/lib/systemd/systemd
[root@web frank]# ls -alZ /var/lib/pgsql/9.6/data/pg_hba.conf
-rw-------. postgres postgres unconfined_u:object_r:postgresql_db_t:s0 /var/lib/pgsql/9.6/data/pg_hba.conf我不知道该试试什么。请帮帮我..。
更新
- 我安装了postgresql 10,pgagent_10,但是结果是一样的.我想使用systemctl命令启动pgagent。我将使pagent服务自动启动pgagent服务。
回答 1
Stack Overflow用户
回答已采纳
发布于 2018-02-07 16:28:53
我对CentOS 7也有同样的问题。我的解决方案是:
首先,检查服务脚本中的一些变量:
/usr/lib/systemd/system/pgagent_96.service 猫
1)默认情况下,User=pgagent和Group=pgagent --这是.pgpass文件的所有者/组,
你需要一套
chown pgagent:pgagent .pgpass
chmod 0600 .pgpass
2)接下来,将.pgpass文件移动到用户pgagent可以读取该文件的目录中。
(/home/frank对于用户pgagent是不可编辑的,例如,试试postgres安装dir /var/lib/pgsql/9.6或/var/lib/pgsql)
3)检查pgagent_96配置的位置变量,
默认情况下,EnvironmentFile=/etc/pgagent/pgagent_96.conf -您需要编辑这个文件。
下一步,在编辑器中打开pgagent_96.conf并进行更改:
( a)更改变量DBHOST=localhost的值(这很重要)
( b)添加变量PGPASSFILE=/path/your/pgpasfile/..pgpass(PGPASSFILE=/var/lib/pgsql/..pgpass)
在我的例子中,pgagent开始工作时没有问题。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/46822553
复制相关文章
相似问题
腾讯云开发者
