Cannot execute puppet agent command due to regression in selinux policy

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL) 6.9, 7.4
  • selinux-policy-3.7.19-306.el6
  • selinux-policy-3.13.1-166.el7

Issue

We're having trouble with the command:

# puppet agent --test --noop

We expect the command to succeed, but it fails due to AVC denials.

Because of this regression we have to run puppet in a permissive domain or downgrade selinux-policy to version 3.7.19-292.el6.

Resolution

Update to:

  • RHEL 6: selinux-policy-3.7.19-307.el6_9.3, released with Advisory RHBA-2018:0176, or newer
  • RHEL 7: selinux-policy-3.13.1-182.el7, released with Advisory RHBA-2018:0763, or newer

Root Cause

SELinux policy version 3.7.19-306 restructured the puppet module code to follow the puppet4 model, including changing the label of the /usr/bin/puppet binary to puppet_exec_t.

This introduced a regression where system administrators cannot execute the puppet agent command.
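
To check hosts against the builds named above, the following added example (not Red Hat's code) classifies a line of `rpm -q selinux-policy` output. The function names and status labels are hypothetical, and the comparison is a simplified form of RPM's ordering without epoch, tilde or caret handling.

```python
import re

# Builds named on this page: the first build with the puppet module
# restructuring (stated for RHEL 6 only) and the first build carrying the fix.
REGRESSED = {"el6": "3.7.19-306.el6"}
FIXED = {"el6": "3.7.19-307.el6_9.3", "el7": "3.13.1-182.el7"}

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment."""
    seg_a = re.findall(r"\d+|[A-Za-z]+", a)
    seg_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric sorts above alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = a.split("-", 1), b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def policy_status(rpm_q_line):
    """Return a hypothetical status label for one `rpm -q` output line."""
    m = re.match(r"selinux-policy-(\d[^-]*-\S+?)(?:\.noarch)?$", rpm_q_line.strip())
    dist = re.search(r"\.(el[67])(?:[._]|$)", m.group(1)) if m else None
    if not dist:
        return "unrecognized"
    evr, dist = m.group(1), dist.group(1)
    if evr_cmp(evr, FIXED[dist]) >= 0:
        return "fixed"
    if dist in REGRESSED and evr_cmp(evr, REGRESSED[dist]) < 0:
        return "pre-regression"
    # Older than the fixed build. For RHEL 7 the page does not name the first
    # regressed build, so every build below the fix lands here.
    return "needs-update"

if __name__ == "__main__":
    # Constructed sample lines, not output captured from a real host.
    for line in ["selinux-policy-3.7.19-306.el6.noarch",
                 "selinux-policy-3.7.19-292.el6.noarch",
                 "selinux-policy-3.13.1-166.el7.noarch",
                 "selinux-policy-3.13.1-182.el7.noarch"]:
        print(f"{line:42} {policy_status(line)}")
```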

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
