Cloned BZ#2057497 to explore the feasibility of backporting the fix for that problem to RHEL 9.1.

We had a RHEL for Edge customer hit this problem after doing a SELinux policy modification on RHEL 9.0 and then running into problems after upgrading to RHEL 9.1.
See https://redhat-internal.slack.com/archives/C01UHN61GSD/p1683290313616689
See https://access.redhat.com/support/cases/#/case/03503744

The upstream issue that tracks this (or part of this) is https://github.com/coreos/rpm-ostree/issues/27.

A workaround for this is currently included in Red Hat CoreOS via a systemd unit that runs `semodule -B` early in the boot process:
https://github.com/openshift/os/blob/master/overlay.d/05rhcos/usr/lib/systemd/system/rhcos-selinux-policy-upgrade.service
https://github.com/openshift/os/blob/master/overlay.d/05rhcos/usr/libexec/rhcos-rebuild-selinux-policy
This is fixed since ostreedev/ostree#2569 in ostree v2022.3, which is shipped in 9.1 already. But note that the fix needs to be in the version we're upgrading *from*. We could try to ship this back to 9.0.z but it's a nontrivial patch.
This also depends on fixes in libsemanage and policycoreutils that I've verified have landed in 9.0 already:
- https://bugzilla.redhat.com/show_bug.cgi?id=2049191 in 9.0
- https://bugzilla.redhat.com/show_bug.cgi?id=2049193 in 9.0
- https://bugzilla.redhat.com/show_bug.cgi?id=2104935 in 9.1, backported to 9.0 with https://bugzilla.redhat.com/show_bug.cgi?id=2129140
Link for upstream ostree PR: https://github.com/ostreedev/ostree/pull/2569