RHEL-106324

rpm-ostree can't downgrade selinux-policies


    • Bug
    • Resolution: Unresolved
    • rhel-10.1
    • bootc
    • Important
    • rhel-image-mode

      What were you trying to do that didn't work?

      Downgrade selinux policies persistently to check if my test scenario fails because of a recent selinux policy update.

      What is the impact of this issue to you?

      I can't determine on my system if an issue was introduced due to a specific package version update.

      Please provide the package NVR for which the bug is seen:

      bootc-1.4.0-1.el10.x86_64
      rpm-ostree-2025.9-1.el10.x86_64
      ostree-2025.4-1.el10.x86_64

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Configure SELinux permissive
        cat /etc/selinux/config|grep SELINUX
        SELINUX=permissive
      2. Download a previous version for selinux-policy and selinux-policy-targeted into a folder on the bootc system
      3. rpm-ostree override replace ./*
      4. systemctl reboot

      Expected results

      rpm-ostree confirms that the changes were staged and requests a reboot.
      After the reboot,

      rpm -q <package_name>

      confirms that the package was downgraded.

      Actual results

      rpm-ostree confirms that the changes were staged and requests a reboot.
      During boot, ostree-boot-complete.service fails to start and the package versions remain the same:

      × ostree-boot-complete.service - OSTree Complete Boot
           Loaded: loaded (/usr/lib/systemd/system/ostree-boot-complete.service; enabled-runtime; preset: disabled)
           Active: failed (Result: exit-code) since Tue 2025-07-29 15:33:10 UTC; 53s ago
       Invocation: ec581bda44ca46819a70757e96823cce
             Docs: man:ostree(1)
          Process: 921 ExecStart=/usr/bin/ostree admin boot-complete (code=exited, status=1/FAILURE)
         Main PID: 921 (code=exited, status=1/FAILURE)
         Mem peak: 3.2M
              CPU: 15ms
      
      Jul 29 15:33:10 localhost systemd[1]: Starting ostree-boot-complete.service - OSTree Complete Boot...
      Jul 29 15:33:10 localhost ostree[921]: error: ostree-finalize-staged.service failed on previous boot: Finalizing deployment: Finalizing SELinux policy: Child process exited with code 1
      Jul 29 15:33:10 localhost systemd[1]: ostree-boot-complete.service: Main process exited, code=exited, status=1/FAILURE
      Jul 29 15:33:10 localhost systemd[1]: ostree-boot-complete.service: Failed with result 'exit-code'.
      Jul 29 15:33:10 localhost systemd[1]: Failed to start ostree-boot-complete.service - OSTree Complete Boot.
      

      Additional information

      1. I assume that SELinux would have to relabel the filesystem, so I tried to set that, but of course with the read-only filesystem that wouldn't work:
        fixfiles -F onboot 
        /usr/sbin/fixfiles: line 352: /.autorelabel: Read-only file system
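The failure above is only visible indirectly: rpm-ostree reports success at staging time, and the unapplied deployment is discovered one boot later in the ostree-boot-complete.service journal. The following shell snippet is an added example, not part of the bug report or of the rpm-ostree project; it extracts the finalize-failure reason from journal text in the format shown above and classifies an SELinux-policy finalization failure, so a post-reboot health check can tell "override silently not applied" apart from "override applied". The sample journal is constructed from the lines quoted in the report; `check_live` assumes `journalctl` is available on the host.

```shell
#!/bin/sh
# Added example (not from the bug report): detect a staged ostree deployment
# that failed to finalize on the previous boot, from journal text.

# finalize_failure_reason JOURNAL_TEXT
# Prints the reason ostree logged after "failed on previous boot: ",
# or nothing if no finalize failure is recorded.
finalize_failure_reason() {
    printf '%s\n' "$1" \
        | sed -n 's/.*ostree-finalize-staged.service failed on previous boot: //p' \
        | head -n 1
}

# is_selinux_policy_failure REASON
# Returns 0 when the reason is the SELinux policy finalization step seen in
# this report, 1 otherwise.
is_selinux_policy_failure() {
    case "$1" in
        *"Finalizing SELinux policy"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample, shaped like the journal excerpt in the report.
SAMPLE_JOURNAL='Jul 29 15:33:10 localhost systemd[1]: Starting ostree-boot-complete.service - OSTree Complete Boot...
Jul 29 15:33:10 localhost ostree[921]: error: ostree-finalize-staged.service failed on previous boot: Finalizing deployment: Finalizing SELinux policy: Child process exited with code 1
Jul 29 15:33:10 localhost systemd[1]: ostree-boot-complete.service: Main process exited, code=exited, status=1/FAILURE
Jul 29 15:33:10 localhost systemd[1]: ostree-boot-complete.service: Failed with result '"'"'exit-code'"'"'.'

# check_live: run on a bootc/rpm-ostree host after a reboot (assumes journalctl).
# Exit 0 = no finalize failure, 1 = staged deployment was not applied,
# 2 = journal unavailable.
check_live() {
    journal=$(journalctl -b -u ostree-boot-complete.service --no-pager -o short 2>/dev/null) || return 2
    reason=$(finalize_failure_reason "$journal")
    if [ -n "$reason" ]; then
        echo "staged deployment was NOT applied: $reason"
        if is_selinux_policy_failure "$reason"; then
            echo "SELinux policy finalization failed; installed package versions are unchanged"
        fi
        return 1
    fi
    echo "no finalize failure recorded for this boot"
}

# Offline demonstration on the constructed sample; pass --live to query journalctl.
if [ "${1:-}" = "--live" ]; then
    check_live
else
    reason=$(finalize_failure_reason "$SAMPLE_JOURNAL")
    echo "sample reason: $reason"
fi
```

Run it with `--live` from a post-reboot check (for example a systemd oneshot or a test harness step) so that a staged override that never took effect fails the check instead of being mistaken for a successful downgrade.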

              wshi@redhat.com Wei Shi
              smitterl@redhat.com Sebastian Mitterle
              Colin Walters Colin Walters
              Xiaofeng Wang Xiaofeng Wang