Does your policy grant 'k' permissions to the file in question?
If it does, it might be worth trying to prepare a reproducer with just overlayfs, none of the container stuff; stacking filesystems are awkward at best (I thought we had a bug for overlayfs, but my Firefox history isn't being helpful, so now I'm doubting my memory) and it might be possible to reproduce this with a five-line shell script and overlayfs alone.
Thanks