drop mac_admin and mac_override

mac_admin stops the container from loading LSM policy. Neither selinux nor apparmor currently will do well with automatic namespacing of policy (though it's coming in apparmor, after which we can re-enable this). Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

drop mac_admin and mac_override
e2268833 · Serge Hallyn · Daniel Lezcano · fdcde5b6 · e2268833
Commit e2268833 authored Jan 23, 2012 by Serge Hallyn Committed by Daniel Lezcano Feb 26, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

lxc-ubuntu.in templates/lxc-ubuntu.in +1 -1

No files found.
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -206,7 +206,7 @@ lxc.pts = 1024
 lxc.rootfs = $rootfs
 lxc.mount  = $path/fstab
 lxc.arch = $arch
-lxc.cap.drop = sys_module
+lxc.cap.drop = sys_module mac_admin mac_override
 lxc.cgroup.devices.deny = a
 # Allow any mknod (but not using the node)