diff --git a/Makefile-rpm-ostree.am b/Makefile-rpm-ostree.am
index bbeee118..c3c8db21 100644
--- a/Makefile-rpm-ostree.am
+++ b/Makefile-rpm-ostree.am
@@ -15,7 +15,7 @@
 # Free Software Foundation, Inc., 59 Temple Place - Suite 330,
 # Boston, MA 02111-1307, USA.
 
-privlib_SCRIPTS =
+privlib_SCRIPTS = src/rpmqa-sorted-and-clean
 
 bin_PROGRAMS += rpm-ostree
 
diff --git a/src/rpmostree-compose-builtin-tree.c b/src/rpmostree-compose-builtin-tree.c
index 325ebf97..79a7f9be 100644
--- a/src/rpmostree-compose-builtin-tree.c
+++ b/src/rpmostree-compose-builtin-tree.c
@@ -780,12 +780,16 @@ compute_checksum_for_compose (JsonObject   *treefile_rootval,
     json_node_free (treefile_rootnode);
   }
 
+  /* Query the generated rpmdb, to see if anything has changed. */
   {
     int estatus;
-    /* Ugly but it works... */
-    gs_free char *rpmqa_shell = g_strdup_printf ("rpm --dbpath=%s/var/lib/rpm -qa | sort -u",
-                                                 gs_file_get_path_cached (yumroot));
-    const char *rpmqa_argv[] = { "/bin/sh", "-c", rpmqa_shell, NULL };
+    gs_free char *yumroot_var_lib_rpm =
+      g_build_filename (gs_file_get_path_cached (yumroot),
+                        "var/lib/rpm",
+                        NULL);
+    const char *rpmqa_argv[] = { PKGLIBDIR "/rpmqa-sorted-and-clean",
+                                 yumroot_var_lib_rpm,
+                                 NULL };
     gs_free char *rpmqa_result = NULL;
 
     if (!g_spawn_sync (NULL, (char**)rpmqa_argv, NULL,
@@ -793,12 +797,16 @@ compute_checksum_for_compose (JsonObject   *treefile_rootval,
                        &rpmqa_result, NULL, &estatus, error))
       goto out;
     if (!g_spawn_check_exit_status (estatus, error))
-      goto out;
+      {
+        g_prefix_error (error, "Executing %s: ",
+                        rpmqa_argv[0]);
+        goto out;
+      }
 
     if (!*rpmqa_result)
       {
         g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
-                     "Empty result from %s", rpmqa_shell);
+                     "Empty result from %s", rpmqa_argv[0]);
         goto out;
       }
     
diff --git a/src/rpmqa-sorted-and-clean b/src/rpmqa-sorted-and-clean
new file mode 100755
index 00000000..683601b6
--- /dev/null
+++ b/src/rpmqa-sorted-and-clean
@@ -0,0 +1,34 @@
+#!/bin/bash
+#
+# An ugly shell script to get the sorted output of "rpm -qa", and also
+# ensure that leftover __db files are deleted afterwards.  This helps
+# avoid things like SELinux policy denials from processes that try to
+# write to the lock file if it exists (as they'd try to write to
+# usr_t).
+#
+# Copyright (C) 2014 Colin Walters <walters@verbum.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation; either version 2 of the licence or (at
+# your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General
+# Public License along with this library; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+# Boston, MA 02111-1307, USA.
+
+set -e
+dbpath=$1
+test -n "$dbpath" || (echo 1>&2 "usage: $0 DBPATH"; exit 1)
+shift
+set -o pipefail
+rpm --dbpath=${dbpath} -qa | sort
+set +o pipefail
+rm -f ${dbpath}/__db.* ${dbpath}/{.dbenv,.rpm}.lock
+