nAllow: means that the
designated capability can be used by the client accounts
nDon’t care:
means that if a policy applies to a parent container, it also applies
to the child containers
nDeny: means that the capability cannot be
used by the client accounts