Bug
Resolution: Unresolved
rhel-sst-bootc
What were you trying to do that didn't work?
When running on a rhel-bootc image and using dnf to install an entitled package using --transient, SELinux denials are logged against rhsm-package-profile-uploader for trying to write to the following files:
- /usr/share/rpm/rpmdb.sqlite-shm
- /usr/share/rpm/rpmdb.sqlite-wal
What is the impact of this issue to you?
Please provide the package NVR for which the bug is seen:
dnf-4.14.0-25.el9.noarch
dnf-data-4.14.0-25.el9.noarch
dnf-plugins-core-4.3.0-20.el9.noarch
libdnf-plugin-subscription-manager-1.29.45-1.el9.x86_64
librhsm-0.0.3-9.el9.x86_64
python3-subscription-manager-rhsm-1.29.45-1.el9.x86_64
selinux-policy-38.1.53-2.el9.noarch
selinux-policy-devel-38.1.53-2.el9.noarch
selinux-policy-doc-38.1.53-2.el9.noarch
selinux-policy-targeted-38.1.53-2.el9.noarch
subscription-manager-1.29.45-1.el9.x86_64
subscription-manager-rhsm-certificates-20220623-1.el9.noarch
How reproducible is this bug?
Always on a system running in image mode when using dnf to install content on the overlay.
Steps to reproduce
    # subscription-manager register
    # subscription-manager config --rhsm.package_profile_on_trans=1
    # dnf install zsh -y --quiet --transient
    # ausearch -m avc -i -ts recent
Expected results
- no SELinux denials
Not sure... /usr is a known read-only filesystem on a rhel-bootc image, yet the install is being consciously done on an overlayfs. To get rid of the denials, is a policy change needed, or should the rhsm-package-profile-uploader be aware of the read-only filesystem?
Actual results
- SELinux denials appear
- clones RHEL-81753 [rhel-10] rhsm-package-profile-uploader triggers AVCs during a dnf --transient install (New)
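A triage helper for the last reproduction step, added here as an example and not part of the original report: it reduces `ausearch -m avc -i` output to the denials that name the two rpmdb sidecar files, grouped by process and permission. The sample records are constructed; the `SOURCE_T` and `TARGET_T` contexts are placeholders, and the `rhsm-package-pr` process name assumes the kernel's 15-character limit on `comm`.

```shell
#!/bin/sh
# Added example: count AVC denials against rpmdb.sqlite-shm / rpmdb.sqlite-wal.

# Constructed sample in the style of `ausearch -m avc -i`; the pids, inodes,
# timestamps and the SOURCE_T / TARGET_T types are placeholders.
sample_avc_lines() {
    cat <<'EOF'
----
type=AVC msg=audit(01/01/2025 10:00:01.101:501) : avc:  denied  { write } for  pid=4001 comm=rhsm-package-pr name=rpmdb.sqlite-shm dev="overlay" ino=1001 scontext=system_u:system_r:SOURCE_T:s0 tcontext=system_u:object_r:TARGET_T:s0 tclass=file permissive=0
----
type=AVC msg=audit(01/01/2025 10:00:01.102:502) : avc:  denied  { write } for  pid=4001 comm=rhsm-package-pr name=rpmdb.sqlite-wal dev="overlay" ino=1002 scontext=system_u:system_r:SOURCE_T:s0 tcontext=system_u:object_r:TARGET_T:s0 tclass=file permissive=0
----
type=AVC msg=audit(01/01/2025 10:05:07.201:610) : avc:  denied  { write } for  pid=4050 comm="rhsm-package-pr" name="rpmdb.sqlite-shm" dev="overlay" ino=1001 scontext=system_u:system_r:SOURCE_T:s0 tcontext=system_u:object_r:TARGET_T:s0 tclass=file permissive=0
----
type=AVC msg=audit(01/01/2025 10:06:00.000:611) : avc:  denied  { read } for  pid=4100 comm=otherproc name=unrelated.conf dev="overlay" ino=2000 scontext=system_u:system_r:SOURCE_T:s0 tcontext=system_u:object_r:TARGET_T:s0 tclass=file permissive=0
EOF
}

# Reads AVC records on stdin and prints "<count> <comm> <perms> <file>" for
# every denial whose name= field is one of the two rpmdb sidecar files.
rpmdb_avc_summary() {
    awk '
    /avc:/ && /denied/ {
        comm = ""; name = ""; perms = ""
        # The denied permissions sit between the first "{" and "}".
        s = index($0, "{"); e = index($0, "}")
        if (s && e > s) {
            perms = substr($0, s + 1, e - s - 1)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        # Raw audit.log quotes comm= and name=; ausearch -i may not.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^name=/) { name = substr($i, 6); gsub(/"/, "", name) }
        }
        if (name == "rpmdb.sqlite-shm" || name == "rpmdb.sqlite-wal")
            count[comm " " perms " " name]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort
}

# On the affected host: ausearch -m avc -i -ts recent | rpmdb_avc_summary
sample_avc_lines | rpmdb_avc_summary
```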