Apparmor SSL abstraction does not allow read access to /usr/local/share/ca-certificates

Binary package hint: apparmor

Adding a custom CA certificate to /usr/local/share/ca-certificates and registering it using /usr/sbin/update-ca-certificates, daemon that have been apparmor-ified (such as slapd) cannot access the custom CA certificate.

Below is an example using slapd on lucid:

ubuntu@directory:~$ sudo service slapd start
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went
wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
try running the daemon in Debug mode like via "slapd -d 16383" (warning:
this will create copious output).

Below, you can find the command line options used by this script to
run slapd. Do not forget to specify those options if you
want to look to debugging output:
  slapd -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d/
ubuntu@directory:~$ tail -5 /var/log/syslog
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: @(#) $OpenLDAP: slapd 2.4.21 (Mar 30 2011 16:20:36) $#012#011buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: main: TLS init def ctx failed: -1
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: slapd stopped.
Apr 20 15:40:52 ip-10-99-66-29 slapd[8070]: connections_destroy: nothing to destroy.
Apr 20 15:40:52 ip-10-99-66-29 kernel: [86245.846972] type=1503 audit(1303314052.426:36): operation="open" pid=8070 parent=8064 profile="/usr/sbin/slapd" requested_mask="::r" denied_mask="::r" fsuid=106 ouid=0 name="/usr/local/share/ca-certificates/cacert.crt"
ubuntu@directory:~$ sudo aa-complain /usr/sbin/slapd
Setting /usr/sbin/slapd to complain mode.
ubuntu@directory:~$ sudo service slapd start
Starting OpenLDAP: slapd.
ubuntu@directory:~$ sudo ldapsearch -Y EXTERNAL -H ldapi:// -b cn=config olcTLSCACertificateFile 2>/dev/null | grep cacert
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
ubuntu@directory:~$ ls -l /etc/ssl/certs/cacert.pem
lrwxrwxrwx 1 root root 43 2011-04-19 20:42 /etc/ssl/certs/cacert.pem -> /usr/local/share/ca-certificates/cacert.crt

In the above, slapd does not start because it cannot access the CA cert in /usr/local/share/ca-certificates/cacert.crt, but it will start just fine if it is in complain mode.