Index: cloud-init/cloudinit/CloudConfig/cc_puppet.py
===================================================================
--- cloud-init.orig/cloudinit/CloudConfig/cc_puppet.py
+++ cloud-init/cloudinit/CloudConfig/cc_puppet.py
@@ -23,6 +23,12 @@ import StringIO
 import ConfigParser
 import cloudinit.CloudConfig as cc
 
+try:
+    import selinux
+    HAVE_LIBSELINUX = True
+except ImportError:
+    HAVE_LIBSELINUX = False
+
 def handle(name,cfg,cloud,log,args):
     # If there isn't a puppet key in the configuration don't do anything
     if not cfg.has_key('puppet'): return
@@ -58,6 +64,8 @@ def handle(name,cfg,cloud,log,args):
                 ca_fh.close()
                 os.chown('/var/lib/puppet/ssl/certs/ca.pem',
                          pwd.getpwnam('puppet').pw_uid, 0)
+                if HAVE_LIBSELINUX and selinux.is_selinux_enabled():
+                    selinux.restorecon('/var/lib/puppet', recursive=True)
             else:
                 #puppet_conf_fh.write("\n[%s]\n" % (cfg_name))
                 # If puppet.conf already has this section we don't want to write it again
@@ -81,6 +89,8 @@ def handle(name,cfg,cloud,log,args):
             os.rename('/etc/puppet/puppet.conf','/etc/puppet/puppet.conf.old')
             with open('/etc/puppet/puppet.conf', 'wb') as configfile:
                 puppet_config.write(configfile)
+            if HAVE_LIBSELINUX and selinux.is_selinux_enabled():
+                selinux.restorecon('/etc/puppet/puppet.conf')
     # Set puppet default file to automatically start
     subprocess.check_call(['sed', '-i',
                            '-e', 's/^START=.*/START=yes/',