diff options
| author |   Serge Hallyn <serge.hallyn@canonical.com> | 2012-01-23 11:57:59 -0600 |
|---|---|---|
| committer |   Daniel Lezcano <daniel.lezcano@free.fr> | 2012-02-26 10:44:40 +0100 |
| commit | e226883316ad028a9dbc048af4849082e940033f (patch) | |
| tree | 8b52d342e82b843d1e0fd5122a76028106dd60b9 | |
| parent | Add new 'precise' release to ubuntu template (diff) | |
| download | lxc-e226883316ad028a9dbc048af4849082e940033f.tar.gz lxc-e226883316ad028a9dbc048af4849082e940033f.tar.bz2 lxc-e226883316ad028a9dbc048af4849082e940033f.zip | |
drop mac_admin and mac_override
mac_admin stops the container from loading LSM policy. Neither
selinux nor apparmor currently will do well with automatic namespacing
of policy (though it's coming in apparmor, after which we can re-enable
this).
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
| -rw-r--r-- | templates/lxc-ubuntu.in | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 8a413ff..ba601ed 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -206,7 +206,7 @@ lxc.pts = 1024 lxc.rootfs = $rootfs lxc.mount = $path/fstab lxc.arch = $arch -lxc.cap.drop = sys_module +lxc.cap.drop = sys_module mac_admin mac_override lxc.cgroup.devices.deny = a # Allow any mknod (but not using the node) |