diff --git a/rpm.macros b/rpm.macros
index f63f5fed..dcab0186 100644
--- a/rpm.macros
+++ b/rpm.macros
@@ -55,8 +55,10 @@ if [ -z "${_policytype}" ]; then \
   _policytype="targeted" \
 fi \
 if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+  %{_sbindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun \
   %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
   %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+  %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} \
 fi \
 %{nil}
 
@@ -71,8 +73,10 @@ if [ -z "${_policytype}" ]; then \
 fi \
 if [ $1 -eq 0 ]; then \
   if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+    %{_sbindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun \
     %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
     %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+    %{_libexecdir}/selinux/varrun-convert.sh ${_policytype} \
   fi \
 fi \
 %{nil}
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ce9ba89f..856fa68d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -407,6 +407,17 @@ if posix.stat(config_file) then \
     bf:close() \
 end
 
+# Remove the local_varrun SELinux module
+%define removeVarrunModule() \
+if [ -r "%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil" ]; then \
+  %{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
+fi;
+
+%define removeVarrunModuleLua() \
+if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil", "r") then \
+  os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \
+end
+
 %build
 
 %prep
@@ -580,6 +591,7 @@ SELinux targeted policy package.
 
 %pretrans targeted -p <lua>
 %backupConfigLua
+%removeVarrunModuleLua targeted
 
 %pre targeted
 %preInstall targeted
@@ -615,10 +627,34 @@ exit 0
 %{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
 exit 0
 
+%triggerprein -- container-selinux
+%removeVarrunModule targeted
+exit 0
+
+%triggerprein -- pcp-selinux
+%removeVarrunModule targeted
+exit 0
+
+%triggerpostin -- container-selinux
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+exit 0
+
+%triggerpostin -- pcp-selinux
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+exit 0
+
 %triggerpostun -- selinux-policy-targeted < 3.12.1-74
 rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
 exit 0
 
+%triggerpostun -- pcp-selinux
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+exit 0
+
+%triggerpostun -- container-selinux
+%{_libexecdir}/selinux/varrun-convert.sh targeted
+exit 0
+
 %triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
 CR=$'\n'
 INPUT=""