LXCFS: about extended attributes

lxcfs doesn’t seem to support extended attributes, because setxattr and the other xattr-related functions are NULL in the source code.

Is there a plan to support it?

Is there a proc file where supporting xattrs makes sense?

Usually, it doesn’t matter.

I’ve been trying to use SELinux policy in the container.
Because policy makes each proc file have its own selinux context, supporting xattr is necessary.

Hmm, you can try modifying the LXCFS code to see if you can make it work, but I’d be quite surprised if FUSE was allowed to do anything meaningful with SELinux xattrs.

If it could, it would be a relatively easy way to work around SELinux policies, as any user can run a FUSE filesystem, which would then allow them to expose any file/directory they want with any label they want.


Yes, you are right.
Usually, SELinux uses genfscon to handle filesystems that don’t support xattrs.
It’s one option, but in order to do that, I need to change some neverallow rules.
Because FUSE could be used for removable storage, there are some neverallow rules in order to prevent killing a process when an unsafe ejection happens.

I just wondered whether you have a plan to support it. ^^
I’m looking for solutions for myself.
Thanks for the kind response.