The selinux_ignore_defaults behavior isn't the main issue here. As Filip Pytloun describes correctly: when the Puppet agent is installed and the Puppet service starts, it reads all available SELinux policies on the system. The problem starts to occur when additional SELinux policies are installed (via the 'container-selinux' RPM on Red Hat, for example). The issue is that the Puppet service isn't aware of these new SELinux policies that are installed on the system, not until the Puppet service is restarted. So the outcome of a Puppet run via the Puppet service is completely different from the outcome of 'puppet agent --test'. This is because the 'puppet agent' command is aware of all SELinux policies upon invocation, whereas the Puppet service still needs a restart to 'learn' these new policies. The thing is, when (or after) installing SELinux policies via Puppet, the Puppet service should be restarted to become aware of the new policies. Restarting the Puppet service during a Puppet run creates some kind of inception-like situation that breaks the Puppet run.
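A defender-side check for the stale-daemon condition the comment describes, written as an added example (not code from the ticket, its commenters or the Puppet project): it lists SELinux policy module files whose modification time is later than the start time of the long-running service, which is exactly the set of modules the running daemon has not "learned". The module store path /etc/selinux/targeted/active/modules and the systemctl property used to obtain the service start time are assumptions about RHEL-family hosts; `stat -c %Y` and `touch -d` are GNU coreutils behaviour.

```shell
#!/bin/sh
# Added example, not from the Puppet ticket or the Puppet project.
# Lists SELinux policy module files installed AFTER a long-running service
# (e.g. the puppet daemon) started, i.e. modules the daemon is not yet aware of.
#
# Usage: stale_policy_modules <service_start_epoch> <module_store_dir>
# Assumed real-world inputs (not verified on this page):
#   start=$(date -d "$(systemctl show -p ExecMainStartTimestamp --value puppet)" +%s)
#   stale_policy_modules "$start" /etc/selinux/targeted/active/modules
stale_policy_modules() {
    start_epoch="$1"
    store_dir="$2"
    # Walk the module store; each policy module is a regular file (cil/hll).
    find "$store_dir" -type f 2>/dev/null | while read -r f; do
        mtime=$(stat -c %Y "$f")          # GNU stat: mtime as epoch seconds
        if [ "$mtime" -gt "$start_epoch" ]; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Wrapper for use in a health check: prints the offending modules and returns 1
# when the daemon started before the newest policy module was installed, else 0.
puppet_needs_restart() {
    out=$(stale_policy_modules "$1" "$2")
    if [ -n "$out" ]; then
        printf 'policy modules newer than service start (restart needed):\n%s\n' "$out"
        return 1
    fi
    return 0
}
```

Run it from a cron job or a monitoring agent rather than from inside a Puppet run, which avoids the restart-during-run problem the comment mentions: the check only reports that a restart is due, and the restart itself can then be scheduled outside the agent's catalog application.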