From c732e5b1b455d11c0c62ac6ec0cb36391b58cdab Mon Sep 17 00:00:00 2001
From: Cockpituous
Date: Wed, 29 Apr 2026 23:58:34 +0000
Subject: [PATCH 1/2] images: Update centos-9-stream image
Closes #8975
---
images/centos-9-stream | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/images/centos-9-stream b/images/centos-9-stream
index 1c9c94712f..0f917045a3 120000
--- a/images/centos-9-stream
+++ b/images/centos-9-stream
@@ -1 +1 @@
-centos-9-stream-845aef8d8eaa333e58da7d080e21d63a1c013618426c928d10ede5098389fa38.qcow2
\ No newline at end of file
+centos-9-stream-5916936800cbda02a0efd9dad439e4d4485cd19b2d69ef0c945645c6fc652ad0.qcow2
\ No newline at end of file
From cc3ea2d220c101875ec2b444f31dfafa64d35f94 Mon Sep 17 00:00:00 2001
From: Allison Karlitskaya
Date: Wed, 6 May 2026 10:46:15 +0200
Subject: [PATCH 2/2] rhel.setup: workaround selinux-policy version mismatch
We get an error sometimes when updating our centos-9-stream image: it gets a newer version of selinux-policy than our centos-9-bootc image, which is a problem because we can't have a newer version for building than we'll end up running with and centos-9-stream builds for the centos-9-bootc image. On Fedora we deal with this by pinning back to the version of selinux-policy from the original release repository (ie: not -updates). We can't do that on CentOS, but we can similarly arbitrarily pick an "old enough" version and just hardcode that.
---
images/scripts/rhel.setup | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/images/scripts/rhel.setup b/images/scripts/rhel.setup
index c254d0e0ba..621603ecca 100755
--- a/images/scripts/rhel.setup
+++ b/images/scripts/rhel.setup
@@ -421,9 +421,22 @@ EOF
 version=$(cut -d '-' -f 2 <<< "$IMAGE")
 su builder -c "/usr/bin/mock --verbose --no-bootstrap-image -i $(/var/lib/testvm/build-deps.sh "$opsys $version")"
- # We need to make sure mock has the same selinux-policy as we do
+ # cockpit-ws-selinux has Requires: selinux-policy >= {build version}, so we need to
+ # ensure that mock's selinux-policy is old enough for any target image.
+ # For centos-9-stream: use an older version from koji so that packages built here
+ # can install on centos-9-bootc, which may lag behind centos-9-stream.
+ # https://github.com/cockpit-project/bots/pull/8975
 mkdir /tmp/selinux-policy-rpms
- dnf download --downloaddir /tmp/selinux-policy-rpms selinux-policy{,-devel,-targeted}
+ if [ "$IMAGE" = "centos-9-stream" ]; then
+ selinux_vr="38.1.76-1.el9"
+ koji_url="https://kojihub.stream.centos.org/kojifiles/packages/selinux-policy"
+ for p in selinux-policy selinux-policy-devel selinux-policy-targeted; do
+ curl -fsS -L -o "/tmp/selinux-policy-rpms/${p}-${selinux_vr}.noarch.rpm" \
+ "${koji_url}/${selinux_vr%-*}/${selinux_vr##*-}/noarch/${p}-${selinux_vr}.noarch.rpm"
+ done
+ else
+ dnf download --downloaddir /tmp/selinux-policy-rpms selinux-policy{,-devel,-targeted}
+ fi
 su builder -c "/usr/bin/mock --install /tmp/selinux-policy-rpms/*.rpm"
 fi
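Review bot: The new centos-9-stream branch fetches the three selinux-policy RPMs with `curl` directly from kojihub and hands them to `mock --install` with only TLS vouching for their content, whereas the `dnf download` path in the `else` branch goes through the configured repositories. Because `selinux_vr` is already hard-coded, pinning a digest per file costs little: define the three expected `<sha256>  <filename>` lines next to it (placeholder variable `selinux_sha256sums`) and run `(cd /tmp/selinux-policy-rpms && sha256sum -c <<< "$selinux_sha256sums")` after the `done`. Whether a failed `curl -f` aborts the script depends on shell options set outside this hunk; if it does not, `mock --install` would proceed on an incomplete set, so an explicit `|| exit 1` on the download is worth considering. The enclosing `if` block that the final `fi` closes opens above the hunk.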