[CentOS] httpd stopped working under SELinux so I had to turn SELinux off. libxml2.so.2: failed to map segment from shared object: Permission denied

There was a thread awhile back:
http://lists.centos.org/pipermail/centos/2010-January/088551.html

Sounds like similar issues.. No AVC denials but blocking...

What went wrong? You might want to start by getting a bound on _when_
it went wrong. When was the last time you successfully started httpd?
The problem happened sometime after that. Look in your logs for any
suspicious events. Check /var/log/yum.log. Any new packages? Did a
yum transaction fail (postinstall might be tinkering with SElinux)?
Try "yum-complete-transaction". Any configuration changes since then?
Might want to try "restorecon -rv /etc/httpd" as well.

Kal

Try to turn off the dontaudit rules for domains
that are in the base policy:

semodule -b /usr/share/selinux/targeted/enableaudit.pp

Then you might see the denials in the logs and fix the problem
in your local policy.

HTH

OK, here's what happened:

We had added /opt/PostgreSQL/8.4/lib to LD_LIBRARY_PATH in
/etc/profile as we wanted our in-house python daemon to use PostgreSQL 8.4
client as we were seeing memory leak using 8.1 but not 8.4.

Turned out there was a libxml2.so.2 in the PostgreSQL lib directory
and the httpd was trying
to pick it up instead of /usr/lib64/libxml2.so.2, and failing as it
had a "usr_t" instead of "lib_t" label.

[root at hwd-ddc-app01-prod01 modules]# ldd /etc/httpd/modules/libphp5.so
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b9640e52000)
libaspell.so.15 => /usr/lib64/libaspell.so.15 (0x00002b964108a000)
libpspell.so.15 => /usr/lib64/libpspell.so.15 (0x00002b964135a000)
libgmp.so.3 => /usr/lib64/libgmp.so.3 (0x00002b964155c000)
libcurl.so.3 => /usr/lib64/libcurl.so.3 (0x00002b9641795000)
libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x00002b96419d2000)
libz.so.1 => /usr/lib64/libz.so.1 (0x00002b9641be3000)
libpcre.so.0 => /lib64/libpcre.so.0 (0x00002b9641df7000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b9642013000)
libm.so.6 => /lib64/libm.so.6 (0x00002b9642229000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002b96424ac000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b96426b0000)

libxml2.so.2 => /opt/PostgreSQL/8.4/lib/libxml2.so.2
(0x00002b96428c9000) <----- our culprit

libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2
(0x00002b9642b08000)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b9642d36000)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b9642fcc000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b96431f1000)
libssl.so.6 => /lib64/libssl.so.6 (0x00002b96433f3000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b964363e000)
libidn.so.11 => /usr/lib64/libidn.so.11 (0x00002b964398f000)
libc.so.6 => /lib64/libc.so.6 (0x00002b9643bc0000)
libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00002b9643f18000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00002b9644218000)
/lib64/ld-linux-x86-64.so.2 (0x0000003c3e000000)
libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0
(0x00002b9644427000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b964462f000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b9644832000)
libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b9644a4a000)
[root at hwd-ddc-app01-prod01 modules]# ls -l /opt/PostgreSQL/8.4/lib/libxml2.so.2
-rwxr-xr-x 1 root daemon 4115398 Dec 10 02:41
/opt/PostgreSQL/8.4/lib/libxml2.so.2
[root at hwd-ddc-app01-prod01 modules]# ls -lZ /opt/PostgreSQL/8.4/lib/libxml2.so.2
-rwxr-xr-x root daemon user_u:object_r:usr_t
/opt/PostgreSQL/8.4/lib/libxml2.so.2
[root at hwd-ddc-app01-prod01 modules]#

I fixed this by adding "unset LD_LIBRARY_PATH" to /etc/init.d/httpd. Now we load
/usr/lib64/libxml2.so.2 which has the correct label (lib_t)

I think I'll change this by moving the LD_LIBRARY_PATH setting from /etc/profile
into the startup script for the python daemon, so I can have a vanilla
/etc/init.d/httpd

Thank you very much for your help!
Aleksey