Bug
Resolution: Unresolved
Major
rhel-10.0.beta
libsemanage-3.8-1.el10
Important
rhel-sst-security-selinux
ssg_security
SELINUX 241127 - 241218
- no "Could not set context for ... " warnings during `semodule -B` on a filesystem without support for extended attributes
Pass
Automated
Release Note Not Required
https://issues.redhat.com/browse/RHEL-59192
https://bugzilla.redhat.com/show_bug.cgi?id=2326348
To reproduce, build any tier for rawhide from the base-images repo (https://gitlab.com/fedora/bootc/base-images). E.g.:
```
$ podman build --security-opt=label=disable --cap-add=all --device /dev/fuse -t quay.io/jlebon/fedora-bootc:tier-x . --build-arg MANIFEST=fedora-tier-x.yaml --from quay.io/fedora/fedora:rawhide
...
passt-selinux.post: Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas/lang_ext: Operation not supported
passt-selinux.post: Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas: Operation not supported
passt-selinux.post: Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/cil: Operation not supported
passt-selinux.post: Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/hll: Operation not supported
...
Could not set context for /etc/selinux/targeted/tmp/commit_num: Operation not supported
Could not set context for /etc/selinux/targeted/tmp/file_contexts: Operation not supported
Could not set context for /etc/selinux/targeted/tmp/file_contexts.homedirs: Operation not supported
```
https://src.fedoraproject.org/rpms/selinux-policy/pull-request/480 fixed it for selinux-policy-targeted itself, but basically any package that installs SELinux modules would need to do the same change. As well, recompiling the policy (like rpm-ostree does during the compose) triggers the warnings. Which I think overall argues for fixing the tooling itself to not warn.
See also https://gitlab.com/fedora/bootc/tracker/-/issues/45
Hi,
I have a similar problem to this issue and was pointed to it by Colin. Is it expected that any package that runs 'semodule' adds a '2 > /dev/null' to its specfile?
My test Dockerfile calls semodule directly to reproduce a problem: https://gitlab.cee.redhat.com/dzickus/restraint-container
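
An added example, not from the issue or from libsemanage: a POSIX shell wrapper that drops only the `Could not set context for ...: Operation not supported` lines from a command's stderr and keeps every other message and the exit status, as a narrower alternative to redirecting all of stderr to /dev/null. `filter_xattr_warnings` and `fake_semodule` are hypothetical names, and `fake_semodule` emits constructed sample output in place of the real `semodule`.

```sh
#!/bin/sh
# Added example; filter_xattr_warnings and fake_semodule are hypothetical names.

# Run "$@", hide only the warning emitted when the filesystem cannot store
# SELinux labels, pass all other stderr through, and return the command's
# own exit status.
filter_xattr_warnings() {
    fxw_log=$(mktemp) || return 1
    fxw_rc=0
    "$@" 2>"$fxw_log" || fxw_rc=$?
    # -v drops matching lines; "|| true" because grep exits 1 when nothing is left.
    grep -v -E 'Could not set context for .+: Operation not supported$' \
        "$fxw_log" >&2 || true
    rm -f "$fxw_log"
    return "$fxw_rc"
}

# Constructed stand-in for semodule: two warnings in the format quoted in the
# report plus one unrelated, constructed error, then a failing exit status.
fake_semodule() {
    echo "Could not set context for /etc/selinux/targeted/tmp/commit_num: Operation not supported" >&2
    echo "Could not set context for /etc/selinux/targeted/tmp/file_contexts: Operation not supported" >&2
    echo "fake_semodule: constructed unrelated failure" >&2
    return 1
}

# Demo: only the unrelated failure is printed, and the status is still 1.
filter_xattr_warnings fake_semodule -B || echo "exit status: $?"
```

Stderr is held until the command exits, so any surviving messages appear after the command's stdout rather than interleaved with it.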
- is related to: RHEL-59192 posttrans should handle EOPNOTSUP (being run in a container) - Release Pending
- links to: RHBA-2024:141151 libsemanage bug fix and enhancement update