From e226883316ad028a9dbc048af4849082e940033f Mon Sep 17 00:00:00 2001
From: Serge Hallyn
Date: Mon, 23 Jan 2012 11:57:59 -0600
Subject: drop mac_admin and mac_override

mac_admin stops the container from loading LSM policy. Neither selinux nor apparmor currently will do well with automatic namespacing of policy (though it's coming in apparmor, after which we can re-enable this).
Signed-off-by: Serge Hallyn
Signed-off-by: Daniel Lezcano
---
 templates/lxc-ubuntu.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 8a413ff..ba601ed 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -206,7 +206,7 @@ lxc.pts = 1024
 lxc.rootfs = $rootfs
 lxc.mount = $path/fstab
 lxc.arch = $arch
-lxc.cap.drop = sys_module
+lxc.cap.drop = sys_module mac_admin mac_override
 lxc.cgroup.devices.deny = a
 # Allow any mknod (but not using the node)
-- 
cgit v1.2.3-65-gdbad
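Review bot: The new `lxc.cap.drop = sys_module mac_admin mac_override` line has no comment in the file, and the commit message only motivates `mac_admin`, so a reader of the generated config cannot tell why `mac_override` is dropped or under what condition the entry may be relaxed. I would add a comment line directly above it, in the style of the `# Allow any mknod` line that follows: `# LSM policy is not namespaced: keep the container from loading (mac_admin) or overriding (mac_override) host MAC policy`. The surrounding lines appear to be part of a generated container config whose start and end lie outside the hunk, so the change presumably reaches only containers created after it. If so, the commit message should say that existing container configs need the same two capabilities added by hand.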