diff --git a/config-linux.md b/config-linux.md index ced5f5c53..1dd3b9d93 100644 --- a/config-linux.md +++ b/config-linux.md @@ -39,7 +39,6 @@ The following parameters can be specified to setup namespaces: If a path is specified, that particular file is used to join that type of namespace. If a namespace type is not specified in the `namespaces` array, the container MUST inherit the [runtime namespace](glossary.md#runtime-namespace) of that type. -If a new namespace is not created (because the namespace type is not listed, or because it is listed with a `path`), runtimes MUST assume that the setup for that namespace has already been done and error out if the config specifies anything else related to that namespace. ###### Example diff --git a/config.md b/config.md index 8d2d746d3..8c55ce61b 100644 --- a/config.md +++ b/config.md 
@@ -8,6 +8,22 @@ This includes the process to run, environment variables to inject, sandboxing fe Below is a detailed description of each field defined in the configuration format. +## Ownership + +This specification treats system attributes as belonging to a particular container. +It does not support one container adjusting attributes that belong to another container. +Runtimes MUST generate an error if the configuration sets an attribute that belongs to another container. + +For example, the following are valid: + +* A Linux configuration that creates a new [UTS namespace](config-linux.md#namespaces) and sets [`hostname`](#hostname). +* A Linux configuration that sets [network limits][config-linux.md#network] with a new [control group][config-linux.md#control-groups], regardless of whether it creates a new [network namespace](config-linux.md#namespaces). + +While the following are invalid: + +* A Linux configuration that sets [`hostname`](#hostname) but does not create a new [UTS namespace](config-linux.md#namespaces). +* A Linux configuration that sets [network limits][config-linux.md#network] with an existing [control group][config-linux.md#control-groups]. + ## Specification version * **`ociVersion`** (string, required) MUST be in [SemVer v2.0.0](http://semver.org/spec/v2.0.0.html) format and specifies the version of the Open Container Runtime Specification with which the bundle complies.
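Review bot: In the config-linux.md hunk, removing the sentence "If a new namespace is not created (because the namespace type is not listed, or because it is listed with a `path`), runtimes MUST assume ..." leaves the namespaces section with no statement about configs that touch an inherited or joined namespace, and no pointer to where that rule now lives. Suggest replacing the removed line with a one-sentence cross-reference to the new Ownership section in config.md. The old sentence also named both cases explicitly (type not listed, or listed with a `path`), while the new examples only say "does not create a new UTS namespace" and never mention `path`, so it would help to carry the `path` case over as an explicit invalid example.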
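Review bot: In the config.md hunk, the four links written as `[network limits][config-linux.md#network]` and `[control group][config-linux.md#control-groups]` in the valid and invalid lists use reference-style brackets, so they resolve only if matching reference definitions exist, and none are added here. The neighbouring links in the same bullets use the inline form `(config-linux.md#namespaces)`, so these should use parentheses as well. Separately, the requirement "Runtimes MUST generate an error if the configuration sets an attribute that belongs to another container" depends on "belongs to", which the section defines only through examples. A sentence saying how ownership is decided would make the MUST testable, especially for the "existing control group" case, where the text does not say how a runtime is expected to tell an existing control group from one it is about to create.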