ptrace attached
1. log in as an LDAP user
2. use semodule -i
3. ???
4. FAIL
Created attachment 283457: ptrace of semodule (just the fun bits)
Thanks. Indeed, the semodule application wants to get some information from the user. Since you're using an LDAP-managed authentication/authorization system, libnss contacts OpenLDAP. However, you use LDAPS (secure) instead of LDAP, and the current SELinux policy for sysnet_use_ldap() didn't allow that. I'll add dev_read_rand() and dev_read_urand() to that interface in base r2.
I tested it from your overlay. It worked :D
In hardened-dev overlay
In portage tree (~arch)