diff -ru serefpolicy-3.13.1.orig/policy/flask/access_vectors serefpolicy-3.13.1/policy/flask/access_vectors
--- serefpolicy-3.13.1.orig/policy/flask/access_vectors	2016-04-05 14:59:56.548712088 -0700
+++ serefpolicy-3.13.1/policy/flask/access_vectors	2016-04-05 20:29:57.981139727 -0700
@@ -925,3 +925,56 @@
 {
 	read
 }
+
+class cap_userns
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Capabilities >= 32 are defined in the capability2 class.
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown
+	dac_override
+	dac_read_search
+	fowner
+	fsetid
+	kill
+	setgid
+	setuid
+	setpcap
+	linux_immutable
+	net_bind_service
+	net_broadcast
+	net_admin
+	net_raw
+	ipc_lock
+	ipc_owner
+	sys_module
+	sys_rawio
+	sys_chroot
+	sys_ptrace
+	sys_pacct
+	sys_admin
+	sys_boot
+	sys_nice
+	sys_resource
+	sys_time
+	sys_tty_config
+	mknod
+	lease
+	audit_write
+	audit_control
+	setfcap
+}
+
+class cap2_userns
+{
+	mac_override	# unused by SELinux
+	mac_admin
+	syslog
+	wake_alarm
+	epolwakeup
+	block_suspend
+	compromise_kernel
+	audit_read
+}
diff -ru serefpolicy-3.13.1.orig/policy/flask/security_classes serefpolicy-3.13.1/policy/flask/security_classes
--- serefpolicy-3.13.1.orig/policy/flask/security_classes	2016-04-05 14:59:56.548712088 -0700
+++ serefpolicy-3.13.1/policy/flask/security_classes	2016-04-05 20:29:57.981139727 -0700
@@ -149,5 +149,8 @@
 # gssd services
 class proxy
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
 # FLASK
diff -ru serefpolicy-3.13.1.orig/policy/modules/kernel/kernel.te serefpolicy-3.13.1/policy/modules/kernel/kernel.te
--- serefpolicy-3.13.1.orig/policy/modules/kernel/kernel.te	2016-04-05 14:59:56.567712479 -0700
+++ serefpolicy-3.13.1/policy/modules/kernel/kernel.te	2016-04-05 21:57:44.634218241 -0700
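Review bot: The header comment inside the new `cap_userns` class still says that capabilities >= 32 "are defined in the capability2 class", which is true of the `capability` class it was evidently copied from but not of this one, where the continuation class is `cap2_userns`; it should read `# Capabilities >= 32 are defined in the cap2_userns class.` and add `# Both userns classes must stay identical to capability/capability2.` so the lockstep requirement is stated where a future editor will see it. The `cap2_userns` list carries `epolwakeup` and `compromise_kernel`; as far as I recall the kernel resolves policy permissions by name against its own class map, so a name the kernel lacks is merely never granted, whereas a name the kernel defines and this list lacks would fail the mapping, so the list is worth checking against the kernel's definition of the class rather than only against the local `capability2` class (not visible in this hunk). Because these are distinct per-class bits, an existing `self:capability` rule grants nothing for a check made from inside a non-init user namespace once these classes are declared, so confined domains that create user namespaces will need their own `cap_userns` rules, which this patch does not supply.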
@@ -491,6 +491,9 @@
 # Rules for unconfined acccess to this module
 #
+allow kern_unconfined self:cap_userns all_cap_userns_perms;
+allow kern_unconfined self:cap2_userns all_cap2_userns_perms;
+
 allow kern_unconfined proc_type:{ file } ~entrypoint;
 allow kern_unconfined proc_type:{ dir lnk_file } *;
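Review bot: `all_cap_userns_perms` and `all_cap2_userns_perms` are used on the two added lines but defined in none of the hunks shown here; unless the macros are added in the policy's support definitions elsewhere in this patch, an undefined m4 name passes through to the policy compiler as a bogus permission and the build should fail. The self-contained alternative is `allow kern_unconfined self:cap_userns *;` and `allow kern_unconfined self:cap2_userns *;`, matching the `*` form already used two lines below for `proc_type`. If the macros are kept, they need to mirror the permission lists declared in the access_vectors hunk exactly, since a stale macro silently leaves bits ungranted for the unconfined types. A one-line comment above the rules would also help, e.g. `# capability checks made from a non-init user namespace`.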