I updated fedora from 31 to 33, skipping 32 because I live on the edge.
When I tried using DNF, Fedora spewed this on stderr: warning: Found bdb Packages database while attempting sqlite backend: using bdb backend.
Sweet, no worries! A swift search and you find this advice
In some circumstances [*] users may see messages like “warning: Found bdb Packages database while attempting sqlite backend: using bdb backend.” This is a harmless indication that rpm configuration and what’s on disk disagree. It can be silenced either by running rpmdb --rebuilddb to convert the database to match configuration, or by overriding configuration to match what is on disk (see above).
https://fedoraproject.org/wiki/Changes/Sqlite_Rpmdb
Great! I ran rpmdb --rebuilddb
and it returned quickly. Running more dnf commands, though, continued giving the same error.
I checked journalctl
and found the following errors
AVC avc: denied { read } for pid=12602 comm="rpmdb" name="resolv.conf" dev="dm-0" ino=1966429 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
AVC avc: denied { open } for pid=12906 comm="rpmdb" path="/var/lib/rpm/.rpm.lock" dev="dm-0" ino=799036 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
AVC avc: denied { lock } for pid=13224 comm="rpmdb" path="/var/lib/rpm/.rpm.lock" dev="dm-0" ino=799036 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
I noticed that the errors say the command causing the errors is rpmdb, which is exactly what I was hoping to find. Perfect! I searched for “AVC avc: denied” and found a link to this fantastic page on the gentoo wiki explaining what I was reading https://wiki.gentoo.org/wiki/SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details
From there, I knew I needed to allow the rpmdb command the permissions that were being denied. I saw that audit2allow seemed to be a command I needed to allow these permissions. The man page lists the purpose of the command as
audit2allow - generate SELinux policy allow/dontaudit rules from logs of denied operations
I copied and pasted the errors from journalctl into a temporary file I called temp.pp, used audit2allow to create a module I called rpmdb, installed the module into SELinux, reran the rpmdb command, and repeated the process until I’d dealt with all of the errors.
audit2allow -M rpmdb < temp.pp
semodule -i rpmdb.pp
As an experiment, I tried repeatedly adding the rules to the same temp file and re-adding the temp file with the same audit2allow/semodule commands, which worked perfectly.
Reading the man page for audit2allow and this page https://danwalsh.livejournal.com/24750.html (linked to from https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-fixing_problems-allowing_access_audit2allow), I’m pretty sure I didn’t need to use the temp file.
Once all the errors were dealt with, the rpmdb rebuilt just fine too.
Maybe you just needed to run:
`restorecon -v /var/lib/rpm/.rpm.lock`
`Relabeled /var/lib/rpm/.rpm.lock from system_u:object_r:unlabeled_t:s0 to system_u:object_r:rpm_var_lib_t:s0`
This works. Also needed
restorecon -v /var/lib/rpm/Packages
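The post's audit2allow loop and the restorecon fix in the comments are two different answers to the same AVC lines, and the AVC lines themselves say which one applies: the target context on /var/lib/rpm/.rpm.lock was var_lib_t, not the rpm_var_lib_t that restorecon put back, so the object was mislabelled and no policy change was needed. The script below is an added example, not code from the post or its commenters; it parses AVC lines (the three from the post, re-typed here as constructed samples) and reports whether each denial looks like a wrong label (run restorecon) or a genuine policy question (review with ausearch | audit2allow before installing anything). The expected-type table is an assumption for illustration; rpm_var_lib_t is the value the restorecon output in the comments shows.

```shell
#!/bin/sh
# Added example (not from the original post): triage AVC denials before
# reaching for audit2allow. A mislabelled file is fixed with restorecon;
# audit2allow would instead widen policy to cover the wrong label.

# Constructed sample AVC lines, modelled on the ones in the post.
AVC_1='AVC avc: denied { read } for pid=12602 comm="rpmdb" name="resolv.conf" dev="dm-0" ino=1966429 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0'
AVC_2='AVC avc: denied { open } for pid=12906 comm="rpmdb" path="/var/lib/rpm/.rpm.lock" dev="dm-0" ino=799036 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0'
AVC_3='AVC avc: denied { lock } for pid=13224 comm="rpmdb" path="/var/lib/rpm/.rpm.lock" dev="dm-0" ino=799036 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0'

# Pull one key=value field out of an AVC line (the value may be quoted or not).
avc_field() {
    printf '%s\n' "$1" | sed -n -E "s/.*[[:space:]]$2=\"?([^\" ]+)\"?.*/\1/p"
}

# Expected SELinux type for a path, by prefix. Assumed table for illustration;
# only the prefix this page is about is listed. On a real system, compare
# against `matchpathcon PATH` instead.
expected_type() {
    case "$1" in
        /var/lib/rpm/*) printf 'rpm_var_lib_t\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# Classify one denial. Prints "relabel:PATH:ACTUAL_TYPE" when the target's
# label disagrees with what its path should carry (or is unlabeled_t);
# otherwise "policy:COMM:PERM:TARGET_TYPE", meaning the label is plausible
# and the denial is a real policy question that should be reviewed, not
# blindly allowed.
triage_avc() {
    line=$1
    comm=$(avc_field "$line" comm)
    perm=$(printf '%s\n' "$line" | sed -n -E 's/.*denied [{] ([^}]*) [}].*/\1/p' | tr -d ' ')
    ttype=$(avc_field "$line" tcontext | cut -d: -f3)
    path=$(avc_field "$line" path)
    [ -n "$path" ] || path=$(avc_field "$line" name)
    want=$(expected_type "$path")
    if [ "$ttype" = unlabeled_t ] || { [ "$want" != unknown ] && [ "$want" != "$ttype" ]; }; then
        printf 'relabel:%s:%s\n' "$path" "$ttype"
    else
        printf 'policy:%s:%s:%s\n' "$comm" "$perm" "$ttype"
    fi
}

# Turn a triage result into the next command a practitioner would run.
suggest_fix() {
    case "$1" in
        relabel:*) printf 'restorecon -v %s\n' "$(printf '%s' "$1" | cut -d: -f2)" ;;
        policy:*)  printf 'ausearch -m avc -c %s | audit2allow  # review the rules before semodule -i\n' "$(printf '%s' "$1" | cut -d: -f2)" ;;
    esac
}

for avc in "$AVC_1" "$AVC_2" "$AVC_3"; do
    result=$(triage_avc "$avc")
    printf '%s\n  -> %s\n' "$result" "$(suggest_fix "$result")"
done
```

On the post's three lines this reports the two .rpm.lock denials as relabel (the fix the comments arrived at) and the resolv.conf denial as a policy question against net_conf_t, which is the one worth reading before deciding whether an allow rule, a dontaudit, or nothing is appropriate. The ausearch form in the suggestion is also how to skip the temp file the post mentions: ausearch -m avc -c rpmdb feeds the matching audit records straight into audit2allow.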
This is cool, thank you!