What were you trying to do that didn't work?

We had to set Requires: container-selinux >= 4:2.237 for MicroShift 4.18 because of missing policies that would prevent containers from starting.

After adding that requirement, we cannot build ostree commits because of "conflicting requests":

cannot install both container-selinux-4:2.237.0-1.rhaos4.18.el9.noarch from 118b081b88ca0ce4914a9c0825ee712747d69bc26d86b11506f2111e69a5da51 and container-selinux-3:2.229.0-1.el9_4.1.noarch from 1ff4bcd01a778f3ddad70bbbc30fa99ca11a4bc0b2f51b410a06d3f0a8a5fea6

With the help of osbuild team I found depsolve json that could reproduce the issue:

"transactions": [
            {
                "package-specs": [
                    "container-selinux"
                ],
                "exclude-specs": [
                    "rng-tools",
                    "bootupd"
                ],
                "repo-ids": [
                    "bf20000dc09a73706ec9e39eb228276720e7be733504756a1f2e675261db15ae", // baseos
                    "b021f2a10e23d276203f67748602396eb93e389fde7027c2574371bd8fd2baac"  // appstream
                ],
                "install_weak_deps": true
            },
            {
                "package-specs": [
                    "container-selinux-4:2.237.0-1.rhaos4.18.el9"
                ],
                "exclude-specs": null,
                "repo-ids": [
                    "bf20000dc09a73706ec9e39eb228276720e7be733504756a1f2e675261db15ae", // baseos
                    "b021f2a10e23d276203f67748602396eb93e389fde7027c2574371bd8fd2baac", // appstream
                    "119b93ab6e27ca92b8308254323b21de5c2db3bb877624ee8fb9faa29c767da4"  // RHOCP 4.18
                ],
                "install_weak_deps": false
{{            }}}
        ],

Here I will quote this message:

• dnf4 won't upgrade a package installed by a previous transaction
• dnf4 will ignore a package name w/o nevra for a previously installed package
• dnf4 will return a conflict if a later transaction specifically requests a newer nevra for a package already installed by a previous transaction
• dnf5 acts differently, it will upgrade the package in later transactions with or without nevra and will not return a conflict (we do not use dnf5 yet)

When I change the depsolve.json to have same repos in both transactions - it works.

What is the impact of this issue to you?

Cannot build working ostree commit with MicroShift 4.18:

• if we enforce the container-selinux version, the commit doesn't build
• if we keep the version, microshift will fail at runtime

Please provide the package NVR for which the bug is seen:

v132

How reproducible is this bug?:

100%

Steps to reproduce

1. Add container-selinux >= 4:2.237 requirement to one of MicroShift's RPMs
2. Try to build ostree commit
3.  

Expected results

ostree commit with microshift 4.18 is build succcesfully

Actual results

blueprint depsolve is successful, actual compose fails

Slack thread: https://redhat-internal.slack.com/archives/C0235DZB0DT/p1771412468082489