diff --git a/private/access_vectors b/private/access_vectors
index efd4924b5ca1b40988bc8f843f6ab0bba29e55f8..875d7ba1fd4069cb1d5b8fbc2912667a31ba28ad 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -76,6 +76,60 @@ common ipc
 	unix_write
 }
 
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+	# The capabilities are defined in include/linux/capability.h
+	# Capabilities >= 32 are defined in the cap2 common.
+	# Care should be taken to ensure that these are consistent with
+	# those definitions. (Order matters)
+
+	chown
+	dac_override
+	dac_read_search
+	fowner
+	fsetid
+	kill
+	setgid
+	setuid
+	setpcap
+	linux_immutable
+	net_bind_service
+	net_broadcast
+	net_admin
+	net_raw
+	ipc_lock
+	ipc_owner
+	sys_module
+	sys_rawio
+	sys_chroot
+	sys_ptrace
+	sys_pacct
+	sys_admin
+	sys_boot
+	sys_nice
+	sys_resource
+	sys_time
+	sys_tty_config
+	mknod
+	lease
+	audit_write
+	audit_control
+	setfcap
+}
+
+common cap2
+{
+	mac_override	# unused by SELinux
+	mac_admin	# unused by SELinux
+	syslog
+	wake_alarm
+	block_suspend
+	audit_read
+}
+
 #
 # Define the access vectors.
 #
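Review bot: The header comment of `common cap` says "Order matters" but not why, and because `cap_userns`/`cap2_userns` inherit the same commons later in this diff, an ordering slip here would silently shift the meaning of every subsequent permission in four classes at once. The kernel derives the access-vector bit from the capability number, so the list has to stay append-only in the exact `include/linux/capability.h` order; I would extend the comment with `# The kernel maps CAP_<n> to permission bit n (mod 32) of this list, so entries must`, `# never be inserted, removed or reordered - only appended (bits >= 32 go in cap2).` and `# capability, capability2, cap_userns and cap2_userns all inherit these commons.` If the target kernel defines capabilities beyond audit_read (bit 37), they need to be appended to `cap2` in the same way; nothing in the diff shows whether that was checked.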
@@ -330,59 +384,14 @@ class system
 }
 
 #
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
 #
 
 class capability
-{
-	# The capabilities are defined in include/linux/capability.h
-	# Capabilities >= 32 are defined in the capability2 class.
-	# Care should be taken to ensure that these are consistent with
-	# those definitions. (Order matters)
-
-	chown
-	dac_override
-	dac_read_search
-	fowner
-	fsetid
-	kill
-	setgid
-	setuid
-	setpcap
-	linux_immutable
-	net_bind_service
-	net_broadcast
-	net_admin
-	net_raw
-	ipc_lock
-	ipc_owner
-	sys_module
-	sys_rawio
-	sys_chroot
-	sys_ptrace
-	sys_pacct
-	sys_admin
-	sys_boot
-	sys_nice
-	sys_resource
-	sys_time
-	sys_tty_config
-	mknod
-	lease
-	audit_write
-	audit_control
-	setfcap
-}
+inherits cap
 
 class capability2
-{
-	mac_override	# unused by SELinux
-	mac_admin	# unused by SELinux
-	syslog
-	wake_alarm
-	block_suspend
-	audit_read
-}
+inherits cap2
 
 #
 # Extended Netlink classes
@@ -543,6 +552,17 @@ inherits socket
 class netlink_crypto_socket
 inherits socket
 
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
 class property_service
 {
 	set
diff --git a/private/security_classes b/private/security_classes
index 19fd5db3699532a2f6fd0182cc16777d3e833eba..abd9cbea7effcf1acd9c38a49291101b25063f80 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -94,6 +94,10 @@ class netlink_scsitransport_socket
 class netlink_rdma_socket
 class netlink_crypto_socket
 
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
 # Property service
 class property_service          # userspace
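Review bot: The comment `# Capability checks when on a non-init user namespace` reads awkwardly; `# Capability checks for tasks in a non-init user namespace` is clearer. Declaring the classes grants nothing by itself: until some domain receives allow rules on `cap_userns`/`cap2_userns`, every capability use from inside a child user namespace is denied, which fails closed but will likely surface as AVC denials for any domain that creates user namespaces, so confirm that is the intended outcome. The kernel resolves policy classes by name, so these two names must match the kernel's class list exactly; worth verifying against the target kernel rather than the policy alone.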