diff --git a/core/dbox.go b/core/dbox.go
index 263dc916..7fc0e9f3 100644
--- a/core/dbox.go
+++ b/core/dbox.go
@@ -86,6 +86,13 @@ func (d *dbox) RunCommand(command string, args []string, engineFlags []string, u
 // ignored in commands like "enter"
 finalArgs := []string{command}
+ // NOTE: for engine-specific commands, we need to use pkexec for rootfull
+ // containers, since podman does not offer a dedicated flag for this.
+ if rootFull && useEngine {
+ entrypoint = "pkexec"
+ finalArgs = []string{d.EngineBinary, command}
+ }
+
 cmd := exec.Command(entrypoint, finalArgs...)
 if !captureOutput && !muteOutput {
@@ -115,7 +122,7 @@ func (d *dbox) RunCommand(command string, args []string, engineFlags []string, u
 // NOTE: the root flag is not being used by the Apx CLI, but it's useful
 // for those using Apx as a library, e.g. VSO.
- if rootFull {
+ if rootFull && !useEngine {
 cmd.Args = append(cmd.Args, "--root")
 }
diff --git a/core/subSystem.go b/core/subSystem.go
index a6dc0afb..e04dd1ee 100644
--- a/core/subSystem.go
+++ b/core/subSystem.go
@@ -128,6 +128,10 @@ func (s *SubSystem) Create() error {
 labels["hasInit"] = "true"
 }
+ if s.IsUnshared {
+ labels["unshared"] = "true"
+ }
+
 err = dbox.CreateContainer(
 s.InternalName,
 s.Stack.Base,
@@ -167,6 +171,8 @@ func LoadSubSystem(name string, isRootFull bool) (*SubSystem, error) {
 Status: container.Status,
 HasInit: container.Labels["hasInit"] == "true",
 IsManaged: container.Labels["managed"] == "true",
+ IsRootfull: isRootFull,
+ IsUnshared: container.Labels["unshared"] == "true",
 }, nil
 }
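Review bot: In the new `rootFull && useEngine` branch, both the launcher and the program it elevates are left to PATH lookup. `exec.Command` resolves the bare name `pkexec`, and `d.EngineBinary` is handed to pkexec unchanged; where it is set is outside the hunk, so it may already be absolute. Because this branch decides which binary ends up running as root, I would resolve both with `exec.LookPath`, require absolute results, and fail the call if either lookup fails. Anything appended to `cmd.Args` further down in RunCommand (presumably `args` and `engineFlags`, not visible here) now also reaches the engine with root privileges, so the comment should say so, e.g. `// NOTE: everything appended to cmd.Args below is executed as root via pkexec.` RunCommand's body starts and ends outside the hunk.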
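Review bot: `IsUnshared` in LoadSubSystem is derived only from the `unshared` label, which the Create hunk (`@@ -128,6 +128,10 @@`) starts writing in this same commit. A container created before this change carries no such label and will load as `IsUnshared: false`; if unshared subsystems could already be created earlier (not visible here), callers that use the field to judge isolation would misread those containers. The label is also plain container metadata, so it records what was requested at creation rather than the namespaces actually in effect. I would at least document this at the assignment, e.g. `// NOTE: containers created before the "unshared" label existed load as IsUnshared=false.`, or fall back to inspecting the container. LoadSubSystem's body starts outside the hunk.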