I can recreate the issue when upgrading to 0.8.1-11 from 0.8.1-10 but not when downgrading from -11 to -10.

Here is one relevant scripts in swtpm-selinux-0.8.1-11.fc40.noarch:

postinstall scriptlet (using /bin/sh):
for pp in /usr/share/selinux/packages/swtpm.pp \
          /usr/share/selinux/packages/swtpm_svirt.pp \
          /usr/share/selinux/packages/swtpm_libvirt.pp; do

if [ -e /etc/selinux/config ]; then
  . /etc/selinux/config
fi
_policytype=targeted
if [ -z "${_policytype}" ]; then
  _policytype="targeted"
fi
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then
  /usr/sbin/rm -rf /var/lib/selinux/${_policytype}/active/modules/400/extra_varrun        <--------------
  /usr/sbin/semodule -n -s ${_policytype} -X 200 -i ${pp} || :
  /usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
  /usr/libexec/selinux/varrun-convert.sh ${_policytype}
fi

done
restorecon /usr/bin/swtpm


Here's the source from the rpm spec:

%post selinux
for pp in /usr/share/selinux/packages/swtpm.pp \
          /usr/share/selinux/packages/swtpm_svirt.pp \
          /usr/share/selinux/packages/swtpm_libvirt.pp; do
  %selinux_modules_install -s %{selinuxtype} ${pp}
done
restorecon %{_bindir}/swtpm

None of these have /usr/sbin/rm explicitly in them but they use macros:

/usr/lib/rpm/macros.d/macros.selinux-policy

# %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
%selinux_modules_install("s:p:") \
if [ -e /etc/selinux/config ]; then \
  . /etc/selinux/config \
fi \
_policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \
  _policytype="targeted" \
fi \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
  %{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
  %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
  %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
  %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
fi \
%{nil}


_bindir changed?? I don't see changes in the swtpm.spec file related to _bindir.

Here's the --spec output for the -10 package:

postinstall scriptlet (using /bin/sh):
for pp in /usr/share/selinux/packages/swtpm.pp \
          /usr/share/selinux/packages/swtpm_svirt.pp \
          /usr/share/selinux/packages/swtpm_libvirt.pp; do

if [ -e /etc/selinux/config ]; then
  . /etc/selinux/config
fi
_policytype=targeted
if [ -z "${_policytype}" ]; then
  _policytype="targeted"
fi
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then
  /usr/sbin/semodule -n -s ${_policytype} -X 200 -i ${pp} || :
  /usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
fi

done
restorecon /usr/bin/swtpm


Ah, rm was added recently. I guess it must have been a temporary issue with the SELinux macros where rm was added maybe with {_sbindir}/rm .

FEDORA-2024-cc2e1f4871 (swtpm-0.8.1-12.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-cc2e1f4871

FEDORA-2024-cc2e1f4871 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-cc2e1f4871`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-cc2e1f4871

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

*** Bug 2284009 has been marked as a duplicate of this bug. ***

FEDORA-2024-cc2e1f4871 (swtpm-0.8.1-12.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Yeah, this was a bug in the selinux macros, I fixed it: https://src.fedoraproject.org/rpms/selinux-policy/c/e66f4c2f3673833ae0aac94fd60dbeb061c5b088?branch=rawhide

anything built while the macros were broken would have this bug if it used the broken macro. I couldn't figure out a reliable way to search and find them all, though.