Bug 1391886 - Puppet's selmodule syncversion is called at each run even when the policy version has been loaded already
Status: CLOSED NOTABUG
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: puppet
Version: epel7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jeroen van Meeuwen
QA Contact: Fedora Extras Quality Assurance
Depends On: 1392154 1392573 1395222
Reported: 2016-11-04 10:18 UTC by Andrea Veri
Modified: 2017-05-23 09:56 UTC (History)

Last Closed: 2017-05-23 09:56:21 UTC
Type: Bug



Description Andrea Veri 2016-11-04 10:18:35 UTC
Description of problem:

With RHEL 7.3 the output of 'semodule -l' has changed and no longer lists the version of the loaded policy. If Puppet's selmodule syncversion for a specific policy is set to true, Puppet tries to parse the currently loaded policy by running 'semodule -l':

Debug: Selmodule[gnome_internal_postfix](provider=semodule): Checking syncversion on gnome_internal_postfix
Debug: Executing '/usr/sbin/semodule --list'
Debug: Selmodule[gnome_internal_postfix](provider=semodule): load version 
Debug: Executing '/usr/sbin/semodule --upgrade /usr/share/selinux/custom/gnome/gnome_internal_postfix.pp'
Notice: /Stage[main]/Selinux::Postfix/Selmodule[gnome_internal_postfix]/syncversion: syncversion changed 'false' to 'true'

With RHEL 7.3 this fails:

semodule -l | head -n 5
abrt
accountsd
acct
afs
aiccu

With RHEL 6 it works as expected:

semodule -l | head -n 5
abrt	1.2.0	
accountsd	1.0.0	
ada	1.4.0	
afs	1.5.3	
aiccu	1.0.0

Version-Release number of selected component (if applicable):
puppet-3.6.2-3.el7.noarch

How reproducible:
Always.


Steps to Reproduce:
1. Create a custom SELinux policy
2. Apply it to your node (an example: https://infrastructure.gnome.org/browse/puppet/tree/modules/selinux/manifests/bugzilla.pp)
3. Run the Puppet agent

Actual results:
syncversion is called over and over again.

Expected results:
If the policy has been loaded already, a syncversion should not be needed.
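As an added illustration (not Puppet's provider code and not the reporter's), the following Ruby models the syncversion check described above: it parses both `semodule -l` layouts quoted in the report and shows why output without a version column makes the upgrade fire on every agent run. The version of the .pp file is assumed to be known as a plain string, and the sample listings are constructed from the output shown above.

```ruby
# Added illustration, not Puppet's own provider code. It models the check the
# report describes: read the loaded policy version from `semodule -l` and
# compare it with the version of the .pp file (taken here as a given string).

# Parse `semodule -l` output into { module_name => version }. The version is
# nil when the line has no version column, as in the RHEL 7.3 layout.
def parse_semodule_list(output)
  output.each_line.each_with_object({}) do |line, modules|
    name, version = line.strip.split(/\s+/, 2)
    next if name.nil? || name.empty?
    modules[name] = version.nil? ? nil : version.strip
  end
end

# Platform check: does this `semodule -l` output carry versions at all?
# If not, any version-based syncversion logic can never converge.
def version_column_present?(output)
  parse_semodule_list(output).values.any? { |v| !v.nil? }
end

# One syncversion check. :upgrade means `semodule --upgrade` would run on
# this agent run; :install means the module is not loaded at all.
def syncversion_check(list_output, module_name, file_version)
  modules = parse_semodule_list(list_output)
  return { loaded_version: nil, action: :install } unless modules.key?(module_name)

  loaded = modules[module_name]
  if loaded.nil?
    # No version reported: the comparison can never succeed, so the upgrade
    # fires on every run, which is the behaviour this bug reports.
    { loaded_version: nil, action: :upgrade }
  elsif loaded == file_version
    { loaded_version: loaded, action: :none }
  else
    { loaded_version: loaded, action: :upgrade }
  end
end

# Constructed samples mirroring the two layouts quoted in the report.
RHEL7_3_LIST = "abrt\naccountsd\nacct\nafs\naiccu\n".freeze
RHEL6_LIST   = "abrt\t1.2.0\t\naccountsd\t1.0.0\t\nada\t1.4.0\t\n" \
               "afs\t1.5.3\t\naiccu\t1.0.0\n".freeze

if __FILE__ == $PROGRAM_NAME
  p version_column_present?(RHEL6_LIST)               # true
  p version_column_present?(RHEL7_3_LIST)             # false
  p syncversion_check(RHEL6_LIST, 'abrt', '1.2.0')    # {:loaded_version=>"1.2.0", :action=>:none}
  p syncversion_check(RHEL6_LIST, 'abrt', '1.3.0')    # real drift: :upgrade once
  p syncversion_check(RHEL7_3_LIST, 'abrt', '1.2.0')  # version unknown: :upgrade every run
end
```

Running `version_column_present?` against the live `semodule -l` output on a node is a cheap way to tell whether syncversion can work there at all.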

Comment 1 Peter Vreman 2016-11-10 08:20:23 UTC
I have the same issue.

In RHEL7.2 there was no issue. The semodule also listed the versions:

vrempet@li-lc-1437 ~
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

vrempet@li-lc-1437 ~
$ sudo semodule -l | head -n 5
abrt    1.4.1
accountsd       1.1.0
acct    1.6.0
afs     1.9.0
aiccu   1.1.0

Comment 2 Peter Vreman 2016-11-10 08:26:00 UTC
See also https://bugzilla.redhat.com/show_bug.cgi?id=1392573

Comment 3 Dominic Cleal 2017-05-23 09:56:21 UTC
Fixed in RHEL 7.3.z via bug #1395733 and in 7.4 by bug #1392573, so closing this against Puppet.

