I think we need the kernel to start checking container Capabilities rather than system capabilities. I would like to be able to say something like

    allow svirt_lxc_net_t self:nscapability sys_admin;

This way we can use MAC to better control break out of user namespace.