我可以在SELinux中使用.pgpass吗? [centos7,pgagent_96,postgresql 9.6.5]
[英]Can I use .pgpass in SELinux? [centos7, pgagent_96, postgresql 9.6.5]
问题描述
.pgpass seems to be not working. 
.pgpass似乎无法正常工作。 Could you check my pgagent setting? 你能查一下我的行李设置吗?
OS : centos 7 ( I did NOT disable selinux )
Database : postgresql 9.6.5
pgagent : pgagent_96 3.4.0-9.rhel7 ( installed package using yum )
- I logged on centos server as user 'frank' 我以用户'frank'登录centos服务器
Before starting pgagent, I checked status of pgagent.
在开始pgagent之前,我检查了pgagent的状态。 ( I did not enable pgagent_96 service. ) (我没有启用pgagent_96服务。) [frank@web]$ systemctl status pgagent_96.service ● pgagent_96.service - PgAgent for PostgreSQL 9.6 Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled) Active: inactive (dead)I started pgagent.
我开始了pgagent。 At first it looks successful. 起初它看起来很成功。 But after tens of seconds, it failed to create connection and died. 但经过几十秒,它未能建立连接而死亡。 ( While starting CentOs asked me frank's OS password. ) (虽然启动CentOs问我frank的操作系统密码。) [frank@web]$ systemctl start pgagent_96.service [frank@web]$ systemctl status pgagent_96.service ● pgagent_96.service - PgAgent for PostgreSQL 9.6 Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled) Active: active (running) since 2017-10-16 16:42:11 KST; 5s ago Process: 9507 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS) Main PID: 9510 (pgagent_96) CGroup: /system.slice/pgagent_96.service └─9510 /usr/bin/pgagent_96 -s /var/log/pgagent_96.log hostaddr=127.0.0.1 dbname=postgres user=postgres port=5432 16 Oct 16:42:11 web.frank.net systemd[1]: Starting PgAgent for PostgreSQL 9.6... 16 Oct 16:42:11 web.frank.net systemd[1]: Started PgAgent for PostgreSQL 9.6.
(After tens of seconds... ) (几秒钟后......)
[frank@web]$ systemctl status pgagent_96.service
● pgagent_96.service - PgAgent for PostgreSQL 9.6
Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 2017-10-16 16:42:56 KST; 4min 9s ago
Process: 9507 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
Main PID: 9510 (code=exited, status=1/FAILURE)
16 Oct 16:42:11 web.frank.net systemd[1]: Starting PgAgent for PostgreSQL 9.6...
16 Oct 16:42:11 web.frank.net systemd[1]: Started PgAgent for PostgreSQL 9.6.
16 Oct 16:42:56 web.frank.net systemd[1]: pgagent_96.service: main process exited, code=exited, status=1/FAILURE
16 Oct 16:42:56 web.frank.net systemd[1]: Unit pgagent_96.service entered failed state.
16 Oct 16:42:56 web.frank.net systemd[1]: pgagent_96.service failed.
I checked pgagent log.
我检查了pgagent日志。 ( Log in /var/log/pgagent_96.log ) (登录/var/log/pgagent_96.log) WARNING: Couldn't create the primary connection (attempt 1): fe_sendauth: no password supplied WARNING: Couldn't create the primary connection (attempt 2): fe_sendauth: no password supplied WARNING: Couldn't create the primary connection (attempt 3): fe_sendauth: no password supplied WARNING: Couldn't create the primary connection (attempt 4): fe_sendauth: no password supplied WARNING: Couldn't create the primary connection (attempt 5): fe_sendauth: no password supplied WARNING: Couldn't create the primary connection (attempt 6): fe_sendauth: no password supplied WARNING: Couldn't create the primary connection (attempt 7): fe_sendauth: no password supplied WARNING: Couldn't create the primary connection (attempt 8): fe_sendauth: no password supplied WARNING: Couldn't create the primary connection (attempt 9): fe_sendauth: no password supplied WARNING: Couldn't create the primary connection (attempt 10): fe_sendauth: no password supplied ERROR: Stopping pgAgent: Couldn't establish the primary connection with the database server.Checked my .pgpass file.
检查了我的.pgpass文件。 ( .pgpass is in frank's home directory. /home/frank ) (.pgpass在frank的主目录中./ home / frank) [frank@web]$ ls -alZ .pgpass -rw-------. frank frank unconfined_u:object_r:user_home_t:s0 .pgpass [frank@web]$ ls -al .pgpass -rw-------. 1 frank frank 43 16 Oct 16:23 .pgpass [frank@web]$ id -Z unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [frank@web]$ id uid=1000(frank) gid=1000(frank) groups=1000(frank),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023Checked my pg_hba.conf.
检查了我的pg_hba.conf。 [frank@web]$ su - postgres -bash-4.2$ pwd /var/lib/pgsql/9.6/data -bash-4.2$ ls -alZ pg_hba.conf -rw-------. postgres postgres unconfined_u:object_r:postgresql_db_t:s0 pg_hba.conf( pg_hba.conf )
[Content of pg_hba.conf] [pg_hba.conf的内容]
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
#local all all peer
local all all md5
# IPv4 local connections:
#host all all 127.0.0.1/32 ident
host all all 122.32.2.21/32 md5 (122.32.2.21 is my server's IP )
# IPv6 local connections:
#host all all ::1/128 ident
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres peer
#host replication postgres 127.0.0.1/32 ident
#host replication postgres ::1/128 ident
I changed postgres user's password like this.
我这样更改了postgres用户的密码。 postgres=# ALTER USER postgres WITH PASSWORD 'pwd';Content of .pgpass file.
.pgpass文件的内容。 localhost:5432:postgres:postgres:pwdI changed owner, group of .pgpass from frank to postgres.
我将.pgpass的所有者,团体从frank改为postgres。 But the result was same. 但结果是一样的。 I tested same thing for OS user 'root' (/root), 'postgres' (/var/lib/pgsql ), and other two normal users who has home directory in /home. 我为OS用户'root'(/ root),'postgres'(/ var / lib / pgsql)和其他两个在/ home中有主目录的普通用户测试了同样的东西。
(1)Try to start as OS user 'root' (1)尝试以OS用户'root'身份启动
[root@web frank]# ls -al .pgpass
-rw-------. 1 postgres postgres 43 10월 16 17:08 .pgpass
[root@web frank]# ls -alZ .pgpass
-rw-------. postgres postgres unconfined_u:object_r:user_home_t:s0 .pgpass
[root@web frank]# cat .pgpass
localhost:5432:postgres:postgres:pwd
[root@web frank]# systemctl start pgagent_96 (Here, centos asked frank's OS password )
[root@web frank]# systemctl status pgagent_96
● pgagent_96.service - PgAgent for PostgreSQL 9.6
Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 2017-10-16 23:33:15 KST; 3s ago
Process: 25928 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
Main PID: 25930 (code=exited, status=1/FAILURE)
16 Oct 23:32:30 web.frank.net systemd[1]: Starting PgAgent for Postgre....
16 Oct 23:32:30 web.frank.net systemd[1]: Started PgAgent for PostgreS....
16 Oct 23:33:15 web.frank.net systemd[1]: pgagent_96.service: main pro...E
16 Oct 23:33:15 web.frank.net systemd[1]: Unit pgagent_96.service ente....
16 Oct 23:33:15 web.frank.net systemd[1]: pgagent_96.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
(2)Try to start as OS user 'frank' (2)尝试以操作系统用户'坦诚'开始
[frank@web ~]$ systemctl start pgagent_96 (Here, centos asked frank's OS password )
[frank@web ~]$ systemctl status pgagent_96
● pgagent_96.service - PgAgent for PostgreSQL 9.6
Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 월 2017-10-16 23:41:03 KST; 1min 21s ago
Process: 26531 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
Main PID: 26533 (code=exited, status=1/FAILURE)
16 Oct 23:40:18 web.frank.net systemd[1]: Starting PgAgent for Postgre....
16 Oct 23:40:18 web.frank.net systemd[1]: Started PgAgent for PostgreS....
16 Oct 23:41:03 web.frank.net systemd[1]: pgagent_96.service: main pro...E
16 Oct 23:41:03 web.frank.net systemd[1]: Unit pgagent_96.service ente....
16 Oct 23:41:03 web.frank.net systemd[1]: pgagent_96.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
(3)Try to start as OS user 'postgres' (3)尝试以OS用户'postgres'开始
-bash-4.2$ systemctl start pgagent_96 (Here, centos asked frank's OS password )
-bash-4.2$ systemctl status pgagent_96
● pgagent_96.service - PgAgent for PostgreSQL 9.6
Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 월 2017-10-16 23:54:22 KST; 21s ago
Process: 27511 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
Main PID: 27515 (code=exited, status=1/FAILURE)
(4) Security context of 'root' and 'frank' and 'postgres' (4)'root','frank'和'postgres'的安全上下文
( root ) ( 根 )
[root@web ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
( frank ) (坦率地说)
[frank@web ~]$ id
uid=1000(frank) gid=1000(frank) groups=1000(frank),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
( postgres ) (postgres)
-bash-4.2$ id
uid=26(postgres) gid=26(postgres) groups=26(postgres) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Of course, I can log in database like this.
当然,我可以像这样登录数据库。 But I can not use .pgpass file. 但是我不能使用.pgpass文件。 [root@web bin]# su - postgres -bash-4.2$ psql -h localhost -U postgres psql (9.6.5) postgres=#Currently, I think this problem may be related to security context of .pgpass.
目前,我认为这个问题可能与.pgpass的安全上下文有关。 pgagent_96 or systemd may not be allowed to read .pgpass file ... ( Just my guess ^^ ) I checked if pgagent_96 or systemd can read .pgpass. pgagent_96或systemd可能不被允许读取.pgpass文件...(只是我的猜测^^)我检查了pgagent_96或systemd是否可以读取.pgpass。
(1) I set PGPASSFILE variable in /etc/profile [Content of /etc/profile] (1)我在/ etc / profile中设置了PGPASSFILE变量[/ etc / profile的内容]
export PGDATA=/var/lib/pgsql/9.6/data
export PGPASSFILE=/var/lib/pgsql/.pgpass
(2) Tried to start pgagent_96 changing .pgpass context type from user_home_t to postgresql_db_t, bin_t, usr_t. (2)尝试启动pgagent_96将.pgpass上下文类型从user_home_t更改为postgresql_db_t,bin_t,usr_t。 But I got same error. 但我得到了同样的错误。
-bash-4.2$ echo $PGPASSFILE
/var/lib/pgsql/.pgpass
-bash-4.2$ ls -alZ .pgpass
-rw-------. postgres postgres unconfined_u:object_r:postgresql_db_t:s0 .pgpass
-bash-4.2$ systemctl start pgagent_96
====> failed to start pgAgent_96. same error.
-bash-4.2$ chcon --type bin_t .pgpass
-bash-4.2$ ls -alZ .pgpass
-rw-------. postgres postgres unconfined_u:object_r:bin_t:s0 .pgpass
-bash-4.2$ systemctl start pgagent_96
====> failed to start pgAgent_96. same error.
-bash-4.2$ chcon --type usr_t .pgpass
-bash-4.2$ ls -alZ .pgpass
-rw-------. postgres postgres unconfined_u:object_r:usr_t:s0 .pgpass
-bash-4.2$ systemctl start pgagent_96
====> failed to start pgAgent_96. same error.
[ Security context of pgagent_96, systemd, pg_hba.conf] [pgagent_96,systemd,pg_hba.conf的安全上下文]
[root@web frank]# ls -alZ /usr/bin/pgagent_96
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/pgagent_96
[root@web frank]# ls -alZ /usr/lib/systemd/systemd
-rwxr-xr-x. root root system_u:object_r:init_exec_t:s0 /usr/lib/systemd/systemd
[root@web frank]# ls -alZ /var/lib/pgsql/9.6/data/pg_hba.conf
-rw-------. postgres postgres unconfined_u:object_r:postgresql_db_t:s0 /var/lib/pgsql/9.6/data/pg_hba.conf
Now, I don't know what I should try. 现在,我不知道应该尝试什么。 Help me please... 请帮帮我...
UPDATE UPDATE
- I installed postgresql 10, pgagent_10. 我安装了postgresql 10,pgagent_10。 But the result is same... I want to start pgagent using systemctl command. 但结果是一样的......我想用systemctl命令启动pgagent。 I'll enable pagent service to start pgagent service automatically. 我将启用pagent服务以自动启动pgagent服务。
1 个解决方案
解决方案1
1 已采纳 2018-02-07 16:28:53
I had the same problem with CentOS 7. My solution for you is: 我在CentOS 7遇到了同样的问题。我的解决方案是:
as first, check some variables in the service script: 首先,检查服务脚本中的一些变量:
cat /usr/lib/systemd/system/pgagent_96.service cat /usr/lib/systemd/system/pgagent_96.service
1) by default User=pgagent and Group=pgagent - this is owner/group of your .pgpass file, 1)默认情况下User = pgagent和Group = pgagent - 这是.pgpass文件的所有者/组,
you need set 你需要设置
chown pgagent:pgagent .pgpass chown pgagent:pgagent .pgpass
chmod 0600 .pgpass chmod 0600 .pgpass
2) next, move .pgpass file into directory where user pgagent can read this file 2)接下来,将.pgpass文件移动到用户pgagent可以读取该文件的目录中
(/home/frank isn't redable for user pgagent, try, for example, your postgres install dir /var/lib/pgsql/9.6 or /var/lib/pgsql) (/ home / frank不能为用户pgagent重做,例如,试试你的postgres安装目录/var/lib/pgsql/9.6或/ var / lib / pgsql)
3) check variable of location of the pgagent_96 configuration, 3)检查pgagent_96配置的位置变量,
by default EnvironmentFile=/etc/pgagent/pgagent_96.conf - you need edit this file. 默认情况下, EnvironmentFile = / etc / pgagent / pgagent_96.conf - 您需要编辑此文件。
Next step, open pgagent_96.conf in an editor and do make changes: 下一步,在编辑器中打开pgagent_96.conf并进行更改:
a) change value of variable DBHOST=localhost (this is important) a)更改变量DBHOST = localhost的值(这很重要)
b) add variable PGPASSFILE=/path/your/pgpasfile/.pgpass (PGPASSFILE=/var/lib/pgsql/.pgpass) b)添加变量PGPASSFILE = / path / your / pgpasfile / .pgpass(PGPASSFILE = / var / lib / pgsql / .pgpass)
In my case pgagent started working without problems. 在我的情况下,pgagent开始没有问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.