diff --git a/selinux-policy.spec b/selinux-policy.spec
index d5a613c..58bb538 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -342,6 +342,58 @@ mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \
 #install -m 644 -p %{SOURCE101} %{buildroot}/%{_unitdir}/ \
 #ln -s ../selinux-factory-reset@.service %{buildroot}/%{_unitdir}/basic.target.wants/selinux-factory-reset@%1.service
 
+# Make sure the config is consistent with what packages are installed in the system
+# this covers cases when system is installed with selinux-policy-{mls,minimal}
+# or selinux-policy-{targeted,mls,minimal} where switched but the machine has not
+# been rebooted yet.
+# The macro should be called at the beginning of "post" (to make sure load_policy does not fail)
+# and in "posttrans" (to make sure that the store is consistent when all package transitions are done)
+# Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable)
+# Steps:
+# * load values from config and its backup
+# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so
+# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used
+# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't
+%define checkConfigConsistency() \
+. %{_sysconfdir}/selinux/config; \
+if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \
+     . %{_sysconfdir}/selinux/.config_backup; \
+else \
+     BACKUP_SELINUXTYPE=targeted; \
+fi; \
+if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \
+     if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \
+          sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \
+     fi; \
+elif [ "%1" = "targeted" ]; then \
+     if [ "%1" != "$SELINUXTYPE" ]; then \
+          sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
+     fi; \
+elif ! ls  %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \
+     if [ "%1" != "$SELINUXTYPE" ]; then \
+          sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
+     fi; \
+fi;
+
+# Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names
+# of variables inside so that they are easy to use later
+# This should be done in "pretrans" because config content can change during RPM operations
+# The macro has to be used in a script slot with "-p <lua>"
+%define backupConfigLua() \
+local sysconfdir = rpm.expand("%{_sysconfdir}") \
+local config_file = sysconfdir .. "/selinux/config" \
+local config_backup = sysconfdir .. "/selinux/.config_backup" \
+os.remove(config_backup) \
+if posix.stat(config_file) then \
+    local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \
+    local content = f:read("*all") \
+    f:close() \
+    local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \
+    local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \
+    bf:write(backup) \
+    bf:close() \
+end
+
 %build
 
 %prep 
@@ -385,7 +437,7 @@ cp %{SOURCE28} %{buildroot}/
 %makeModulesConf targeted base contrib
 %installCmds targeted mcs n allow
 # install permissivedomains.cil
-semodule -p %{buildroot} -X 100 -i %{buildroot}/permissivedomains.cil
+semodule -p %{buildroot} -X 100 -s targeted -i %{buildroot}/permissivedomains.cil
 rm -rf %{buildroot}/permissivedomains.cil
 # recreate sandbox.pp
 rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
@@ -501,13 +553,20 @@ Conflicts: container-selinux < 2:1.12.1-22
 %description targeted
 SELinux Reference policy targeted base module.
 
+%pretrans targeted -p <lua>
+%backupConfigLua
+
 %pre targeted
 %preInstall targeted
 
 %post targeted
+%checkConfigConsistency targeted
 %postInstall $1 targeted
 exit 0
 
+%posttrans targeted
+%checkConfigConsistency targeted
+
 %postun targeted
 if [ $1 = 0 ]; then
     source /etc/selinux/config
@@ -573,6 +632,9 @@ Conflicts: container-selinux <= 1.9.0-9
 %description minimum
 SELinux Reference policy minimum base module.
 
+%pretrans minimum -p <lua>
+%backupConfigLua
+
 %pre minimum
 %preInstall minimum
 if [ $1 -ne 1 ]; then
@@ -580,6 +642,7 @@ if [ $1 -ne 1 ]; then
 fi
 
 %post minimum
+%checkConfigConsistency minimum
 contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
 basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
 if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then
@@ -611,6 +674,9 @@ done
 fi
 exit 0
 
+%posttrans minimum
+%checkConfigConsistency minimum
+
 %postun minimum
 if [ $1 = 0 ]; then
     source /etc/selinux/config
@@ -668,13 +734,20 @@ Conflicts: container-selinux <= 1.9.0-9
 %description mls 
 SELinux Reference policy mls base module.
 
+%pretrans mls -p <lua>
+%backupConfigLua
+
 %pre mls 
 %preInstall mls
 
 %post mls 
+%checkConfigConsistency mls
 %postInstall $1 mls
 exit 0
 
+%posttrans mls
+%checkConfigConsistency mls
+
 %postun mls
 if [ $1 = 0 ]; then
     source /etc/selinux/config