From 043650e805d0d533af1b5a0576901450244ca3f0 Mon Sep 17 00:00:00 2001 From: Ian Wienand Date: Thu, 17 Sep 2015 15:40:01 +1000 Subject: [PATCH] Systemd+selinux vs iptables on centos7, round 2 See Ibcb27199f0ecf3b1e3d927be42112e2ebcb5cd79 for part 1 So it turns out that installing the latest systemd and restarting isn't enough to get this working. It seems that a "systemctl daemon-reload" is required between installing iptables-services and enabling iptables (note, this should *not* be required; the iptables-services .spec file does a "systemctl preset iptables.service" which is documented as being equivalent to a daemon-reload. You can see this failing in the selinux denials in the referenced bug). What does seem to work is upgrading to the latest selinux-policy before installing iptables, so add this in. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1261747 Change-Id: I4c1983019834d676f99becfde4ffd3f8de19c3a6 --- install_puppet.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/install_puppet.sh b/install_puppet.sh index dfb671a956..4a4a47c3e0 100755 --- a/install_puppet.sh +++ b/install_puppet.sh @@ -55,8 +55,9 @@ function is_opensuse { function _systemd_update { # there is a bug (rhbz#1261747) where systemd can fail to enable # services due to selinux errors after upgrade. A work-around is - # to install the latest version here and restart the daemon after - # it is upgraded. + # to install the latest version of selinux and systemd here and + # restart the daemon for good measure after it is upgraded. + yum install -y selinux-policy yum install -y systemd systemctl daemon-reload }
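Review bot: the updated comment in `_systemd_update` says "latest version of selinux and systemd", but the line added below it installs `selinux-policy`, and the comment does not record the ordering constraint that the commit message relies on (the policy must be upgraded before iptables-services is installed). Suggest naming the package in the comment and stating that this function has to run before the iptables install, so a later reordering of `install_puppet.sh` does not silently bring the rhbz#1261747 denials back. The phrase "restart the daemon for good measure" also leaves it unclear whether `systemctl daemon-reload` is still part of the work-around or could be dropped; since the commit message says the systemd upgrade plus restart was not enough on its own, the comment should say which of the three commands is the one that fixes the problem. Finally, nothing in the visible lines checks the result of `yum install -y selinux-policy`; if that install fails, the function still goes on to the systemd upgrade and reload, and the failure would only show up later as the same SELinux denial when iptables is enabled, so consider failing here or logging the installed `selinux-policy` version.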