diff --git a/0001-libpriv-postprocess-work-around-semanage-bug.patch b/0001-libpriv-postprocess-work-around-semanage-bug.patch
new file mode 100644
index 0000000..d48f7f4
--- /dev/null
+++ b/0001-libpriv-postprocess-work-around-semanage-bug.patch
@@ -0,0 +1,71 @@
+From 479050e7540dc90de9ec6f49960b98e095537224 Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon
+Date: Wed, 2 Nov 2022 12:19:09 -0400
+Subject: [PATCH] libpriv/postprocess: work around semanage bug
+
+There is a bug in the latest semanage code which causes an invocation of
+`semodule --rebuild-if-modules-changed` to still write a policy even
+though nothing changed since a full policy build. On FCOS and RHCOS,
+this bug is triggered as early as `ostree admin deploy` in cosa when
+creating the disk images. This results in shipping images with a policy
+diff baked in.
+
+Hack around this by immediately rerunning
+`semodule --rebuild-if-modules-changed` after building the policy.
+
+Fixes: https://github.com/openshift/os/issues/1036
+---
+ src/libpriv/rpmostree-postprocess.cxx | 20 +++++++++++++++-----
+ tests/kolainst/nondestructive/misc.sh | 5 +++++
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/libpriv/rpmostree-postprocess.cxx b/src/libpriv/rpmostree-postprocess.cxx
+index fc5c3cb0..bfadaa73 100644
+--- a/src/libpriv/rpmostree-postprocess.cxx
++++ b/src/libpriv/rpmostree-postprocess.cxx
+@@ -387,11 +387,21 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un
+ {
+ g_print ("Recompiling policy\n");
+
+- /* Now regenerate SELinux policy so that postprocess scripts from users and from us
+- * (e.g. the /etc/default/useradd incision) that affect it are baked in. */
+- rust::Vec child_argv = { rust::String ("semodule"), rust::String ("-nB") };
+- ROSCXX_TRY (bubblewrap_run_sync (rootfs_dfd, child_argv, false, (bool)unified_core_mode),
+- error);
++ {
++ /* Now regenerate SELinux policy so that postprocess scripts from users and from us
++ * (e.g. the /etc/default/useradd incision) that affect it are baked in. */
++ rust::Vec child_argv = { rust::String ("semodule"), rust::String ("-nB") };
++ ROSCXX_TRY (bubblewrap_run_sync (rootfs_dfd, child_argv, false, (bool)unified_core_mode),
++ error);
++ }
++
++ /* Temporary workaround for https://github.com/openshift/os/issues/1036. */
++ {
++ rust::Vec child_argv = { rust::String ("semodule"), rust::String ("-n"),
++ rust::String ("--rebuild-if-modules-changed") };
++ ROSCXX_TRY (bubblewrap_run_sync (rootfs_dfd, child_argv, false, (bool)unified_core_mode),
++ error);
++ }
+ }
+
+ auto container = treefile.get_container ();
+diff --git a/tests/kolainst/nondestructive/misc.sh b/tests/kolainst/nondestructive/misc.sh
+index f98a13f0..e43dc87d 100755
+--- a/tests/kolainst/nondestructive/misc.sh
++++ b/tests/kolainst/nondestructive/misc.sh
+@@ -7,6 +7,11 @@ cd $(mktemp -d)
+ libtest_prepare_offline
+ libtest_enable_repover 0
+
++# Sanity-check the policy isn't marked as modified
++if ostree admin config-diff | grep 'selinux/targeted/policy'; then
++ assert_not_reached "selinux policy is marked as modified"
++fi
++
+ # Ensure multicall is correctly set up and working.
+ R_O_DIGEST=$(sha512sum $(which rpm-ostree) | cut -d' ' -f1)
+ O_C_DIGEST=$(sha512sum $(which /usr/libexec/libostree/ext/ostree-container) | cut -d' ' -f1)
+--
+2.38.1
+
diff --git a/rpm-ostree.spec b/rpm-ostree.spec
index aca54b8..1203c38 100644
--- a/rpm-ostree.spec
+++ b/rpm-ostree.spec
@@ -4,7 +4,7 @@ Summary: Hybrid image/package system
 Name: rpm-ostree
 Version: 2022.15
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPLv2+
 URL: https://github.com/coreos/rpm-ostree
 # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
@@ -12,6 +12,7 @@ URL: https://github.com/coreos/rpm-ostree
 Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-ostree-%{version}.tar.xz
 Patch0: 0001-util-Fix-fpermissive-warning.patch
+Patch1: 0001-libpriv-postprocess-work-around-semanage-bug.patch
 ExclusiveArch: %{rust_arches}
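Review bot: The new comment `/* Temporary workaround for https://github.com/openshift/os/issues/1036. */` in front of the second block records only the issue link, so a reader of postprocess_final cannot tell why `semodule -n --rebuild-if-modules-changed` is run immediately after `semodule -nB`, nor what condition would allow the block to be deleted; that reasoning exists only in the nested patch's commit message. I would widen it to something like `/* Temporary workaround for https://github.com/openshift/os/issues/1036: current semanage still rewrites the policy on the next --rebuild-if-modules-changed even though nothing changed since the full build above, which later shows up as a modified selinux/targeted/policy in ostree admin config-diff. Running it once here (with -n, as above) leaves the rootfs consistent; drop once a fixed semanage is in the base. */`. The two scoped blocks now repeat the `bubblewrap_run_sync (rootfs_dfd, child_argv, false, (bool)unified_core_mode)` call verbatim; a small local helper taking the argv would keep the two invocations in step, but that is optional. The added misc.sh check is the regression guard for this, and keeping `grep` without `-q` is reasonable since the matching config-diff line then appears in the test log. postprocess_final starts and ends outside the hunk, so the ROSCXX_TRY error path and the source of unified_core_mode cannot be checked here.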
@@ -236,6 +237,10 @@ $PYTHON autofiles.py > files.devel \
 %files devel -f files.devel
 %changelog
+* Wed Nov 02 2022 Jonathan Lebon - 2022.15-3
+- Backport semanage bug workaround
+ https://github.com/coreos/rpm-ostree/pull/4122
+
 * Tue Nov 01 2022 Colin Walters - 2022.15-2
 - https://github.com/coreos/rpm-ostree/releases/tag/v2022.15