sepolicy/common/createns.te

# Network namespace creation
type createns, domain;
type createns_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(createns)

allow createns self:capability { sys_admin net_raw setuid setgid };
allow createns varrun_file:dir { add_name search write };
allow createns varrun_file:file { create mounton open read write };

#Allow createns itself to be run by init in its own domain
domain_auto_trans(goldfish_setup, createns_exec, createns);
allow createns goldfish_setup:fd use;