diff -NurpP --minimal linux-2.6.28.3-vs2.3.0.36.5/include/linux/vserver/context.h linux-2.6.28.3-vs2.3.0.36.5.1/include/linux/vserver/context.h
--- linux-2.6.28.3-vs2.3.0.36.5/include/linux/vserver/context.h 2008-12-30 21:36:10.000000000 +0100
+++ linux-2.6.28.3-vs2.3.0.36.5.1/include/linux/vserver/context.h 2009-02-05 22:19:15.000000000 +0100
@@ -59,6 +59,7 @@
 #define VXC_SET_UTSNAME 0x00000001
 #define VXC_SET_RLIMIT 0x00000002
+#define VXC_FS_SECURITY 0x00000004
 /* was VXC_RAW_ICMP 0x00000100 */
 #define VXC_SYSLOG 0x00001000
diff -NurpP --minimal linux-2.6.28.3-vs2.3.0.36.5/security/commoncap.c linux-2.6.28.3-vs2.3.0.36.5.1/security/commoncap.c
--- linux-2.6.28.3-vs2.3.0.36.5/security/commoncap.c 2008-12-30 21:36:10.000000000 +0100
+++ linux-2.6.28.3-vs2.3.0.36.5.1/security/commoncap.c 2009-02-05 22:26:00.000000000 +0100
@@ -436,7 +436,7 @@ int cap_inode_setxattr(struct dentry *de
 return 0;
 } else if (!strncmp(name, XATTR_SECURITY_PREFIX,
 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
- !capable(CAP_SYS_ADMIN))
+ !vx_capable(CAP_SYS_ADMIN, VXC_FS_SECURITY))
 return -EPERM;
 return 0;
 }
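Review bot: VXC_FS_SECURITY is added to context.h without a comment, although the commoncap.c hunk shows it gating writes to attributes under XATTR_SECURITY_PREFIX. Whoever grants this bit to a context needs to know what it delegates, so a short comment on the define would help, for example `/* may set security.* xattrs, see cap_inode_setxattr() */`. The value 0x00000004 does not collide with the visible neighbours, but the rest of the VXC_ list lies outside the hunk and should be checked.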
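Review bot: The relaxed test in cap_inode_setxattr() covers only the set path, and nothing in this patch touches the matching remove path. If cap_inode_removexattr() in the same file still tests plain `capable(CAP_SYS_ADMIN)` for XATTR_SECURITY_PREFIX, a context holding VXC_FS_SECURITY can create such an attribute but not delete it; both checks should use `!vx_capable(CAP_SYS_ADMIN, VXC_FS_SECURITY)`. The prefix match also delegates the whole security. namespace, which presumably includes labels that security modules act on, so a comment above the branch should state that this breadth is intended. vx_capable() is defined outside this page and the function body starts before the hunk, so confirm that the macro still requires CAP_SYS_ADMIN in the task's own capability set and does not treat the context flag alone as sufficient.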