drop mac_admin and mac_override

mac_admin stops the container from loading LSM policy.  Neither
selinux nor apparmor currently will do well with automatic namespacing
of policy (though it's coming in apparmor, after which we can re-enable
this).

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 8a413ff4dc0ece64418dc857109893e1ba121911..ba601edc5dd17f3a578c229d1beee1ac7a1776a2 100644 (file)
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -206,7 +206,7 @@ lxc.pts = 1024
 lxc.rootfs = $rootfs
 lxc.mount  = $path/fstab
 lxc.arch = $arch
-lxc.cap.drop = sys_module
+lxc.cap.drop = sys_module mac_admin mac_override
 
 lxc.cgroup.devices.deny = a
 # Allow any mknod (but not using the node)