diff --git a/clusters/k8s01/system-upgrades/iscsid_hotfix.yaml b/clusters/k8s01/system-upgrades/iscsid_hotfix.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ba05e94348cb7a88f462065ca198430abf122ad7
--- /dev/null
+++ b/clusters/k8s01/system-upgrades/iscsid_hotfix.yaml
@@ -0,0 +1,62 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: fedora-install-iscsi-hotfix
+ namespace: system-upgrade
+type: Opaque
+stringData:
+ iscsid_hotfix.te: |
+ module iscsid_hotfix 1.0;
+
+ require {
+ type iscsid_t;
+ class capability dac_override;
+ }
+
+ #============= iscsid_t ==============
+ allow iscsid_t self:capability dac_override;
+
+ install.sh: |
+ #!/bin/sh
+ set -e
+ set -x
+ secrets="$(dirname $0)"
+ semodule_dir="$(mktemp -d)"
+
+ systemd-run --same-dir --wait --collect --service-type=exec dnf install -y selinux-policy-devel
+ systemd-run --same-dir --wait --collect --service-type=exec checkmodule -M -m -o "${semodule_dir}/iscsid_hotfix.mod" "$secrets/iscsid_hotfix.te"
+ systemd-run --same-dir --wait --collect --service-type=exec semodule_package -o "${semodule_dir}/iscsid_hotfix.pp" "${semodule_dir}/iscsid_hotfix.mod"
+ systemd-run --same-dir --wait --collect --service-type=exec semodule -i "${semodule_dir}/iscsid_hotfix.pp"
+
+
+---
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+ name: fedora-iscsi-hotfix
+ namespace: system-upgrade
+spec:
+ concurrency: 1
+ nodeSelector:
+ matchExpressions:
+ - key: feature.node.kubernetes.io/system-os_release.ID
+ operator: In
+ values:
+ - fedora
+ - key: feature.node.kubernetes.io/system-os_release.VERSION_ID.major
+ operator: In
+ values:
+ - "35"
+ - "36"
+ - "37"
+ serviceAccountName: system-upgrade
+ secrets:
+ - name: fedora-install-iscsi-hotfix
+ path: /host/run/system-upgrade/secrets/fedora
+ version: 1.0.0
+ upgrade:
+ image: quay.io/fedora/fedora:36
+ command: ["chroot", "/host"]
+ args: ["sh", "/run/system-upgrade/secrets/fedora/install.sh"]
+
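Review bot: The `allow iscsid_t self:capability dac_override;` rule in `iscsid_hotfix.te` permits the iscsid_t domain to bypass discretionary file permission checks, and nothing in the module records which denial it answers or when the hotfix can be dropped. I would add a comment above the rule such as `# Hotfix for <AVC denial / upstream bug reference>; remove once selinux-policy ships the fix`, and confirm from the audit log that the narrower `dac_read_search` is not sufficient. Separately, `image: quay.io/fedora/fedora:36` is a mutable tag for a job that chroots into `/host`; pinning it as `quay.io/fedora/fedora:36@sha256:<digest>` would make the rollout reproducible across nodes. `install.sh` also leaves the `mktemp -d` directory behind, which `trap 'rm -rf "$semodule_dir"' EXIT` placed right after its creation would clean up.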