Comment 6 for bug 1648143

John Johansen (jjohansen) wrote:

This occurs in a stacked policy situation, where a system policy is being applied but within the container namespace, the policy is unconfined.

The special casing for unconfined with no-new-privs is not properly detecting this case. I will have a test kernel with a fix for this issue early next week.