Trying to run puppet in an selinux environment (I've tested in with mcs policy) failed because of multiple issues. I've create a minimal custom puppet policy to use in addition to the provided module which contains file contexts and policy rules that works around these issues. 

* the puppet wrapper.sh (used to start puppet) has wrong file context
* init script has wrong file context (although I'm not sure if it's needed)
* the puppet log directory created by the init script has wrong file context
* the puppet-provided "virt-what-cpuid-helper"-script has wrong file context
* init script is not allowed to check for, and create, puppet log directory
* openrc is not allowed to transit to puppet_t context

In addition to this the audit log fills up with lots of attempts of puppet to access stuff, and I'm not sure how much of it is needed. In my policy I have also allowed puppet to read dac and change its own gid.

Reproducible: Always