1. log in as a ldap user
2. use semodule -i
Created attachment 283457 [details]
ptrace of semodule (just the fun bits)
Thanks. Indeed, the semodule application wants to get some information from the user. Since you're using an LDAP-managed authentication/authorization system, the libnss contacts the OpenLDAP. However, you use LDAPS (secure) instead of LDAP, and the current SELinux policy for sysnet_use_ldap() didn't allow that.
to that interface in base r2.
I tested it from your overlay. It worked :D
In hardened-dev overlay
In portage tree (~arch)