From: Serge Hallyn Date: Mon, 23 Jan 2012 17:57:59 +0000 (-0600) Subject: drop mac_admin and mac_override X-Git-Tag: lxc-0.8.0-rc2~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e226883316ad028a9dbc048af4849082e940033f;p=thirdparty%2Flxc.git drop mac_admin and mac_override mac_admin stops the container from loading LSM policy. Neither selinux nor apparmor currently will do well with automatic namespacing of policy (though it's coming in apparmor, after which we can re-enable this). Signed-off-by: Serge Hallyn Signed-off-by: Daniel Lezcano
---
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 8a413ff4d..ba601edc5 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -206,7 +206,7 @@ lxc.pts = 1024
 lxc.rootfs = $rootfs
 lxc.mount = $path/fstab
 lxc.arch = $arch
-lxc.cap.drop = sys_module
+lxc.cap.drop = sys_module mac_admin mac_override
 lxc.cgroup.devices.deny = a
 # Allow any mknod (but not using the node)