Ben Cressey

Results 167 comments of Ben Cressey

@mcanevet this is a clever piece of design (and implementation!) work. For the remaining difficulty, I don't have an equally clever idea. One very easy approach would be to add...

You may be running into a variation of the behavior discussed [here](https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/980052bd8cc53c90189ddb15ce7611a43ac0d2ab/packages/selinux-policy/rules.cil#L149):

> For overlayfs, the mounting process credentials are saved and used for subsequent access checks from other processes,...

> It still seems that nfsd is still attempting to check the permissions [...] I need to set up a repro case locally to try to understand what's going on...

Hey Liam - I've been able to repro the issue using the steps you provided. Thanks for the detailed instructions. Despite what I wrote earlier, there doesn't seem to be...

> I don't know enough about SELinux to tell if that's a terrible idea or not, or if that's even possible. I think we can probably close this for now,...

I have this working now, or at least I think I do. I need to write some additional test cases but hope to have the policy change up for review...

The fix for this should be coming in 1.27.0, which is expected to be released this week.

This was fixed in [1.21.1](https://github.com/bottlerocket-os/bottlerocket/issues/4148), a few releases ago.

> the `BOTTLEROCKET-PRIVATE` partition is inexplicably mounted after `BOTTLEROCKET-DATA`

The drawbacks of this weren't apparent at the outset, back when there were just the `aws-*` AMIs and the initial settings...

The first part of making this work is to use the "self exec" trick:

```
[ssm-user@control]$ apiclient exec control bash
bash-4.2# ls /.bottlerocket/support/
```

But there needs to be a...