SELinuxProject / selinux-testsuite

This is the upstream SELinux testsuite which is designed as a basic set of regression tests for the SELinux kernel functionality.
GNU General Public License v2.0

skip cap_userns tests on distros that disable CLONE_NEWUSER #29

Closed jstancek closed 7 years ago

jstancek commented 7 years ago

RHEL7 [1] (and possibly other distros) disable CLONE_NEWUSER by default. This series adds a check to see if a simple clone(CLONE_NEWUSER) works; if not, the cap_userns tests are skipped.

We didn't see this until RHEL7.4 because of the following Makefile check, which skipped the test:

ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true)
SUBDIRS += cap_userns
endif

The 7.4 policy update now makes the condition above true.

[1] http://rhelblog.redhat.com/2015/07/07/whats-next-for-containers-user-namespaces/ (comment 2)

stephensmalley commented 7 years ago

Technically this test depends on Linux >= 4.7 / kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f; I only omitted the kernel version test because I thought the cap_userns policy test would suffice. It seems odd that RHEL is back-porting new class/permission definitions if they aren't also back-porting the corresponding kernel patches; I already encountered breakage due to this for the netlink_socket tests (fixed by e7e718ad2c1ed40755b06e1ba64399ab2b8f7bff). I am wondering whether we ought to add a kernel version test here too, since even if you turn on userns in RHEL7, I'm not sure you'll have that kernel commit.
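
The two gating conditions discussed in this thread (a working CLONE_NEWUSER and a kernel of at least 4.7) can be probed together. The following is an added example, not code from this pull request or the testsuite: the function names are hypothetical, and it uses fork() plus the unshare syscall instead of the clone() call the series describes.

```c
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000	/* kernel ABI value */
#endif

/* Returns 1 if a child process can enter a new user namespace, else 0. */
int userns_works(void)
{
	int status;
	pid_t pid = fork();

	if (pid < 0)
		return 0;
	if (pid == 0)	/* child: the namespace change stays confined to it */
		_exit(syscall(SYS_unshare, CLONE_NEWUSER) == 0 ? 0 : 1);
	if (waitpid(pid, &status, 0) != pid)
		return 0;
	return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Returns 1 if a uname-style release string is >= major.minor, else 0. */
int release_at_least(const char *release, int major, int minor)
{
	int maj, min;

	if (sscanf(release, "%d.%d", &maj, &min) != 2)
		return 0;	/* unparseable: treat as too old and skip */
	return maj > major || (maj == major && min >= minor);
}

/* Exit status 0: run cap_userns; 1: skip it. */
int main(void)
{
	struct utsname u;

	if (uname(&u) != 0 || !release_at_least(u.release, 4, 7)) {
		puts("skip: kernel older than 4.7");
		return 1;
	}
	if (!userns_works()) {
		puts("skip: CLONE_NEWUSER unavailable");
		return 1;
	}
	return 0;
}
```

A release-string comparison cannot see distro back-ports, so it only tells you what the upstream version number says, not whether a given commit is present.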