Cannot Complete rpm-ostree upgrade: "failed to finalize previous deployment"

Hi, I’ve recently tried to upgrade my Fedora 42 Silverblue desktop system several times over the past few days and I have failed to complete the upgrade. After successfully running rpm-ostree upgrade then rebooting the machine, it reverts to the previous deployment and rpm-ostree status has the following warning at the top:

State: idle
Warning: failed to finalize previous deployment
         error: Finalizing deployment: Finalizing SELinux policy: Child process exited with code 1
         check `journalctl -b -1 -u ostree-finalize-staged.service`

When I check the system log with journalctl, I get the following error message:

Finished ostree-finalize-staged.service - OSTree Finalize Staged Deployment.
Stopping ostree-finalize-staged.service - OSTree Finalize Staged Deployment...
Finalizing staged deployment
Copying /etc changes: 60 modified, 2 removed, 158 added
Copying /etc changes: 60 modified, 2 removed, 158 added
Refreshing SELinux policy
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/100/ssh/cil:291
Failed to resolve AST
semodule:  Failed!
Refreshed SELinux policy in 2237 ms
error: Finalizing deployment: Finalizing SELinux policy: Child process exited with code 1
ostree-finalize-staged.service: Control process exited, code=exited, status=1/FAILURE
ostree-finalize-staged.service: Failed with result 'exit-code'.
Stopped ostree-finalize-staged.service - OSTree Finalize Staged Deployment.

I am trying to upgrade from Silverblue version 42.20251006.0 (2025-10-06T00:30:10Z) to whatever is the latest. I have also tried to upgrade to Fedora 43 beta by running rpm-ostree rebase fedora:fedora/43/x86_64/silverblue. Both the upgrade and rebase attempts succeed at the first stage, then roll back to my current version of Fedora 42 after rebooting.

Anyway, does anyone know what causes this or how to determine the root cause so I can try to fix it? If not, is there any additional information I can provide to figure it out?

Thanks.

I got a little bit more clarity into the cause of this for me. I was able to run rpm-ostree deploy with versions from 42.20251007.0 through 42.20251009.0 and complete the upgrade by rebooting, so now my system is based on 42.20251009.0. If I run rpm-ostree deploy 42.20251010.0 and reboot, I have the same problem as before.
Between 1009.0 and 1010.0, there are only upgrades to pipewire and selinux-policy/selinux-policy-targeted (42.9-1.fc42 to 42.12-1.fc42) so it’s probably the selinux upgrade preventing the upgrade but I still don’t know what I can do about it.

Do you have any additional packages installed/layered? Please provide the output of rpm-ostree status -v

Ok, here is the output:

rpm-ostree status -v
State: idle
Warning: failed to finalize previous deployment
         error: Finalizing deployment: Finalizing SELinux policy: Child process exited with code 1
         check `journalctl -b -1 -u ostree-finalize-staged.service`
AutomaticUpdates: disabled
Deployments:
● fedora:fedora/42/x86_64/silverblue (index: 0)
                  Version: 42.20251009.0 (2025-10-09T00:27:14Z)
               BaseCommit: fc60f4cd679a933f6b4f55b3cf7a6f6f623ae5e065ea4d36e7d7518230ad905f
                           ├─ repo-0 (2025-04-09T11:06:59Z)
                           ├─ repo-1 (2025-10-09T00:15:45Z)
                           └─ repo-2 (2025-10-09T00:17:29Z)
                   Commit: e3ca98371ae042556833ea038c00dffe8b28a95500c391fb70509b846bbfe473
                           ├─ fedora (2025-04-09T11:06:59Z)
                           ├─ fedora-cisco-openh264 (2025-03-19T16:53:39Z)
                           ├─ rpmfusion-free (2025-04-12T09:12:27Z)
                           ├─ rpmfusion-free-updates (2025-10-17T06:40:32Z)
                           ├─ rpmfusion-nonfree (2025-04-12T09:32:45Z)
                           ├─ rpmfusion-nonfree-updates (2025-10-17T07:04:09Z)
                           ├─ updates (2025-10-24T02:36:20Z)
                           └─ updates-archive (2025-10-24T03:35:23Z)
                   Staged: no
                StateRoot: fedora
             GPGSignature: 1 signature
                           Signature made Thu 09 Oct 2025 02:28:31 AM CEST using RSA key ID C8AC4916105EF944
                           Good signature from "Fedora <fedora-42-primary@fedoraproject.org>"
      RemovedBasePackages: noopenh264 2.5.0-2.fc42
          LayeredPackages: adb-enhanced adw-gtk3-theme adwaita-gtk2-theme android-tools
                           ansifilter bat bcc bcc-tools bpftrace bridge-utils bsdcpio
                           bsdtar btop busybox cascadia-code-pl-fonts cascadia-fonts-all
                           cascadia-mono-pl-fonts chafa chromium cmake
                           containernetworking-cni daniel-wikholm-segment16a-fonts
                           daniel-wikholm-segment16b-fonts daniel-wikholm-segment16c-fonts
                           dejavu-fonts-all doas drm-utils dua-cli epiphany fd-find
                           flamegraph flamegraph-stackcollapse
                           flamegraph-stackcollapse-perf flatpak-builder fontforge foot
                           gamescope gdb gdouros-aegean-fonts gdouros-aegyptus-fonts
                           gdouros-akkadian-fonts gdouros-alexander-fonts
                           gdouros-anaktoria-fonts gdouros-analecta-fonts
                           gdouros-aroania-fonts gdouros-asea-fonts gdouros-avdira-fonts
                           gdouros-musica-fonts gfs-bodoni-fonts git git-delta git-lfs gitk
                           gitui gnome-tweaks gnuplot-wx gpac grimmer-proggy-squaresz-fonts
                           grimmer-proggy-tinysz-fonts gstreamer-plugins-espeak
                           gstreamer1-plugin-fmp4 gstreamer1-plugin-gtk4
                           gstreamer1-plugin-openh264 gstreamer1-plugins-bad-free-extras
                           gstreamer1-plugins-base-tools gstreamer1-plugins-good-extras
                           gstreamer1-rtsp-server gstreamer1-rtsp-server-devel
                           gstreamer1-vaapi gucharmap helix htop ibm-plex-fonts-all indent
                           info intel-gpu-tools intel-media-driver java-latest-openjdk
                           ldns-utils libdwarf-tools libguestfs-tools libnice-gstreamer1
                           librsvg2-tools libva-utils libvirt-client
                           libvirt-daemon-config-network libvirt-daemon-kvm meson moreutils
                           neovim net-tools nodejs nss-tools oldstandard-sfd-fonts openh264
                           pass pavucontrol pavumeter perf pipewire-v4l2 plotutils
                           podman-compose poke progress ptpython3 pv python3-neovim.noarch
                           qemu-system-aarch64 qemu-user-binfmt ripgrep
                           rsms-inter-fonts.noarch rsms-inter-vf-fonts seahorse
                           seahorse-nautilus silkscreen-expanded-fonts socat sqlite strace
                           sysprof sysprof-cli tailscale tcpdump tcpflow terminus-fonts
                           texlive-atkinson texlive-lm texlive-tex-gyre thunderbird tig tio
                           tmux tree-sitter-cli unifont unifont-fonts uv v4l-utils valgrind
                           virt-manager virt-viewer visidata wine-fonts wireguard-tools xxd
                           zenity zsh zsh-autosuggestions zsh-syntax-highlighting
            LocalPackages: rpmfusion-free-release-42-1.noarch
                           rpmfusion-nonfree-release-42-1.noarch
             InitramfsEtc: /etc/crypttab

Interestingly, I also ran rpm-ostree reset to bring my system back to the base image, then restarted, then tried to upgrade to the latest and I got the same result with the finalization failing.

I wasn’t able to reproduce this on a fresh Silverblue VM:

miabbott@fedora:~$ rpm-ostree status -v
State: idle
AutomaticUpdates: disabled
Deployments:
● fedora:fedora/42/x86_64/silverblue (index: 0)
                  Version: 42.20251010.0 (2025-10-10T00:28:11Z)
                   Commit: 014eef15c75d81f58e74485ffdefd501a853bcd283c38a8b4365f9f6ecd230fb
                           ├─ repo-0 (2025-04-09T11:06:59Z)
                           ├─ repo-1 (2025-10-10T00:16:11Z)
                           └─ repo-2 (2025-10-10T00:17:51Z)
                   Staged: no
                StateRoot: fedora
             GPGSignature: 1 signature
                           Signature made Thu 09 Oct 2025 08:29:29 PM EDT using RSA key ID C8AC4916105EF944
                           Good signature from "Fedora <fedora-42-primary@fedoraproject.org>"

  fedora:fedora/42/x86_64/silverblue (index: 1)
                  Version: 42.20251009.0 (2025-10-09T00:27:14Z)
                   Commit: fc60f4cd679a933f6b4f55b3cf7a6f6f623ae5e065ea4d36e7d7518230ad905f
                           ├─ repo-0 (2025-04-09T11:06:59Z)
                           ├─ repo-1 (2025-10-09T00:15:45Z)
                           └─ repo-2 (2025-10-09T00:17:29Z)
                StateRoot: fedora
             GPGSignature: 1 signature
                           Signature made Wed 08 Oct 2025 08:28:31 PM EDT using RSA key ID C8AC4916105EF944
                           Good signature from "Fedora <fedora-42-primary@fedoraproject.org>"

Your error message shows:

Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/100/ssh/cil:291

Based on a Red Hat KB article (for RHEL 8, so YMMV) - "Failed to resolve typeattributeset statement" error message when updating SELinux policy packages - Red Hat Customer Portal

…it seems that the root cause is “newer SELinux base policy stops shipping some types, causing incompatibility with older external policies”

Looking at the active SELinux policy (from selinux-policy-targeted-42.12-1.fc42.noarch):

$ sudo bunzip2 -c /etc/selinux/targeted/active/modules/100/ssh/cil | head -291 | tail -1
(typeattributeset cil_gen_require sshd_session_t)

An error on line 291 seems to indicate that the sshd_session_t type is the one that would be missing according to your error.

Unfortunately, I’m not sure how to work around this, especially as you said you already tried rpm-ostree reset to get back to the base image.

You can try looking at ostree admin config-diff to see if there are files in /etc that are modified (marked with an M) that would affect SELinux policy.

I’m getting out of my depth re: SELinux, so not sure if I can be of more help.

Ok, thanks for the advice. It actually led me to the solution. I did have a few modifications to /etc/selinux but I had no idea why since I have no interest in selinux and would never change it intentionally. Anyway, I just did a kind of factory reset on the /etc/selinux directory by running rsync -av /usr/etc/selinux/ /etc/selinux/ and cleaning up a few leftover files that looked like they didn’t belong.

Awesome! Glad you figured it out!
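
The diagnosis steps from this thread collected into shell helpers, as an added example that is not part of any post above: they locate the CIL statement named in the journal error, list local drift under /etc/selinux from `ostree admin config-diff`, and preview the rsync reset before it is run for real. The function names are hypothetical, the sample config-diff lines (including the module name `localmod`) are constructed, and the preview assumes rsync's `-n` (dry run) and `--delete` options.

```shell
#!/bin/sh
# Added example (not from the thread). Sample inputs below are constructed.

# Journal lines as quoted in the thread.
SAMPLE_JOURNAL='Refreshing SELinux policy
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/100/ssh/cil:291
Failed to resolve AST
semodule:  Failed!'

# Constructed `ostree admin config-diff` output: status letter, then a path
# relative to /etc. The module name "localmod" is a made-up placeholder.
SAMPLE_DIFF='M    fstab
M    selinux/targeted/active/commit_num
A    selinux/targeted/active/modules/400/localmod/cil
A    hostname
D    selinux/targeted/contexts/files/file_contexts.local'

# stdin: journal text. stdout: "<store> <priority> <module> <line> <statement>"
# for every CIL statement that semodule could not resolve.
parse_cil_errors() {
  sed -n -E 's#^.*Failed to resolve ([a-z]+) statement at /etc/selinux/([^/]+)/tmp/modules/([0-9]+)/([^/]+)/cil:([0-9]+).*$#\2 \3 \4 \5 \1#p'
}

# Args: store priority module line. Prints that line of the module in the
# active store (bzip2-compressed, as in the thread). Needs root on the host.
show_cil_statement() {
  f="/etc/selinux/$1/active/modules/$2/$3/cil"
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  bunzip2 -c "$f" | sed -n "${4}p"
}

# stdin: `ostree admin config-diff` output. stdout: only entries under
# /etc/selinux, i.e. local state that differs from the image defaults.
selinux_drift() {
  grep -E '^[MAD] +(/etc/)?selinux/' || true
}

# Dry run (-n) of the reset used in the thread; --delete additionally lists
# files that exist only in /etc/selinux. Nothing is written.
preview_selinux_reset() {
  rsync -avn --delete /usr/etc/selinux/ /etc/selinux/
}

printf '%s\n' "$SAMPLE_JOURNAL" | parse_cil_errors
printf '%s\n' "$SAMPLE_DIFF" | selinux_drift
```

On the affected host, feed the real inputs instead of the samples: `journalctl -b -1 -u ostree-finalize-staged.service | parse_cil_errors` and `ostree admin config-diff | selinux_drift`.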