[Podman] ro sysfs doesn't affect spc_t?

Hey team, I've got some odd behavior on a podman in Openshift use case I am trying to figure out. I am trying to run podman in openshift without privilege, extra capabilities and ideally a custom SELinux label that isn't `spc_t`. I have managed to adapt the `container_engine_t` type to get past any denials, but now I'm hitting an issue where the sysfs of the container is read only: I am running with this yaml: ``` apiVersion: v1 kind: Pod metadata: name: no-priv annotations: io.kubernetes.cri-o.Devices: "/dev/fuse" spec: containers: - name: no-priv-rootful image: quay.io/podman/stable args: - sleep - "1000000" securityContext: runAsUser: 1000 seLinuxOptions: type: "container_engine_t" ``` and using a container-selinux based on https://github.com/haircommander/container-selinux/tree/engine_t-improvem... when I run this container, and then run podman inside, I get this error: ``` $ oc exec -ti pod/no-priv-rootful -- bash [podman@no-priv-rootful /]$ podman run ubi8 ls WARN[0005] Path "/run/secrets/etc-pki-entitlement" from "/etc/containers/mounts.conf" doesn't exist, skipping Error: crun: set propagation for `sys`: Permission denied: OCI permission denied ``` What I find odd, and what is the subject of this email, is that when I adapt the selinux label to be "spc_t": ``` type: "spc_t" ``` the container runs fine. There are no denials in AVC when I run `container_engine_t`, but clearly something is different. Can anyone help me identify what is happening? Thanks Peter -- Peter Hunt, RHCE They/Them or He/Him Senior Software Engineer, Openshift Red Hat <https://www.redhat.com> <https://www.redhat.com>