Description of problem:
With RHEL 7.3 the output of 'semodule -l' has changed and does not list the version of the loaded policy anymore. In case Puppet's selmodule syncversion for a specific policy is set to true, Puppet tries to parse the currently loaded policy by running 'semodule -l':
Debug: Selmodule[gnome_internal_postfix](provider=semodule): Checking syncversion on gnome_internal_postfix
Debug: Executing '/usr/sbin/semodule --list'
Debug: Selmodule[gnome_internal_postfix](provider=semodule): load version
Debug: Executing '/usr/sbin/semodule --upgrade /usr/share/selinux/custom/gnome/gnome_internal_postfix.pp'
Notice: /Stage[main]/Selinux::Postfix/Selmodule[gnome_internal_postfix]/syncversion: syncversion changed 'false' to 'true'
With RHEL 7.3 this fails:
semodule -l | head -n 5
abrt
accountsd
acct
afs
aiccu
With RHEL 6 it works as expected:
semodule -l | head -n 5
abrt 1.2.0
accountsd 1.0.0
ada 1.4.0
afs 1.5.3
aiccu 1.0.0
Version-Release number of selected component (if applicable):
puppet-3.6.2-3.el7.noarch
How reproducible:
Always.
Steps to Reproduce:
1. Create a custom SELinux policy
2. Apply it to your node (an example: https://infrastructure.gnome.org/browse/puppet/tree/modules/selinux/manifests/bugzilla.pp)
3. Puppet agent run
Actual results:
syncversion is called over and over again.
Expected results:
If the policy has been loaded already, a syncversion should not be needed.
I have the same issue.
In RHEL 7.2 there was no issue. The semodule also listed the versions:
vrempet@li-lc-1437 ~
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
vrempet@li-lc-1437 ~
$ sudo semodule -l | head -n 5
abrt 1.4.1
accountsd 1.1.0
acct 1.6.0
afs 1.9.0
aiccu 1.1.0
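
The following is an added example, not part of the report and not Puppet's provider code: it parses both `semodule -l` output formats quoted above and shows why a check that compares against a missing version never reports "in sync". The helper names (`parse_semodule_list`, `sync_state`, `naive_in_sync?`) and the wanted versions are assumptions made for illustration; the listings are copied from the report.

```ruby
# Listings copied from the report (RHEL 6 with versions, RHEL 7.3 without).
RHEL6_LISTING = <<~OUT
  abrt 1.2.0
  accountsd 1.0.0
  ada 1.4.0
  afs 1.5.3
  aiccu 1.0.0
OUT

RHEL73_LISTING = <<~OUT
  abrt
  accountsd
  acct
  afs
  aiccu
OUT

# Hypothetical helper: parse `semodule -l` output into { name => version }.
# Accepts both "name version" and bare "name" lines; version is nil if absent.
def parse_semodule_list(text)
  text.each_line.with_object({}) do |line, mods|
    name, version = line.split
    next if name.nil?      # skip blank lines
    mods[name] = version   # nil when the listing carries no version column
  end
end

# Hypothetical helper: classify a module against the version we expect.
# Keeps "loaded but version not listed" separate from a real mismatch.
def sync_state(listing, name, wanted_version)
  mods = parse_semodule_list(listing)
  return :absent unless mods.key?(name)
  loaded = mods[name]
  return :version_unknown if loaded.nil?
  loaded == wanted_version ? :in_sync : :out_of_sync
end

# Assumed model of a check that treats a missing version as a mismatch:
# on the RHEL 7.3 format it is false on every run, so the upgrade repeats.
def naive_in_sync?(listing, name, wanted_version)
  parse_semodule_list(listing)[name] == wanted_version
end
```
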