diff --git a/build/build-iso.sh b/build/build-iso.sh
index cb3c564..a430efc 100755
--- a/build/build-iso.sh
+++ b/build/build-iso.sh
@@ -19,12 +19,23 @@ if command -v ksvalidator &>/dev/null; then
 ksvalidator "$KS"
 fi
-# ── Build container ──
+# ── Build container (rootless OK) ──
 podman build -t veilor-build:latest "$REPO_ROOT/build"
-# ── Build ISO ──
-# --make-iso requires --privileged (loop devices, mount).
-podman run --rm --privileged \
+# ── Build ISO (rootful — losetup + mount need real CAP_SYS_ADMIN) ──
+# rootless podman can't create loop devices even with --privileged because the
+# host kernel rejects CAP_SYS_ADMIN from a user namespace.
+SUDO=""
+if [[ $EUID -ne 0 ]]; then
+ SUDO="sudo"
+ echo "[INFO] Running ISO build under sudo (loop devices require root)"
+fi
+# Make rootful podman see the rootless-built image
+$SUDO podman load -i <(podman save veilor-build:latest) 2>/dev/null || \
+ $SUDO podman build -t veilor-build:latest "$REPO_ROOT/build"
+$SUDO podman run --rm --privileged \
 --security-opt label=disable \
 -v /dev:/dev \
 -v "$REPO_ROOT:/work" \
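Review bot: The image hand-off at `$SUDO podman load -i <(podman save veilor-build:latest)` is unlikely to work once `$SUDO` is non-empty: sudo closes inherited file descriptors above 2 by default (its closefrom setting), so the `/dev/fd/N` path that process substitution passes is likely already closed when the sudo'd podman opens it, and the `2>/dev/null` hides that failure so the `||` branch silently rebuilds the whole image as root on every run. Piping through stdin survives sudo and keeps the existing fallback on the next line: `podman save veilor-build:latest | $SUDO podman load || \`; drop the `2>/dev/null` so a real load failure is visible in the log. Because the run step is now rootful with `--privileged`, `-v /dev:/dev` and `label=disable`, whatever image gets loaded runs as host root, so it matters that the operator can see whether the rootless-built image or a fresh rootful rebuild was actually used. The `podman run` command continues past the end of the hunk.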