> The capable() function only suceeds in the primary host namespace. > > The kernel uses ns_capable() in cases where container namespaces > are allowed to use capabilities. > > So this indicates that the kernel guys didn't believe it to be > safe to allow use of the 'trusted' xattr namespace in containers. > > That said, I didn't think the 'trusted.' prefix was needed for > package installation. It thought it used the 'security.' xattr > prefix for file ACLs. the trusted.* prefix was for testing, because it checks also at reading the attributes. security.capability is used for setcap http://lxr.free-electrons.com/source/security/commoncap.c#L620 but it also use capable() setfacl works fine /stephan -- Software is like sex, it's better when it's free! -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list