This occurs in a stacked policy situation, where a system policy is being applied but, within the container namespace, the policy is unconfined.
The special casing for unconfined with no-new-privs is not properly detecting this case. I will have a test kernel with a fix for this issue early next week.