[CentOS] httpd stopped working under SELinux so I had to turn SELinux off. libxml2.so.2: failed to map segment from shared object: Permission denied

Sun Mar 28 06:18:07 UTC 2010
Aleksey Tsalolikhin <atsaloli.tech at gmail.com>

On Thu, Mar 25, 2010 at 12:49 AM, A. Kirillov <nevis2us at infoline.su> wrote:
>> CentOS 5.4 64-bit with SELinux, happily running for over a year, suddenly
>> httpd fails to start up, getting an error message like:
>>
>> Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf:
>> Cannot load /etc/httpd/modules/libphp5.so into server: libxml2.so.2:
>> failed to map segment from shared object: Permission denied
>>
>> I turned off SELinux and was able to start httpd.
>>
>> But what went wrong?  And how to fix it and turn SELinux back on?
>>
>> SElinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t )
>> and "restorecon -n libxml.so.2.6.26" does not return anything.
>>
>> No recent AVC denied entries in /var/log/audit/audit.log or /var/log/messages.


OK, here's what happened:

We had added  /opt/PostgreSQL/8.4/lib to LD_LIBRARY_PATH in
/etc/profile as we wanted our in-house python daemon to use PostgreSQL 8.4
client as we were seeing memory leak using 8.1 but not 8.4.

Turned out there was a libxml2.so.2 in the PostgreSQL lib directory
and the httpd was trying
to pick it up instead of /usr/lib64/libxml2.so.2, and failing as it
had a "usr_t" instead of "lib_t" label.

[root at hwd-ddc-app01-prod01 modules]# ldd /etc/httpd/modules/libphp5.so
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b9640e52000)
        libaspell.so.15 => /usr/lib64/libaspell.so.15 (0x00002b964108a000)
        libpspell.so.15 => /usr/lib64/libpspell.so.15 (0x00002b964135a000)
        libgmp.so.3 => /usr/lib64/libgmp.so.3 (0x00002b964155c000)
        libcurl.so.3 => /usr/lib64/libcurl.so.3 (0x00002b9641795000)
        libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x00002b96419d2000)
        libz.so.1 => /usr/lib64/libz.so.1 (0x00002b9641be3000)
        libpcre.so.0 => /lib64/libpcre.so.0 (0x00002b9641df7000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b9642013000)
        libm.so.6 => /lib64/libm.so.6 (0x00002b9642229000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00002b96424ac000)
        libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b96426b0000)

        libxml2.so.2 => /opt/PostgreSQL/8.4/lib/libxml2.so.2
(0x00002b96428c9000)  <----- our culprit

        libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2
(0x00002b9642b08000)
        libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b9642d36000)
        libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b9642fcc000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b96431f1000)
        libssl.so.6 => /lib64/libssl.so.6 (0x00002b96433f3000)
        libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b964363e000)
        libidn.so.11 => /usr/lib64/libidn.so.11 (0x00002b964398f000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b9643bc0000)
        libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00002b9643f18000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00002b9644218000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003c3e000000)
        libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0
(0x00002b9644427000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b964462f000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b9644832000)
        libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b9644a4a000)
[root at hwd-ddc-app01-prod01 modules]# ls -l /opt/PostgreSQL/8.4/lib/libxml2.so.2
-rwxr-xr-x 1 root daemon 4115398 Dec 10 02:41
/opt/PostgreSQL/8.4/lib/libxml2.so.2
[root at hwd-ddc-app01-prod01 modules]# ls -lZ /opt/PostgreSQL/8.4/lib/libxml2.so.2
-rwxr-xr-x  root daemon user_u:object_r:usr_t
/opt/PostgreSQL/8.4/lib/libxml2.so.2
[root at hwd-ddc-app01-prod01 modules]#

I fixed this by adding "unset LD_LIBRARY_PATH" to /etc/init.d/httpd. Now we load
/usr/lib64/libxml2.so.2 which has the correct label (lib_t)

I think I'll change this by moving the LD_LIBRARY_PATH setting from /etc/profile
into the startup script for the python daemon, so I can have a vanilla
/etc/init.d/httpd

Thank you very much for your help!
Aleksey