Can I use .pgpass under SELinux? [centos7, pgagent_96, postgresql 9.6.5]

Time: 2017-10-19 03:51:42

Tags: postgresql centos7 selinux pgadmin-4 pgagent

.pgpass does not seem to work properly. Could you check my settings?

OS : centos 7   ( I did NOT disable selinux )

Database : postgresql 9.6.5

pgagent : pgagent_96 3.4.0-9.rhel7  ( installed package using  yum )

  1. I logged in to the CentOS server as user 'frank'.
  2. Before starting pgagent, I checked its status. (I have not enabled the pgagent_96 service.)

    [frank@web]$ systemctl status pgagent_96.service
    
    ● pgagent_96.service - PgAgent for PostgreSQL 9.6
    
    Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
    Active: inactive (dead)
    
  3. I started pgagent. At first it looked successful, but after a few dozen seconds it failed to establish a connection and died. (When starting it, CentOS asked me for frank's OS password.)

    [frank@web]$ systemctl start pgagent_96.service
    [frank@web]$ systemctl status pgagent_96.service
    ● pgagent_96.service - PgAgent for PostgreSQL 9.6
       Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
       Active: active (running) since 2017-10-16 16:42:11 KST; 5s ago
      Process: 9507 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
     Main PID: 9510 (pgagent_96)
       CGroup: /system.slice/pgagent_96.service
       └─9510 /usr/bin/pgagent_96 -s /var/log/pgagent_96.log hostaddr=127.0.0.1 dbname=postgres user=postgres port=5432
    
    16 Oct 16:42:11 web.frank.net systemd[1]: Starting PgAgent for PostgreSQL 9.6...
    16 Oct 16:42:11 web.frank.net systemd[1]: Started PgAgent for PostgreSQL 9.6.
    
  4. (A few seconds later...)

       [frank@web]$ systemctl status pgagent_96.service
        ● pgagent_96.service - PgAgent for PostgreSQL 9.6
           Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
           Active: failed (Result: exit-code) since 2017-10-16 16:42:56 KST; 4min 9s ago
          Process: 9507 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
         Main PID: 9510 (code=exited, status=1/FAILURE)
    
        16 Oct 16:42:11 web.frank.net systemd[1]: Starting PgAgent for PostgreSQL 9.6...
        16 Oct 16:42:11 web.frank.net systemd[1]: Started PgAgent for PostgreSQL 9.6.
        16 Oct 16:42:56 web.frank.net systemd[1]: pgagent_96.service: main process exited, code=exited, status=1/FAILURE
        16 Oct 16:42:56 web.frank.net systemd[1]: Unit pgagent_96.service entered failed state.
        16 Oct 16:42:56 web.frank.net systemd[1]: pgagent_96.service failed.
    
  5. I checked the pgagent log (/var/log/pgagent_96.log).

      WARNING: Couldn't create the primary connection (attempt 1): fe_sendauth: no password supplied
      WARNING: Couldn't create the primary connection (attempt 2): fe_sendauth: no password supplied
      WARNING: Couldn't create the primary connection (attempt 3): fe_sendauth: no password supplied
      WARNING: Couldn't create the primary connection (attempt 4): fe_sendauth: no password supplied
      WARNING: Couldn't create the primary connection (attempt 5): fe_sendauth: no password supplied
      WARNING: Couldn't create the primary connection (attempt 6): fe_sendauth: no password supplied
      WARNING: Couldn't create the primary connection (attempt 7): fe_sendauth: no password supplied
      WARNING: Couldn't create the primary connection (attempt 8): fe_sendauth: no password supplied
      WARNING: Couldn't create the primary connection (attempt 9): fe_sendauth: no password supplied
      WARNING: Couldn't create the primary connection (attempt 10): fe_sendauth: no password supplied
      ERROR: Stopping pgAgent: Couldn't establish the primary connection with the database server.
      
  6. I checked my .pgpass file. (.pgpass is in frank's home directory, /home/frank.)

      [frank@web]$ ls -alZ .pgpass
      -rw-------. frank frank unconfined_u:object_r:user_home_t:s0 .pgpass
      [frank@web]$ ls -al .pgpass
      -rw-------. 1 frank frank 43 16 Oct 16:23 .pgpass
      [frank@web]$ id -Z
      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      [frank@web]$ id
      uid=1000(frank) gid=1000(frank) groups=1000(frank),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      
  7. I checked my pg_hba.conf.

      [frank@web]$ su - postgres
      -bash-4.2$ pwd
      /var/lib/pgsql/9.6/data
      -bash-4.2$ ls -alZ pg_hba.conf
      -rw-------. postgres postgres unconfined_u:object_r:postgresql_db_t:s0 pg_hba.conf
      
  8. [Contents of pg_hba.conf]

      # TYPE  DATABASE        USER            ADDRESS                 METHOD
      # "local" is for Unix domain socket connections only
      #local   all             all                                     peer
      local   all             all                                md5
      
      # IPv4 local connections:
      #host    all             all             127.0.0.1/32            ident
      host    all   all   122.32.2.21/32       md5    (122.32.2.21  is my server's IP )
      
      # IPv6 local connections:
      #host    all             all             ::1/128                 ident
      host    all             all             ::1/128                 md5
      
      # Allow replication connections from localhost, by a user with the
      # replication privilege.
      #local   replication     postgres                                peer
      #host    replication     postgres        127.0.0.1/32            ident
      #host    replication     postgres        ::1/128                 ident
      
  9. I changed the postgres user's password.

        postgres=# ALTER USER postgres WITH PASSWORD 'pwd';
        
  10. Contents of the .pgpass file.

        localhost:5432:postgres:postgres:pwd
        
  11. I changed the owner and group of .pgpass from frank to postgres, but the result was the same. I tested the same thing for the OS users 'root' (/root) and 'postgres' (/var/lib/pgsql), and for two other ordinary users with home directories under /home.

  12. (1) Tried starting as OS user 'root'

            [root@web frank]# ls -al .pgpass
            -rw-------. 1 postgres postgres 43 10월 16 17:08 .pgpass
            [root@web frank]# ls -alZ .pgpass
            -rw-------. postgres postgres unconfined_u:object_r:user_home_t:s0 .pgpass
            [root@web frank]# cat .pgpass
            localhost:5432:postgres:postgres:pwd
            [root@web frank]# systemctl start pgagent_96      (Here, centos asked frank's OS password )
            [root@web frank]# systemctl status pgagent_96
            ● pgagent_96.service - PgAgent for PostgreSQL 9.6
               Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
               Active: failed (Result: exit-code) since 2017-10-16 23:33:15 KST; 3s ago
              Process: 25928 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
             Main PID: 25930 (code=exited, status=1/FAILURE)
        
            16 Oct 23:32:30 web.frank.net systemd[1]: Starting PgAgent for Postgre....
            16 Oct 23:32:30 web.frank.net systemd[1]: Started PgAgent for PostgreS....
            16 Oct 23:33:15 web.frank.net systemd[1]: pgagent_96.service: main pro...E
            16 Oct 23:33:15 web.frank.net systemd[1]: Unit pgagent_96.service ente....
            16 Oct 23:33:15 web.frank.net systemd[1]: pgagent_96.service failed.
            Hint: Some lines were ellipsized, use -l to show in full.
        

        (2) Tried starting as OS user 'frank'

            [frank@web ~]$ systemctl start pgagent_96    (Here, centos asked frank's OS password )
            [frank@web ~]$ systemctl status pgagent_96
            ● pgagent_96.service - PgAgent for PostgreSQL 9.6
               Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
               Active: failed (Result: exit-code) since 월 2017-10-16 23:41:03 KST; 1min 21s ago
              Process: 26531 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
             Main PID: 26533 (code=exited, status=1/FAILURE)
        
            16 Oct 23:40:18 web.frank.net systemd[1]: Starting PgAgent for Postgre....
            16 Oct 23:40:18 web.frank.net systemd[1]: Started PgAgent for PostgreS....
            16 Oct 23:41:03 web.frank.net systemd[1]: pgagent_96.service: main pro...E
            16 Oct 23:41:03 web.frank.net systemd[1]: Unit pgagent_96.service ente....
            16 Oct 23:41:03 web.frank.net systemd[1]: pgagent_96.service failed.
            Hint: Some lines were ellipsized, use -l to show in full.
        

        (3) Tried starting as OS user 'postgres'

            -bash-4.2$ systemctl start pgagent_96       (Here, centos asked frank's OS password )
            -bash-4.2$ systemctl status pgagent_96
            ● pgagent_96.service - PgAgent for PostgreSQL 9.6
               Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
               Active: failed (Result: exit-code) since 월 2017-10-16 23:54:22 KST; 21s ago
              Process: 27511 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
             Main PID: 27515 (code=exited, status=1/FAILURE)
        

        (4) Security contexts of 'root', 'frank' and 'postgres'

        (root)

        [root@web ~]# id
        uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
        

        (frank)

        [frank@web ~]$ id
        uid=1000(frank) gid=1000(frank) groups=1000(frank),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
        

        (postgres)

        -bash-4.2$ id
        uid=26(postgres) gid=26(postgres) groups=26(postgres) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
        
  13. Of course, I can log in to the database like this, but I cannot use the .pgpass file.

          [root@web bin]# su - postgres
          -bash-4.2$ psql -h localhost -U postgres
          psql (9.6.5)
          postgres=#
          
  14. At the moment I think this problem may be related to the security context of .pgpass. pgagent_96 or systemd may not be allowed to read the .pgpass file... (just my guess ^^) I checked whether pgagent_96 or systemd can read .pgpass.

  15. (1) I set the PGPASSFILE variable in /etc/profile. [Contents of /etc/profile]

          export PGDATA=/var/lib/pgsql/9.6/data
          export PGPASSFILE=/var/lib/pgsql/.pgpass
          

          (2) I tried starting pgagent_96 after changing the .pgpass context type from user_home_t to postgresql_db_t, bin_t and usr_t, but I got the same error.

          -bash-4.2$ echo $PGPASSFILE
          /var/lib/pgsql/.pgpass
          -bash-4.2$ ls -alZ .pgpass
          -rw-------. postgres postgres unconfined_u:object_r:postgresql_db_t:s0 .pgpass
          -bash-4.2$ systemctl start pgagent_96
               ====> failed to start pgAgent_96. same error.
          -bash-4.2$ chcon --type bin_t .pgpass
          -bash-4.2$ ls -alZ .pgpass
          -rw-------. postgres postgres unconfined_u:object_r:bin_t:s0   .pgpass
          -bash-4.2$ systemctl start pgagent_96
              ====> failed to start pgAgent_96. same error.
          -bash-4.2$ chcon --type usr_t .pgpass
          -bash-4.2$ ls -alZ .pgpass
          -rw-------. postgres postgres unconfined_u:object_r:usr_t:s0   .pgpass
          -bash-4.2$ systemctl start pgagent_96
              ====> failed to start pgAgent_96. same error.
          

          [Security contexts of pgagent_96, systemd and pg_hba.conf]

          [root@web frank]# ls -alZ /usr/bin/pgagent_96
          -rwxr-xr-x. root root system_u:object_r:bin_t:s0   /usr/bin/pgagent_96
          [root@web frank]# ls -alZ /usr/lib/systemd/systemd
          -rwxr-xr-x. root root system_u:object_r:init_exec_t:s0 /usr/lib/systemd/systemd
          [root@web frank]# ls -alZ /var/lib/pgsql/9.6/data/pg_hba.conf
          -rw-------. postgres postgres unconfined_u:object_r:postgresql_db_t:s0 /var/lib/pgsql/9.6/data/pg_hba.conf
          

Now I do not know what else to try. Please help me...

Update

1. I installed postgresql 10 and pgagent_10, but the result is the same... I want to start pgagent with the systemctl command, and I will enable the pgagent service so that it starts automatically.

1 answer:

Answer 0 (score: 1)

I ran into the same problem on CentOS 7. My solution was:
First, check some variables in the service script:

    cat /usr/lib/systemd/system/pgagent_96.service

1) By default User=pgagent and Group=pgagent. This is the owner/group the .pgpass file needs, so set

    chown pgagent:pgagent .pgpass
    chmod 0600 .pgpass

2) Next, move the .pgpass file into a directory that the pgagent user can read (/home/frank is not accessible to user pgagent; try, for example, your postgres installation directory /var/lib/pgsql/9.6 or /var/lib/pgsql).
3) Check the variable for the location of the pgagent_96 configuration; by default EnvironmentFile=/etc/pgagent/pgagent_96.conf. You need to edit this file.

Next, open pgagent_96.conf in an editor and make these changes:
a) change the value of the variable DBHOST=localhost (this is important)
b) add the variable PGPASSFILE=/path/your/pgpasfile/.pgpass (PGPASSFILE=/var/lib/pgsql/.pgpass)

In my case, pgagent then started without problems.
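As an added example that is not part of the question or the answer, the script below models libpq's .pgpass lookup offline. libpq matches the host field of .pgpass against the connection's host parameter, or, when only hostaddr is given (the unit file above passes hostaddr=127.0.0.1 with no host=), against that address, so a line starting with localhost can never match; it also ignores the file unless its mode is 0600 or stricter. All file paths and contents are constructed for the demo.

```shell
# Added example (not code from the question or the answer): an offline model
# of libpq's .pgpass lookup, so the two failure causes discussed in this thread
# (host field mismatch, wrong file mode) can be checked without a server.

# field_match PATTERN VALUE: a '*' field in .pgpass matches anything, as in libpq.
field_match() { [ "$1" = '*' ] || [ "$1" = "$2" ]; }

# pgpass_lookup FILE HOST PORT DBNAME USER
# Prints the password of the first matching line and returns 0; returns 1 when
# nothing matches (libpq then sends no password: "fe_sendauth: no password supplied").
pgpass_lookup() {
  file=$1 host=$2 port=$3 db=$4 user=$5
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac          # skip blanks and comments
    case $line in *:*:*:*:*) ;; *) continue ;; esac  # need all five fields
    f_host=${line%%:*}; rest=${line#*:}              # escaped '\:' not handled
    f_port=${rest%%:*}; rest=${rest#*:}
    f_db=${rest%%:*};   rest=${rest#*:}
    f_user=${rest%%:*}; f_pw=${rest#*:}              # password keeps any ':'
    if field_match "$f_host" "$host" && field_match "$f_port" "$port" &&
       field_match "$f_db" "$db" && field_match "$f_user" "$user"; then
      printf '%s\n' "$f_pw"; return 0
    fi
  done < "$file"
  return 1
}

# pgpass_mode_ok FILE: libpq refuses .pgpass unless the group/other permission
# bits are clear (mode 0600 or stricter). Assumes GNU stat, as on CentOS 7.
pgpass_mode_ok() {
  mode=$(stat -c '%a' "$1") || return 1
  [ $(( 0$mode & 077 )) -eq 0 ]
}

# demo: the .pgpass line from the question against both host values in the
# thread (hostaddr=127.0.0.1 from the unit file, DBHOST=localhost from the answer).
demo() {
  dir=$(mktemp -d) || return 1                       # constructed sample file
  printf 'localhost:5432:postgres:postgres:pwd\n' > "$dir/.pgpass"
  chmod 0600 "$dir/.pgpass"
  for h in 127.0.0.1 localhost; do
    if pgpass_lookup "$dir/.pgpass" "$h" 5432 postgres postgres >/dev/null; then
      echo "host=$h: password found, authentication can proceed"
    else
      echo "host=$h: no .pgpass match, libpq sends no password"
    fi
  done
  rm -rf "$dir"
}
```

Source the file and call `demo`; calling `pgpass_lookup` with the user and host values from your own unit file shows which .pgpass line, if any, pgagent will actually use.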