
rpm-ostree leaves selinux file_contexts.subs_dist in a critical state if the selinux-policy package is replaced #5538

@RoyalOughtness

Description

@RoyalOughtness

Describe the bug

rpm-ostree is supposed to post-process /usr/etc/selinux/{name}/contexts/files/file_contexts.subs_dist (https://github.com/coreos/rpm-ostree/blob/main/rust/src/composepost.rs#L397) and crucially, comment out the mapping from /var/home to /home.

This seems to correlate with any time our builds install a version of selinux-policy-devel that mismatches the existing selinux-policy, since it forces the installation of a new selinux-policy version, and this seems to correlate with the mapping above not being commented out. Example: https://github.com/secureblue/secureblue/actions/runs/19967820701/job/57264259119

This is critical because it means that a simple restorecon can change the entire homedir contents for a user to default_t, breaking it.

Reproduction steps

  1. Run a build of a bootc image based on a Fedora Atomic bootc image
  2. Install a version of selinux-policy-devel higher than the existing version (forcing selinux-policy to be upgraded)
  3. Observe that /usr/etc/selinux/{name}/contexts/files/file_contexts.subs_dist does not have the /var/home to /home mapping commented out.

Expected behavior

  1. Run a build of a bootc image based on a Fedora Atomic bootc image
  2. Install a version of selinux-policy-devel higher than the existing version (forcing selinux-policy to be upgraded)
  3. The /var/home to /home mapping should be commented out in the resulting image

Actual behavior

  1. Run a build of a bootc image based on a Fedora Atomic bootc image
  2. Install a version of selinux-policy-devel higher than the existing version (forcing selinux-policy to be upgraded)
  3. Observe that /usr/etc/selinux/{name}/contexts/files/file_contexts.subs_dist does not have the /var/home to /home mapping commented out.

System details

https://github.com/secureblue/secureblue/actions/runs/19967820701/job/57264259119
https://github.com/secureblue/secureblue/blob/live/recipes/securecore/recipe-securecore-main.yml#L17

Additional information

No response
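One way to check a built image for the state this issue describes, as an added example that is not rpm-ostree's or secureblue's own code: it comments out an active /var/home to /home line in a file_contexts.subs_dist file the way the issue says rpm-ostree's post-processing should, and reports whether one is still active. The policy name targeted in the default path is an assumption, and the sample contents in the test are constructed.

```rust
// Added example, not rpm-ostree's own code: the post-processing the issue says
// rpm-ostree should apply to file_contexts.subs_dist, plus a check a build can
// run on the result. The policy name "targeted" is an assumed default.
use std::{env, fs, process};

/// Parse one substitution line (`<path> <substitute>`, e.g. `/var/home /home`).
/// Blank lines and `#` comments yield None, so commented-out lines are ignored.
fn parse_subs_line(line: &str) -> Option<(&str, &str)> {
    let trimmed = line.trim();
    if trimmed.is_empty() || trimmed.starts_with('#') {
        return None;
    }
    let mut fields = trimmed.split_whitespace();
    Some((fields.next()?, fields.next()?))
}

/// True if an active (uncommented) `/var/home /home` mapping is present,
/// which is the state the issue reports in the built image.
pub fn has_active_var_home_mapping(contents: &str) -> bool {
    contents.lines().filter_map(parse_subs_line).any(|(f, t)| f == "/var/home" && t == "/home")
}

/// Comment out every active `/var/home /home` line; all other lines are kept
/// verbatim, and running this twice is a no-op. Output always ends in a newline.
pub fn comment_out_var_home_mapping(contents: &str) -> String {
    let mut out = String::with_capacity(contents.len() + 2);
    for line in contents.lines() {
        if let Some(("/var/home", "/home")) = parse_subs_line(line) {
            out.push_str("# ");
        }
        out.push_str(line);
        out.push('\n');
    }
    out
}

fn main() {
    // Usage: <binary> [path]; exits 1 if the mapping is still active in the file.
    let default = "/usr/etc/selinux/targeted/contexts/files/file_contexts.subs_dist";
    let path = env::args().nth(1).unwrap_or_else(|| default.to_string());
    let contents = fs::read_to_string(&path).unwrap_or_else(|e| {
        eprintln!("cannot read {path}: {e}");
        process::exit(2)
    });
    if has_active_var_home_mapping(&contents) {
        eprintln!("{path}: /var/home -> /home mapping is still active");
        process::exit(1);
    }
    println!("{path}: /var/home -> /home mapping is commented out");
}
```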
