First, puppet and puppetmaster are now both in /usr/bin, not /usr/sbin, so any file-context entries that still point at /usr/sbin will no longer match them.
And here is what I needed to add to the policy:
# Local policy module that grants the puppet_t domain additional permissions.
# NOTE(review): the layout matches audit2allow output, so these rules were
# presumably derived from logged AVC denials -- review each rule before loading
# rather than accepting the set wholesale.
module puppetlocal 1.0;
# Everything referenced below must already be defined by the loaded base policy
# or another module; otherwise this module will not install.
require {
type sendmail_exec_t;
type puppet_t;
type proc_net_t;
type mount_exec_t;
type portage_exec_t;
type passwd_exec_t;
type initrc_notrans_exec_t;
class capability dac_read_search;
class dir search;
class file { execute read open getattr execute_no_trans };
}
#============= puppet_t ==============
# NOTE(review): "execute" on its own does not make an exec succeed. SELinux also
# requires either execute_no_trans (run the program in the caller's domain) or a
# permitted domain transition. Of the five executable types below only
# mount_exec_t gets execute_no_trans here; the other four presumably rely on
# transitions defined elsewhere, or will raise further denials -- confirm.
allow puppet_t initrc_notrans_exec_t:file execute;
# execute_no_trans: mount runs inside puppet_t itself, so it operates with
# puppet_t's permissions instead of a dedicated mount domain.
allow puppet_t mount_exec_t:file { execute execute_no_trans };
allow puppet_t passwd_exec_t:file execute;
allow puppet_t portage_exec_t:file execute;
# Read-only access to proc_net_t, the label normally carried by /proc/net:
# directory search plus read/getattr/open on files.
allow puppet_t proc_net_t:dir search;
allow puppet_t proc_net_t:file { read getattr open };
# dac_read_search lets the process bypass DAC read checks on files and
# read/search checks on directories, independent of file ownership. This is the
# broadest grant in the module; confirm which access actually needed it.
allow puppet_t self:capability dac_read_search;
allow puppet_t sendmail_exec_t:file execute;
-- Matthew Thode