diff --git a/0001-Fix-bwrap-usage-for-mutate-os-release.patch b/0001-Fix-bwrap-usage-for-mutate-os-release.patch
new file mode 100644
index 0000000..8e12a33
--- /dev/null
+++ b/0001-Fix-bwrap-usage-for-mutate-os-release.patch
@@ -0,0 +1,99 @@
+From e2bcf01ac131725572091a042eb1ab8ce83b64f0 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Wed, 28 Apr 2021 13:27:36 -0400
+Subject: [PATCH] Fix bwrap usage for mutate-os-release
+
+Followup to https://pagure.io/fedora-infrastructure/issue/9909
+
+In the refactor we were passing `unified_core: true` unconditionally which was wrong,
+as that implies using fuse.  Anyways what we really want here is an immutable bwrap
+and not `rofiles-fuse` annyways.  So refactor things to use that.
+
+From https://kojipkgs.fedoraproject.org//work/tasks/7579/66867579/runroot.log
+```
+fuse: device not found, try 'modprobe fuse' first
+fuse: device not found, try 'modprobe fuse' first
+bwrap: execvp realpath: No such file or directory
+fusermount: failed to unmount /tmp/rpmostree-rofiles-fuseAAphRY: Invalid argument
+fusermount: failed to unmount /tmp/rpmostree-rofiles-fuseSCLs24: Invalid argument
+error: Updating os-release with commit version: Running realpath: bwrap(realpath): Child process killed by signal 1
+```
+---
+ rust/src/bwrap.rs       |  5 ++++-
+ rust/src/composepost.rs | 19 +++++++++++++------
+ rust/src/lib.rs         |  2 +-
+ 3 files changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/rust/src/bwrap.rs b/rust/src/bwrap.rs
+index 282b4f1b..35b54f36 100644
+--- a/rust/src/bwrap.rs
++++ b/rust/src/bwrap.rs
+@@ -383,7 +383,10 @@ impl Bubblewrap {
+     }
+ 
+     /// Execute the container, capturing stdout.
+-    fn run_captured(&mut self, cancellable: Option<&gio::Cancellable>) -> Result<glib::Bytes> {
++    pub(crate) fn run_captured(
++        &mut self,
++        cancellable: Option<&gio::Cancellable>,
++    ) -> Result<glib::Bytes> {
+         self.launcher.set_flags(gio::SubprocessFlags::STDOUT_PIPE);
+         let (child, argv0) = self.spawn()?;
+         let (stdout, stderr) = child.communicate(None, cancellable)?;
+diff --git a/rust/src/composepost.rs b/rust/src/composepost.rs
+index 437fd4f2..50c7dc08 100644
+--- a/rust/src/composepost.rs
++++ b/rust/src/composepost.rs
+@@ -411,11 +411,11 @@ pub fn compose_postprocess(
+         compose_postprocess_default_target(&rootfs_dfd, t)?;
+     }
+ 
+-    compose_postprocess_mutate_os_release(rootfs_dfd, treefile, next_version)?;
+     treefile.write_compose_json(rootfs_dfd)?;
+ 
+     let etc_guard = crate::core::prepare_tempetc_guard(rootfs_dfd.as_raw_fd())?;
+     // These ones depend on the /etc path
++    compose_postprocess_mutate_os_release(rootfs_dfd, treefile, next_version)?;
+     compose_postprocess_remove_files(rootfs_dfd, treefile)?;
+     compose_postprocess_add_files(rootfs_dfd, treefile)?;
+     etc_guard.undo()?;
+@@ -444,11 +444,18 @@ fn compose_postprocess_mutate_os_release(
+     // find the real path to os-release using bwrap; this is an overkill but safer way
+     // of resolving a symlink relative to a rootfs (see discussions in
+     // https://github.com/projectatomic/rpm-ostree/pull/410/)
+-    let argv = &vec!["realpath".to_string(), "/etc/os-release".to_string()];
+-    let path = crate::bwrap::bubblewrap_run_sync(rootfs_dfd.as_raw_fd(), argv, true, true)
+-        .context("Running realpath")?;
+-    let path = String::from_utf8(path).context("Parsing realpath")?;
+-    let path = path.trim_start_matches("/").trim_end();
++    let mut bwrap = crate::bwrap::Bubblewrap::new_with_mutability(
++        rootfs_dfd,
++        crate::ffi::BubblewrapMutability::Immutable,
++    )?;
++    bwrap.append_child_argv(&["realpath", "/etc/os-release"]);
++    let cancellable = &gio::Cancellable::new();
++    let cancellable = Some(cancellable);
++    let path = bwrap.run_captured(cancellable)?;
++    let path = std::str::from_utf8(&path)
++        .context("Parsing realpath")?
++        .trim_start_matches("/")
++        .trim_end();
+     let path = if path.is_empty() {
+         // fallback on just overwriting etc/os-release
+         "etc/os-release"
+diff --git a/rust/src/lib.rs b/rust/src/lib.rs
+index 4c562d06..614bb948 100644
+--- a/rust/src/lib.rs
++++ b/rust/src/lib.rs
+@@ -64,7 +64,7 @@ pub mod ffi {
+     }
+ 
+     #[derive(Debug)]
+-    enum BubblewrapMutability {
++    pub(crate) enum BubblewrapMutability {
+         Immutable,
+         RoFiles,
+         MutateFreely,
+-- 
+2.30.2
+
diff --git a/rpm-ostree.spec b/rpm-ostree.spec
index 0c012c3..f9d501c 100644
--- a/rpm-ostree.spec
+++ b/rpm-ostree.spec
@@ -4,13 +4,14 @@
 Summary: Hybrid image/package system
 Name: rpm-ostree
 Version: 2021.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPLv2+
 URL: https://github.com/coreos/rpm-ostree
 # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
 # in the upstream git.  It also contains vendored Rust sources.
 Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-ostree-%{version}.tar.xz
 Patch0: 0001-bwrap-Fix-selftest-to-be-truly-immutable.patch
+Patch1: 0001-Fix-bwrap-usage-for-mutate-os-release.patch
 
 ExclusiveArch: %{rust_arches}
 
@@ -211,6 +212,9 @@ $PYTHON autofiles.py > files.devel \
 
 %files devel -f files.devel
 %changelog
+* Wed Apr 28 2021 Colin Walters <walters@verbum.org> - 2021.4-3
+- Backport another patch for https://pagure.io/fedora-infrastructure/issue/9909
+
 * Tue Apr 27 2021 Colin Walters <walters@verbum.org> - 2021.4-2
 - Backport patch for https://pagure.io/fedora-infrastructure/issue/9909