
/etc merge during deployment finalization creating invalid SELinux policy #3563

@hal7df

I'm running a bootc/ostree-based system using a customized Universal Blue/Fedora Atomic image. Recently, I discovered that my system has ceased applying updates due to an SELinux policy error during deployment finalization:

Jan 21 18:51:55 aurora ostree[16670]: Copying /etc changes: 491 modified, 0 removed, 154 added
Jan 21 18:51:55 aurora ostree[16670]: Copying /etc changes: 491 modified, 0 removed, 154 added
Jan 21 18:51:55 aurora ostree[16670]: Refreshing SELinux policy
Jan 21 18:52:00 aurora ostree[16707]: /sbin/setfiles: /etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for wildcard /usr/s?bin/incus.
Jan 21 18:52:00 aurora ostree[16707]: /sbin/setfiles: /etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for wildcard /usr/s?bin/incus-.*.
Jan 21 18:52:00 aurora ostree[16707]: /sbin/setfiles: /etc/selinux/final/targeted/contexts/files/file_contexts: Multiple same specifications for wildcard /usr/lib/systemd/system/incus.*.
Jan 21 18:52:00 aurora ostree[16707]: /etc/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
Jan 21 18:52:00 aurora ostree[16706]: libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
Jan 21 18:52:00 aurora ostree[16706]: semodule:  Failed!
Jan 21 18:52:00 aurora ostree[16670]: Refreshed SELinux policy in 5188 ms
Jan 21 18:52:00 aurora ostree[16670]: error: Finalizing deployment: Finalizing SELinux policy: Child process exited with code 1
Jan 21 18:52:00 aurora systemd[1]: ostree-finalize-staged.service: Control process exited, code=exited, status=1/FAILURE
Jan 21 18:52:00 aurora systemd[1]: ostree-finalize-staged.service: Failed with result 'exit-code'.
Jan 21 18:52:00 aurora systemd[1]: Stopped ostree-finalize-staged.service - OSTree Finalize Staged Deployment.
Jan 21 18:52:00 aurora systemd[1]: ostree-finalize-staged.service: Consumed 5.944s CPU time, 358.1M memory peak.

What's interesting is that the SELinux policy in the updated image appears to be valid, as does the policy in the image that I can currently boot to. However, diffing the "official" SELinux policy in my current (booted) image with the effective policy in /etc suggests something strange:

❯ diff file_contexts /usr/etc/selinux/targeted/contexts/files/file_contexts
227d226
< /run/pcp(/.*)?        system_u:object_r:pcp_var_run_t:s0
946d944
< /var/lib/pcp(/.*)?    system_u:object_r:pcp_var_lib_t:s0
965d962
< /var/log/pcp(/.*)?    system_u:object_r:pcp_log_t:s0
2364d2360
< /var/lib/pcp/pmdas/.*/Remove  --      system_u:object_r:pcp_plugin_exec_t:s0
2366,2367d2361
< /var/lib/pcp/pmdas/.*/Install --      system_u:object_r:pcp_plugin_exec_t:s0
< /var/lib/pcp/pmdas/.*/Upgrade --      system_u:object_r:pcp_plugin_exec_t:s0
3795,3796d3788
< /usr/bin/pmcd --      system_u:object_r:pcp_pmcd_exec_t:s0
< /usr/bin/pmie --      system_u:object_r:pcp_pmie_exec_t:s0
4234d4225
< /run/pmcd\.socket     --      system_u:object_r:pcp_var_run_t:s0
4327d4317
< /usr/bin/pmproxy      --      system_u:object_r:pcp_pmproxy_exec_t:s0
4520d4509
< /usr/bin/pmlogger     --      system_u:object_r:pcp_pmlogger_exec_t:s0
5045,5046d5033
< /etc/rc\.d/init\.d/pmcd       --      system_u:object_r:pcp_pmcd_initrc_exec_t:s0
< /etc/rc\.d/init\.d/pmie       --      system_u:object_r:pcp_pmie_initrc_exec_t:s0
5414d5400
< /usr/share/pcp/lib/pmie       --      system_u:object_r:pcp_pmie_exec_t:s0
5451d5436
< /etc/rc\.d/init\.d/pmproxy    --      system_u:object_r:pcp_pmproxy_initrc_exec_t:s0
5557d5541
< /etc/rc\.d/init\.d/pmlogger   --      system_u:object_r:pcp_pmlogger_initrc_exec_t:s0
5623,5626d5606
< /usr/libexec/pcp/bin/pmcd     --      system_u:object_r:pcp_pmcd_exec_t:s0
< /usr/libexec/pcp/bin/pmie     --      system_u:object_r:pcp_pmie_exec_t:s0
< /usr/libexec/pcp/lib/pmcd     --      system_u:object_r:pcp_pmcd_initrc_exec_t:s0
< /usr/libexec/pcp/lib/pmie     --      system_u:object_r:pcp_pmie_initrc_exec_t:s0
5844d5823
< /usr/share/pcp/lib/pmlogger   --      system_u:object_r:pcp_pmlogger_exec_t:s0
5906,5907d5884
< /usr/libexec/pcp/bin/pmproxy  --      system_u:object_r:pcp_pmproxy_exec_t:s0
< /usr/libexec/pcp/lib/pmproxy  --      system_u:object_r:pcp_pmproxy_initrc_exec_t:s0
5931d5907
< /run/pmlogger\.primary\.socket        -l      system_u:object_r:pcp_var_run_t:s0
5980,5981d5955
< /usr/libexec/pcp/bin/pmlogger --      system_u:object_r:pcp_pmlogger_exec_t:s0
< /usr/libexec/pcp/lib/pmlogger --      system_u:object_r:pcp_pmlogger_initrc_exec_t:s0

Basically, there are a bunch of policies present in my local /etc that aren't present in the booted image's default SELinux policy (nor are they present in the policy for the image I'm trying to update to). I have never touched this file -- neither manually nor in the build process for my custom image. Nor does a cursory glance at my immediate upstream suggest they have made any changes to this file either. So, all of these lines are presumably orphaned by upstream Fedora changes. As a result, my SELinux policy has slowly been drifting away from upstream through no fault or action of my own.

My best read of this situation is that, during the merge, OSTree is not removing the older policy lines, so they end up looking like "user changes" in subsequent merges. Perhaps there's some more comparison between the current /etc and /usr/etc of the booted deployment that could be done to ensure that policy lines that aren't modified by the user get deleted if they are deleted upstream?
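A drift check for the comparison described above, as an added example that is not part of the original issue or of OSTree's own code: it parses file_contexts lines, lists specs present in the effective /etc policy but absent from the image default under /usr/etc, and flags duplicate specifications of the kind setfiles rejects in the log. The sample lines are constructed, modelled on the entries quoted in the issue, and the contexts on the incus lines are placeholders.

```python
import re
from collections import Counter

# A file_contexts line is: <path regex> [<file-type flag>] <security context>, e.g.
#   /usr/bin/pmcd  --  system_u:object_r:pcp_pmcd_exec_t:s0
# The flag (--, -d, -l, -b, -c, -p, -s) is optional.
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?(?P<ctx>\S+)\s*$")


def parse_file_contexts(text):
    """Return (path_regex, ftype, context) tuples, skipping blank and comment lines."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable file_contexts line: {line!r}")
        specs.append((m["path"], m["ftype"] or "", m["ctx"]))
    return specs


def orphaned_specs(effective, image_default):
    """Specs in the effective (/etc) policy that the image default (/usr/etc) no longer has."""
    default = set(parse_file_contexts(image_default))
    return [s for s in parse_file_contexts(effective) if s not in default]


def duplicate_specs(text):
    """(path, ftype) keys listed more than once: setfiles reports these as
    'Multiple same specifications' and the policy build fails."""
    counts = Counter((p, f) for p, f, _ in parse_file_contexts(text))
    return sorted(k for k, n in counts.items() if n > 1)


# Constructed samples: image default, an /etc copy carrying two orphaned pcp
# entries, and a 'final' policy in which a module's specs ended up twice.
IMAGE_DEFAULT = """\
/usr/bin/pmcd           --  system_u:object_r:pcp_pmcd_exec_t:s0
/run/pcp(/.*)?              system_u:object_r:pcp_var_run_t:s0
"""
EFFECTIVE_ETC = IMAGE_DEFAULT + """\
/usr/bin/pmie           --  system_u:object_r:pcp_pmie_exec_t:s0
/var/lib/pcp(/.*)?          system_u:object_r:pcp_var_lib_t:s0
"""
MERGED_FINAL = """\
/usr/s?bin/incus        --  system_u:object_r:placeholder_exec_t:s0
/usr/s?bin/incus        --  system_u:object_r:placeholder_exec_t:s0
/usr/bin/pmcd           --  system_u:object_r:pcp_pmcd_exec_t:s0
"""
```

On a real system the two inputs would be read from /etc/selinux/targeted/contexts/files/file_contexts and /usr/etc/selinux/targeted/contexts/files/file_contexts.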
