A broken rpm-plugin-selinux package on Oracle Linux 8 will cause SELinux based package updates to fail. This package was on the Oracle Linux 8 repositories for a short period of time before being fixed. If this broken package was installed during this time frame any future updates of packages that include SELinux policies will fail during unpacking. This issue is most likely to have occurred on systems with automatic updates enabled. If the Pritunl package is updated in this state the old files will be removed from the system and the new files will fail to unpack. The Pritunl server will continue to run but will show the error OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /usr/lib/pritunl/lib/python3.6/site-packages/certifi/cacert.pem when attempting to load this file that will be removed. The issue must be fixed manually by running the commands below to fix this package, once fixed updates can be completed and the software will resume working. This issue is fully documented on the Oracle Support Knowledge Doc ID 3002168.1.
Commands to fix issue if SSH is accessible
sudo rpm -e --nodeps rpm-plugin-selinux
sudo dnf -y install rpm-plugin-selinux
sudo dnf -y update
Cloud Init commands to fix after SSH is inaccessible
If automatic updates are enabled the openssh-server package will get updated and fail to unpack. This will cause the error Connection closed by remote host and Connection reset by. Once this occurs a startup script must be run to fix the package. Below is a Cloud Init script to fix the issue.
To fix this on AWS after the SSH server is inaccessible stop the instance. Then click Instance settings → Edit user data and add the script below.
while ! ping -c1 google.com &>/dev/null; do echo "Waiting for network..."; sleep 1; done
rpm -e --nodeps rpm-plugin-selinux
dnf -y install rpm-plugin-selinux
dnf -y update