
bootc permission failures with an selinux-confined root session #2186

@sfackler

Description


I'm working on a bootc-managed system built off of RHEL 10. The Containerfile applies STIG-mandated configuration changes, in particular telling sudo to elevate the SELinux context to sysadm_t and sysadm_r when becoming root (https://www.stigviewer.com/stigs/red_hat_enterprise_linux_10/2026-03-11/finding/V-281250). The non-root user is configured to log in with staff_u.

The end result is that rather than having an unconfined root user:

$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ sudo -i
[sudo] password for foobar:
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I instead have this:

$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
$ sudo -i
[sudo] password for foobar:
# id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

Unfortunately, this prevents bootc from working entirely:

# bootc status
error: Status: Initializing storage: Acquiring sysroot: Remounting /sysroot read-write: Permission denied

The cause is this AVC denial:

node=localhost type=PROCTITLE msg=audit(1777928077.035:495): proctitle=2F746D702F2E746D7033614575724D00737461747573
node=localhost type=PATH msg=audit(1777928077.035:495): item=0 name="/sysroot" inode=128 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
node=localhost type=CWD msg=audit(1777928077.035:495): cwd="/var/roothome"
node=localhost type=SYSCALL msg=audit(1777928077.035:495): arch=c000003e syscall=165 success=no exit=-13 a0=7f2e068fac7d a1=7f2e068fac7d a2=0 a3=200020 items=1 ppid=1849 pid=1857 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="tokio-runtime-w" exe=2F746D702F2E746D7033614575724D202864656C6574656429 subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key="export"
node=localhost type=AVC msg=audit(1777928077.035:495): avc:  denied  { remount } for  pid=1857 comm="tokio-runtime-w" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0

I was able to work around this by applying the following CIL rule in the Containerfile:

(allow sysadm_t fs_t (filesystem (remount)))

That seems like it's probably overly broad, but I don't understand selinux well enough to say for sure :). In any case, this feels like something that should come out of the box.

EDIT: bootc usr-overlay also requires mount permissions for fs_t.
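To show how a rule like the one above is derived from the audit records rather than written by hand, here is an added example (not bootc's or the reporter's code) that decodes the hex-encoded proctitle field, extracts source type, target type, class and permissions from AVC records, and merges them into CIL allow rules listing exactly the denied permissions. The remount record is the one from the report; the mount record is a constructed sample standing in for the usr-overlay denial mentioned in the edit.

```python
import re

# Sample audit records: the PROCTITLE and AVC lines from the report above, plus a
# constructed AVC line for the "mount" permission that bootc usr-overlay also needs.
AUDIT_LINES = [
    'node=localhost type=PROCTITLE msg=audit(1777928077.035:495): '
    'proctitle=2F746D702F2E746D7033614575724D00737461747573',
    'node=localhost type=AVC msg=audit(1777928077.035:495): avc:  denied  { remount } for  '
    'pid=1857 comm="tokio-runtime-w" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0',
    # constructed sample, not from the report
    'node=localhost type=AVC msg=audit(1777928099.000:501): avc:  denied  { mount } for  '
    'pid=1901 comm="bootc" scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def decode_hex_field(value):
    """auditd hex-encodes fields that contain spaces or control characters.
    NUL bytes separate argv entries in proctitle, so render them as spaces."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value  # not hex-encoded (plain or quoted value)
    return raw.decode("utf-8", "replace").replace("\x00", " ")


def parse_avc(line):
    """Return (source type, target type, class, set of permissions) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:type:range -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())


def cil_rules(lines):
    """Merge denials sharing (source, target, class) into one CIL rule each,
    granting only the permissions actually denied, never the whole class."""
    merged = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return sorted("(allow %s %s (%s (%s)))" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in merged.items())
```

On a live system the same records come from `ausearch -m avc`, and `audit2allow` generates equivalent rules; the point of scoping to the listed permissions is that the resulting module stays minimal and reviewable.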
