Bug
Resolution: Unresolved
rhel-8.9.0
Moderate
rhel-sst-upgrades
Red Hat Enterprise Linux
Leapp: 9.6 & 10.0
What were you trying to do that didn't work?
When leapp reboots the system on RHEL9 after upgrading, we can see setroubleshootd report AVCs:
setroubleshoot[10728]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file leapp3. For complete SELinux messages run: sealert -l 2de8ab57-98d7-4a63-ae19-4f3a5bbb15dd
setroubleshoot[10728]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file leapp3.
setroubleshoot[10728]: SELinux is preventing /usr/bin/python3.9 from 'read, open' accesses on the file /root/tmp_leapp_py3/leapp3. For complete SELinux messages run: sealert -l 286209e9-55b5-4b75-ae80-3607a94c0b55
These AVCs are expected, because the leapp_resume.service unit is "malformed": it tries to execute /root/tmp_leapp_py3/leapp3 while that file is labeled admin_home_t, so SELinux would block the execution if the system were booting in Enforcing mode.
I believe we should make sure the message doesn't even show up, which can be done very easily by creating a wrapper, as shown below:
ExecStart=/bin/sh -c "/root/tmp_leapp_py3/leapp3 upgrade --resume"
With such a shell wrapper, the service will then run as initrc_t, which removes the AVCs completely, thanks to the following type transition rule:
# sesearch -T -s init_t -t shell_exec_t -c process
type_transition init_t shell_exec_t:process initrc_t;
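As an added example (not code from this bug report or from the leapp project), the POSIX shell functions below lint a unit file for the situation described above, an ExecStart binary under /root and therefore labeled admin_home_t, and generate a systemd drop-in that re-points ExecStart through /bin/sh so the service starts in initrc_t as the report proposes. The sample unit file, the drop-in file name and the directory paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of leapp. Assumptions: the unit
# keeps a single ExecStart= line, and any binary under /root is labeled
# admin_home_t (the default policy label the report describes).

# Print the command (prefix characters such as "-" or "@" stripped) from the
# last ExecStart= line of a unit file.
execstart_cmd() {
    sed -n 's/^ExecStart=//p' "$1" | tail -n 1 | sed 's/^[-@+!]*//'
}

# Print only the binary path of that command.
execstart_path() {
    execstart_cmd "$1" | awk '{print $1}'
}

# Return 0 when the ExecStart binary lives under /root and would therefore
# be executed from admin_home_t directly by systemd (init_t), i.e. when the
# unit needs the /bin/sh wrapper. Already wrapped units return 1.
needs_sh_wrapper() {
    path="$(execstart_path "$1")"
    case "$path" in
        /root/*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Write a drop-in that clears ExecStart and re-adds it behind /bin/sh -c.
# Prints the path of the drop-in file it created.
write_sh_wrapper_dropin() {
    unit_file="$1"
    dropin_dir="$2"
    cmd="$(execstart_cmd "$unit_file")"
    mkdir -p "$dropin_dir"
    # An empty ExecStart= resets the list before the wrapper is added.
    printf '[Service]\nExecStart=\nExecStart=/bin/sh -c "%s"\n' "$cmd" \
        > "$dropin_dir/10-sh-wrapper.conf"
    printf '%s\n' "$dropin_dir/10-sh-wrapper.conf"
}

# Usage (constructed sample unit, written to a temporary directory):
#   tmp=$(mktemp -d)
#   printf '[Service]\nExecStart=/root/tmp_leapp_py3/leapp3 upgrade --resume\n' \
#       > "$tmp/leapp_resume.service"
#   needs_sh_wrapper "$tmp/leapp_resume.service" && \
#       write_sh_wrapper_dropin "$tmp/leapp_resume.service" "$tmp/leapp_resume.service.d"
```

On a real system the drop-in directory would be /etc/systemd/system/leapp_resume.service.d (an assumption about where the unit is installed), followed by systemctl daemon-reload; the lint function can also be run over all unit files under /etc/systemd/system to find other services that execute binaries from /root.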
Please provide the package NVR for which the bug is seen:
leapp-upgrade-el8toel9-0.19.0-4.el8_9.noarch
How reproducible:
N/A