Background:

selinux-policy took out all of the "non-RHEL" policies and put them in a package in EPEL.  One of those selinux policies is mock.  systemd checks the labels of each service before it starts the service, and if the label is not known, then it does not start the service.  systemd does not check to see if we are running in permissive or enabled mode, it just does not start the service.

The problem is that the composes, and the installation iso, inherit the selinux label of the directory they were created in.  By default the composes are created in /var/lib/mock which has the selinux label system_u:object_r:mock_var_lib_t:s0 and all files in installation images get that selinux label.  Thus, if the installation images have the updated selinux-policy, it does not have the mock_var_lib_t label, so when systemd looks up the label it cannot find it, and does not start services.

In a odd chance of fate, Brew (RHEL), does not build their composes in /var/lib/mock, but in a different directory, that has different selinux labels.  Not because of selinux, but for disk management.  They have it setup this way for years.  But because of this setup, the systemd / selinux bug did not affect them.

Proposal:

The best solution will be to get systemd fixed in some way.  But we suspect that is going to take some time.  Meanwhile our CentOS Stream 10 composes are not installable if we have the latest selinux-policy tagged in.

I am proposing that we change the CentOS Stream Koji to build in a different directory with a different selinux label, similar to Brew (RHEL).