Can I use .pgpass in SELinux? [centos7, pgagent_96, postgresql 9.6.5]
.pgpass does not seem to work. Could you check my pgagent setup?
OS : centos 7 ( I did NOT disable selinux )
Database : postgresql 9.6.5
pgagent : pgagent_96 3.4.0-9.rhel7 ( installed package using yum )
- I logged in to the CentOS server as user 'frank'.
Before starting pgagent, I checked its status. (I have not enabled the pgagent_96 service.)
[frank@web]$ systemctl status pgagent_96.service
● pgagent_96.service - PgAgent for PostgreSQL 9.6
Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
Active: inactive (dead)
I started pgagent. At first glance it looked successful, but after a few tens of seconds it fails to create the connection and dies.
(When starting, CentOS asked me for frank's OS password.)
[frank@web]$ systemctl start pgagent_96.service
[frank@web]$ systemctl status pgagent_96.service
● pgagent_96.service - PgAgent for PostgreSQL 9.6
Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
Active: active (running) since 2017-10-16 16:42:11 KST; 5s ago
Process: 9507 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
Main PID: 9510 (pgagent_96)
CGroup: /system.slice/pgagent_96.service
└─9510 /usr/bin/pgagent_96 -s /var/log/pgagent_96.log hostaddr=127.0.0.1 dbname=postgres user=postgres port=5432
16 Oct 16:42:11 web.frank.net systemd[1]: Starting PgAgent for PostgreSQL 9.6...
16 Oct 16:42:11 web.frank.net systemd[1]: Started PgAgent for PostgreSQL 9.6.
(a few tens of seconds later...)
[frank@web]$ systemctl status pgagent_96.service
● pgagent_96.service - PgAgent for PostgreSQL 9.6
Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 2017-10-16 16:42:56 KST; 4min 9s ago
Process: 9507 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
Main PID: 9510 (code=exited, status=1/FAILURE)
16 Oct 16:42:11 web.frank.net systemd[1]: Starting PgAgent for PostgreSQL 9.6...
16 Oct 16:42:11 web.frank.net systemd[1]: Started PgAgent for PostgreSQL 9.6.
16 Oct 16:42:56 web.frank.net systemd[1]: pgagent_96.service: main process exited, code=exited, status=1/FAILURE
16 Oct 16:42:56 web.frank.net systemd[1]: Unit pgagent_96.service entered failed state.
16 Oct 16:42:56 web.frank.net systemd[1]: pgagent_96.service failed.
I checked the pgagent log. (Log file: /var/log/pgagent_96.log)
WARNING: Couldn't create the primary connection (attempt 1): fe_sendauth: no password supplied
WARNING: Couldn't create the primary connection (attempt 2): fe_sendauth: no password supplied
WARNING: Couldn't create the primary connection (attempt 3): fe_sendauth: no password supplied
WARNING: Couldn't create the primary connection (attempt 4): fe_sendauth: no password supplied
WARNING: Couldn't create the primary connection (attempt 5): fe_sendauth: no password supplied
WARNING: Couldn't create the primary connection (attempt 6): fe_sendauth: no password supplied
WARNING: Couldn't create the primary connection (attempt 7): fe_sendauth: no password supplied
WARNING: Couldn't create the primary connection (attempt 8): fe_sendauth: no password supplied
WARNING: Couldn't create the primary connection (attempt 9): fe_sendauth: no password supplied
WARNING: Couldn't create the primary connection (attempt 10): fe_sendauth: no password supplied
ERROR: Stopping pgAgent: Couldn't establish the primary connection with the database server.
I checked my .pgpass file. (.pgpass is in frank's home directory, /home/frank.)
[frank@web]$ ls -alZ .pgpass
-rw-------. frank frank unconfined_u:object_r:user_home_t:s0 .pgpass
[frank@web]$ ls -al .pgpass
-rw-------. 1 frank frank 43 16 Oct 16:23 .pgpass
[frank@web]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[frank@web]$ id
uid=1000(frank) gid=1000(frank) groups=1000(frank),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
I checked my pg_hba.conf.
[frank@web]$ su - postgres
-bash-4.2$ pwd
/var/lib/pgsql/9.6/data
-bash-4.2$ ls -alZ pg_hba.conf
-rw-------. postgres postgres unconfined_u:object_r:postgresql_db_t:s0 pg_hba.conf
Contents of pg_hba.conf:
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
#local all all peer
local all all md5
# IPv4 local connections:
#host all all 127.0.0.1/32 ident
host all all 122.32.2.21/32 md5 (122.32.2.21 is my server's IP )
# IPv6 local connections:
#host all all ::1/128 ident
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres peer
#host replication postgres 127.0.0.1/32 ident
#host replication postgres ::1/128 ident
I changed the postgres user's password like this:
postgres=# ALTER USER postgres WITH PASSWORD 'pwd';
Contents of the .pgpass file:
localhost:5432:postgres:postgres:pwd
I changed the owner and group of .pgpass from frank to postgres, but the result was the same. I tested the same thing for the OS users 'root' (/root), 'postgres' (/var/lib/pgsql), and two other regular users with home directories in /home.
(1) Trying to start as OS user 'root'
[root@web frank]# ls -al .pgpass
-rw-------. 1 postgres postgres 43 10월 16 17:08 .pgpass
[root@web frank]# ls -alZ .pgpass
-rw-------. postgres postgres unconfined_u:object_r:user_home_t:s0 .pgpass
[root@web frank]# cat .pgpass
localhost:5432:postgres:postgres:pwd
[root@web frank]# systemctl start pgagent_96 (Here, centos asked frank's OS password )
[root@web frank]# systemctl status pgagent_96
● pgagent_96.service - PgAgent for PostgreSQL 9.6
Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 2017-10-16 23:33:15 KST; 3s ago
Process: 25928 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
Main PID: 25930 (code=exited, status=1/FAILURE)
16 Oct 23:32:30 web.frank.net systemd[1]: Starting PgAgent for Postgre....
16 Oct 23:32:30 web.frank.net systemd[1]: Started PgAgent for PostgreS....
16 Oct 23:33:15 web.frank.net systemd[1]: pgagent_96.service: main pro...E
16 Oct 23:33:15 web.frank.net systemd[1]: Unit pgagent_96.service ente....
16 Oct 23:33:15 web.frank.net systemd[1]: pgagent_96.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
(2) Trying to start as OS user 'frank'
[frank@web ~]$ systemctl start pgagent_96 (Here, centos asked frank's OS password )
[frank@web ~]$ systemctl status pgagent_96
● pgagent_96.service - PgAgent for PostgreSQL 9.6
Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 월 2017-10-16 23:41:03 KST; 1min 21s ago
Process: 26531 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
Main PID: 26533 (code=exited, status=1/FAILURE)
16 Oct 23:40:18 web.frank.net systemd[1]: Starting PgAgent for Postgre....
16 Oct 23:40:18 web.frank.net systemd[1]: Started PgAgent for PostgreS....
16 Oct 23:41:03 web.frank.net systemd[1]: pgagent_96.service: main pro...E
16 Oct 23:41:03 web.frank.net systemd[1]: Unit pgagent_96.service ente....
16 Oct 23:41:03 web.frank.net systemd[1]: pgagent_96.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
(3) Trying to start as OS user 'postgres'
-bash-4.2$ systemctl start pgagent_96 (Here, centos asked frank's OS password )
-bash-4.2$ systemctl status pgagent_96
● pgagent_96.service - PgAgent for PostgreSQL 9.6
Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 월 2017-10-16 23:54:22 KST; 21s ago
Process: 27511 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS)
Main PID: 27515 (code=exited, status=1/FAILURE)
(4) Security contexts of 'root', 'frank' and 'postgres'
(root)
[root@web ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
(frank)
[frank@web ~]$ id
uid=1000(frank) gid=1000(frank) groups=1000(frank),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
(postgres)
-bash-4.2$ id
uid=26(postgres) gid=26(postgres) groups=26(postgres) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Of course, I can log in to the database this way. But I cannot use the .pgpass file.
[root@web bin]# su - postgres
-bash-4.2$ psql -h localhost -U postgres
psql (9.6.5)
postgres=#
At the moment I think this problem may be related to the security context of .pgpass. pgagent_96 or systemd may not be allowed to read the .pgpass file... (just my guess ^^). I checked whether pgagent_96 or systemd can read .pgpass.
(1) I set the PGPASSFILE variable in /etc/profile
[Contents of /etc/profile]
export PGDATA=/var/lib/pgsql/9.6/data
export PGPASSFILE=/var/lib/pgsql/.pgpass
(2) I tried starting pgagent_96 after changing the .pgpass context type from user_home_t to postgresql_db_t, bin_t and usr_t. But I got the same error.
-bash-4.2$ echo $PGPASSFILE
/var/lib/pgsql/.pgpass
-bash-4.2$ ls -alZ .pgpass
-rw-------. postgres postgres unconfined_u:object_r:postgresql_db_t:s0 .pgpass
-bash-4.2$ systemctl start pgagent_96
====> failed to start pgAgent_96. same error.
-bash-4.2$ chcon --type bin_t .pgpass
-bash-4.2$ ls -alZ .pgpass
-rw-------. postgres postgres unconfined_u:object_r:bin_t:s0 .pgpass
-bash-4.2$ systemctl start pgagent_96
====> failed to start pgAgent_96. same error.
-bash-4.2$ chcon --type usr_t .pgpass
-bash-4.2$ ls -alZ .pgpass
-rw-------. postgres postgres unconfined_u:object_r:usr_t:s0 .pgpass
-bash-4.2$ systemctl start pgagent_96
====> failed to start pgAgent_96. same error.
[Security contexts of pgagent_96, systemd and pg_hba.conf]
[root@web frank]# ls -alZ /usr/bin/pgagent_96
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/pgagent_96
[root@web frank]# ls -alZ /usr/lib/systemd/systemd
-rwxr-xr-x. root root system_u:object_r:init_exec_t:s0 /usr/lib/systemd/systemd
[root@web frank]# ls -alZ /var/lib/pgsql/9.6/data/pg_hba.conf
-rw-------. postgres postgres unconfined_u:object_r:postgresql_db_t:s0 /var/lib/pgsql/9.6/data/pg_hba.conf
Now I don't know what I should try. Please help me...
Update
- I installed postgresql 10 and pgagent_10. But the result is the same... I want to start pgagent with the systemctl command. I will enable the pgagent service so that it starts automatically.
I had the same problem on CentOS 7. The solution I can give you is:
First, check some variables in the service script:
cat /usr/lib/systemd/system/pgagent_96.service
1) By default User=pgagent and Group=pgagent - this is the owner/group your .pgpass file needs to have, so you need to set
chown pgagent:pgagent .pgpass
chmod 0600 .pgpass
2) Next, move the .pgpass file into a directory where user pgagent can read it
(/home/frank is not readable by user pgagent; try, for example, your postgres installation directory /var/lib/pgsql/9.6 or /var/lib/pgsql)
3) Check the location variable of the pgagent_96 configuration:
by default EnvironmentFile=/etc/pgagent/pgagent_96.conf - you need to edit this file.
Next, open pgagent_96.conf in an editor and make these changes:
a) change the value of the variable to DBHOST=localhost (this is important)
b) add the variable PGPASSFILE=/path/your/pgpasfile/.pgpass (PGPASSFILE=/var/lib/pgsql/.pgpass)
In my case, pgagent started working normally.
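The three rules the answer above relies on (the service user must be able to open the file, the mode must be 0600 or tighter, and a line must match the connection parameters the unit actually passes) are the same rules libpq applies before it will use a password file at all. The script below is an added example, not code from the question or the answer, that checks each of them without restarting pgagent. It assumes the service user is named pgagent and that the DBHOST/DBPORT/DBNAME/DBUSER values come from /etc/pgagent/pgagent_96.conf; the .pgpass contents in the usage comment are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the question or the answer above: a pre-flight
# check that applies the rules libpq itself uses before it will take a password
# from a .pgpass file, so "fe_sendauth: no password supplied" in the pgagent log
# can be diagnosed without restarting the service. Assumed names: the service
# user "pgagent" and the DBHOST/DBPORT/DBNAME/DBUSER values that
# /etc/pgagent/pgagent_96.conf feeds into pgagent_96.service.

# libpq ignores a password file whose mode grants anything to group or other
# (it warns "permissions should be u=rw (0600) or less" and carries on without
# a password). Returns 0 when the group and other bits are all clear.
pgpass_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# The file libpq opens is $PGPASSFILE if set, otherwise $HOME/.pgpass of the
# process owner. Under systemd that HOME is the service user's entry in
# /etc/passwd, never the home of whoever ran "systemctl start".
pgpass_path_for() {
    svcuser=$1 envfile=$2
    p=$(sed -n 's/^PGPASSFILE=//p' "$envfile" 2>/dev/null | tail -n 1)
    if [ -n "$p" ]; then
        echo "$p"
    else
        echo "$(getent passwd "$svcuser" | cut -d: -f6)/.pgpass"
    fi
}

# What libpq compares with the first (host) field: the host= parameter, with a
# Unix-socket directory path counted as "localhost". pgagent_96.service passes
# only hostaddr=; how libpq treats that case depends on its version, so the safe
# choice is a host field of "*" or exactly the value the unit passes.
pgpass_match_host() {
    case "$1" in
        '' | /*) echo localhost ;;
        *)       echo "$1" ;;
    esac
}

# Print the password of the first line matching host:port:db:user, honouring
# the "*" wildcard in the first four fields; exit 1 when no line matches.
# Simplification: a backslash-escaped ":" inside a field is not handled.
pgpass_lookup() {
    awk -F: -v h="$2" -v p="$3" -v d="$4" -v u="$5" '
        /^[[:space:]]*#/ || NF < 5 { next }
        ($1 == "*" || $1 == h) && ($2 == "*" || $2 == p) &&
        ($3 == "*" || $3 == d) && ($4 == "*" || $4 == u) {
            pw = $5                        # the password may itself contain ":"
            for (i = 6; i <= NF; i++) pw = pw ":" $i
            print pw; found = 1; exit
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Can the service user open the file at all under plain DAC? Needs root; uses
# util-linux runuser, which CentOS 7 ships.
pgpass_readable_by() {
    runuser -u "$1" -- test -r "$2"
}

# One combined verdict for a connection: prints "ok" and returns 0 when libpq
# will find a password, otherwise prints the first failing rule and returns 1.
pgpass_check() {
    file=$1 host=$2 port=$3 db=$4 user=$5
    [ -f "$file" ]         || { echo "missing: $file"; return 1; }
    pgpass_mode_ok "$file" || { echo "mode too open: $file"; return 1; }
    pgpass_lookup "$file" "$(pgpass_match_host "$host")" "$port" "$db" "$user" >/dev/null \
        || { echo "no matching line for $host:$port:$db:$user"; return 1; }
    echo ok
}

# Usage on the box (as root), with the values pgagent_96.service passes:
#   f=$(pgpass_path_for pgagent /etc/pgagent/pgagent_96.conf)
#   pgpass_readable_by pgagent "$f" && pgpass_check "$f" 127.0.0.1 5432 postgres postgres
```

Run against the setup in the question, the check fails on readability first (the file lives under /home/frank, which user pgagent cannot enter), and after moving it the line `localhost:5432:postgres:postgres:pwd` still does not match a host value of 127.0.0.1, which is why the answer insists on DBHOST=localhost. If `pgpass_readable_by` succeeds but the service still logs "no password supplied", `ausearch -m AVC -ts recent` shows whether SELinux, rather than file permissions, refused the open.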