Just to blow everyone's minds: The first thought that came to me was that the only way to make this useful is to actually put a label on the user namespace. If I create a container, and then a container inside that container, I'd think SELinux should be able to control the capabilities at the second level down. Dan's only asking about one level down...

On Wed, Jan 15, 2014 at 4:04 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> I think we need the kernel to start checking container capabilities rather
> than system capabilities.
>
> I would like to be able to say something like
>
>     allow svirt_lxc_net_t self:nscapability sys_admin;
>
> This way we can use MAC to better control breakout of user namespaces.
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.