[Lxc-users] Cannot Set Xattr Security.* Inside an LXC Container
chris.hayes at proporta.com
Thu Aug 8 22:03:58 UTC 2013
On Thu, 08 Aug 2013 22:37:55 +0100, chris.hayes at proporta.com wrote:
> Hi,
>
> I'm unable to set extended attributes in the 'security' namespace
> inside an LXC container. It can set attributes in the 'user'
> namespace
> without any issue. Outside the container (on the host operating
> system) I can set either of these using setfattr or attr without
> issue.
>
> I'm using version 0.8.0 of LXC from the packages in Debian Wheezy. Is
> there any workaround for this, anything that I can do would be very
> greatly appreciated.
OK, I see that the CAP_SYS_ADMIN controls this, and I can comment out
the lxc.cap.drop declaration that disables these capabilities in order
to do what I need to do.
Looking at the list of things that it controls, it doesn't look too
bad; if anything I'm mostly worried that it might accidentally set the
hostname of the parent box rather than ripping a massive hole in my
security. Can anyone provide me with some context/insight into this?
Maybe there's a way to limit it to just the special xattr namespaces?
Cheers,
Chris Hayes
>
> Thanks,
> Chris Hayes
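
Added example (not part of the original message, and not LXC's own code): a Python check of which capability a given xattr name needs and whether a process's effective capability mask, or a container's lxc.cap.drop lines, leave it available. The function names are hypothetical, and the config text and CapEff value are constructed samples.

```python
import re

CAP_SYS_ADMIN = 21  # bit numbers from <linux/capability.h>
CAP_SETFCAP = 31

# Constructed samples, not taken from the original message.
SAMPLE_CONFIG = """\
lxc.utsname = web1
lxc.cap.drop = sys_module mac_admin
lxc.cap.drop = sys_admin
#lxc.cap.drop = sys_time
"""
SAMPLE_STATUS = "Name:\tsetfattr\nCapEff:\t0000000fffdfffff\n"  # bit 21 clear

def dropped_caps(lxc_config):
    """Capability names listed on every active lxc.cap.drop line."""
    caps = set()
    for line in lxc_config.splitlines():
        # Commented-out lines start with '#', so they never match here.
        m = re.match(r"lxc\.cap\.drop\s*=\s*(.*)$", line.strip())
        if m:
            caps.update(m.group(1).lower().split())
    return caps

def effective_caps(proc_status):
    """CapEff bitmask parsed from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", proc_status, re.M)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)

def required_cap(xattr_name):
    """Capability bit the kernel's default check requires, or None."""
    if xattr_name == "security.capability":
        return CAP_SETFCAP
    if xattr_name.startswith(("security.", "trusted.")):
        return CAP_SYS_ADMIN
    return None  # e.g. user.*: ordinary file permissions decide

def can_set(xattr_name, cap_eff):
    """True if the effective mask holds the capability the name requires."""
    need = required_cap(xattr_name)
    return need is None or bool((cap_eff >> need) & 1)

if __name__ == "__main__":
    mask = effective_caps(SAMPLE_STATUS)
    print("dropped:", sorted(dropped_caps(SAMPLE_CONFIG)))
    for name in ("user.note", "security.example", "security.capability"):
        print(name, "->", "allowed" if can_set(name, mask) else "EPERM")
```

To check a live container, pass the contents of /proc/self/status read inside it to effective_caps() in place of SAMPLE_STATUS.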