Failed Presence/IM&P upgrade

Attempted a CUP/IM&P upgrade from 8.6(4) to 10.5(2)a but ended up with a failed refresh upgrade (RU) and the system booting back to 8.6.

Investigating install.log shows the following:

03/24/2015 02:13:32 IPM|Internal Error, File:ipm.c:2011, Function: ipmReadNormalizedInputLine(), "/usr/local/cm/script/cm-dbl-install RU PostInstall 10.5.2.20000-1 8.6.4.10000-28 /usr/local/cm/ /common/component/database /common/log/install/capture.txt " failed (1)|<LVL::Critical>
03/23/2015 18:13:34 InstallWizard|Platform Install: view|<LVL::Info>
03/24/2015 02:13:34 IPM| end-of-session "Installing database component": 4387.198 secs.|<LVL::Info>
03/24/2015 02:13:34 IPM|Close progress meter "Component Install"|<LVL::Info>
03/24/2015 02:13:34 component_install|Writing database into /common/log/install/component_failed.xml file.|<LVL::Info>
03/24/2015 02:13:34 component_install|/common/log/install/component_failed.xml created : 0|<LVL::Info>
...
03/24/2015 02:13:34 component_install|File:/opt/cisco/install/bin/component_install:807, Function: exec_progmeter(), /opt/cisco/install/bin/progmeter failed (1)|<LVL::Error>
03/24/2015 02:13:34 appmanager.sh|Internal Error, File:/usr/local/bin/base_scripts/appmanager.sh:273, Function: refresh_upgrade(), failed to refresh_upgrade infrastructure_post components|<LVL::Critical>
03/24/2015 02:13:34 post_install|File:/opt/cisco/install/bin/post_install:961, Function: install_applications(), /usr/local/bin/base_scripts/appmanager.sh -refresh-upgrade failed (1)|<LVL::Error>
03/24/2015 02:13:34 post_install|Exiting with result 1|<LVL::Info>
...
03/24/2015 02:13:38 post_install|_set_upgrade_status_attribute: status set to upgrade.stage.error|<LVL::Debug>
03/24/2015 02:13:38 post_install|File:/opt/cisco/install/bin/post_install:624, Function: handle_refresh_upgrade_failure(), Refresh upgrade failed. Trying to reboot to currently active version.|<LVL::Error>

Investigating syslog/messages on the INACTIVE partition after the RU failure shows multiple AVC denials, similar to the following examples:

Mar 23 18:12:01 HOSTNAME kern 6 kernel:SELinux:  Context admin_u:object_r:cli_tmp_t:s0 is not valid (left unmapped).
Mar 23 18:12:01 HOSTNAME kern 5 kernel:type=1400 audit(1427159521.658:796866): avc:  denied  { getattr } for  pid=1842 comm="installdb" path="/common/log/install/downloaded_versions" dev=sda6 ino=1769674 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:12:03 HOSTNAME kern 5 kernel:type=1400 audit(1427159523.390:796867): avc:  denied  { setattr } for  pid=2085 comm="chown" name="drfuser" dev=sda1 ino=612031 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Mar 23 18:13:16 HOSTNAME kern 5 kernel:type=1400 audit(1427159596.820:796876): avc:  denied  { ioctl } for  pid=6070 comm="sftp_connect.sh" path="/home/sftpuser/sftp_connect.sh" dev=sda1 ino=612018 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Mar 23 18:13:26 HOSTNAME kern 5 kernel:type=1400 audit(1427159606.576:796877): avc:  denied  { remove_name } for  pid=1842 comm="installdb" name="sqlhosts_9BoX7x" dev=sda1 ino=612082 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Mar 23 18:13:26 HOSTNAME kern 5 kernel:type=1400 audit(1427159606.576:796878): avc:  denied  { unlink } for  pid=1842 comm="installdb" name="sqlhosts_9BoX7x" dev=sda1 ino=612082 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file
Mar 23 18:13:26 HOSTNAME kern 5 kernel:type=1400 audit(1427159606.841:796879): avc:  denied  { getattr } for  pid=6158 comm="cupl2_new.py" path="/common/component/database/cupl2.export" dev=sda6 ino=1000180 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Mar 23 18:13:26 HOSTNAME kern 5 kernel:type=1400 audit(1427159606.851:796880): avc:  denied  { getattr } for  pid=6158 comm="cupl2_new.py" path="/common/component/database/cupl2.export/dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.036:796881): avc:  denied  { read } for  pid=6310 comm="installdb" name="dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.036:796882): avc:  denied  { open } for  pid=6310 comm="installdb" name="dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.246:796883): avc:  denied  { write } for  pid=6333 comm="rm" name="cupl2.export" dev=sda6 ino=1000180 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Mar 23 18:13:32 HOSTNAME kern 5 kernel:type=1400 audit(1427159612.023:796889): avc:  denied  { read } for  pid=6563 comm="cp" name="id_dsa.pub" dev=sda1 ino=612062 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Mar 23 18:13:32 HOSTNAME kern 5 kernel:type=1400 audit(1427159612.023:796890): avc:  denied  { open } for  pid=6563 comm="cp" name="id_dsa.pub" dev=sda1 ino=612062 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Mar 23 18:13:32 HOSTNAME kern 5 kernel:type=1400 audit(1427159612.023:796891): avc:  denied  { write } for  pid=6563 comm="cp" name="id_dsa.pub" dev=sda1 ino=612071 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Mar 23 18:13:34 HOSTNAME kern 5 kernel:type=1400 audit(1427159614.949:796893): avc:  denied  { create } for  pid=8184 comm="sed" name="sedYOAA0s" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:34 HOSTNAME kern 5 kernel:type=1400 audit(1427159614.949:796894): avc:  denied  { write } for  pid=8184 comm="sed" name="sedYOAA0s" dev=sda6 ino=1769710 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:34 HOSTNAME kern 5 kernel:type=1400 audit(1427159614.950:796895): avc:  denied  { rename } for  pid=8184 comm="sed" name="sedYOAA0s" dev=sda6 ino=1769710 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

Workaround:
This does not seem to be documented, but given the bad feeling from the AVC denials, applying the workaround from similar bugs (CSCul25056 and CSCue18397) did the trick. Boot to a Linux disc and modify grub.conf to include enforcing=0.
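
One way to summarize AVC denials like those quoted above, as an added example that is not part of the original post: it parses the syslog format shown and groups denials by source type, target type and object class, so it is clear which labels the install scripts were denied on. The function names `parse_avc` and `summarize` are hypothetical; the sample lines are copied from the excerpt above.

```python
import re
from collections import defaultdict

# Sample input: six lines copied from the syslog excerpt in the post (the first is not an AVC record).
SAMPLE = """\
Mar 23 18:12:01 HOSTNAME kern 6 kernel:SELinux:  Context admin_u:object_r:cli_tmp_t:s0 is not valid (left unmapped).
Mar 23 18:12:01 HOSTNAME kern 5 kernel:type=1400 audit(1427159521.658:796866): avc:  denied  { getattr } for  pid=1842 comm="installdb" path="/common/log/install/downloaded_versions" dev=sda6 ino=1769674 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:12:03 HOSTNAME kern 5 kernel:type=1400 audit(1427159523.390:796867): avc:  denied  { setattr } for  pid=2085 comm="chown" name="drfuser" dev=sda1 ino=612031 scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.036:796881): avc:  denied  { read } for  pid=6310 comm="installdb" name="dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:30 HOSTNAME kern 5 kernel:type=1400 audit(1427159610.036:796882): avc:  denied  { open } for  pid=6310 comm="installdb" name="dependency.txt" dev=sda6 ino=1000181 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Mar 23 18:13:34 HOSTNAME kern 5 kernel:type=1400 audit(1427159614.949:796893): avc:  denied  { create } for  pid=8184 comm="sed" name="sedYOAA0s" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
"""

AVC_RE = re.compile(r'audit\(\d+\.\d+:(?P<serial>\d+)\):\s+avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: (q if v.startswith('"') else v) for k, v, q in KV_RE.findall(m.group('rest'))}
    rec['serial'] = int(m.group('serial'))
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type:level; the type is the third field.
    for side in ('scontext', 'tcontext'):
        parts = rec.get(side, '').split(':')
        rec[side + '_type'] = parts[2] if len(parts) > 2 else None
    return rec

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {'count': 0, 'perms': set(), 'comms': set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:  # skip non-AVC kernel messages
            continue
        entry = groups[(rec['scontext_type'], rec['tcontext_type'], rec.get('tclass'))]
        entry['count'] += 1
        entry['perms'].update(rec['perms'])
        entry['comms'].add(rec.get('comm'))
    return dict(groups)

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]['count'])
    for (src, tgt, cls), e in ranked:
        print(f"{e['count']:3d}  {src} -> {tgt}:{cls}  perms={sorted(e['perms'])}  comms={sorted(e['comms'])}")
```
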