After staring a new LXC container, the syslog program (Syslog-ng) began to throw thousands of errors with this kind of message:
Dec 1 10:50:36 srv kernel: SELinux: inode_doinit_use_xattr: getxattr returned 2 for dev=0:43 ino=-6977140995289226736 Dec 1 10:50:36 srv kernel: SELinux: inode_doinit_use_xattr: getxattr returned 2 for dev=0:43 ino=-6551465724643968476 Dec 1 10:50:36 srv kernel: SELinux: inode_doinit_use_xattr: getxattr returned 2 for dev=0:43 ino=-5980833553552494142 Dec 1 10:50:36 srv kernel: SELinux: inode_doinit_use_xattr: getxattr returned 2 for dev=0:43 ino=-8820947409424952637 Dec 1 10:50:36 srv kernel: SELinux: inode_doinit_use_xattr: getxattr returned 2 for dev=0:43 ino=-8270463809263745561 Dec 1 10:50:36 srv kernel: SELinux: inode_doinit_use_xattr: getxattr returned 2 for dev=0:43 ino=-7923279144252216900 Dec 1 10:50:36 srv kernel: SELinux: inode_doinit_use_xattr: getxattr returned 2 for dev=0:43 ino=-6181977668994943343 Dec 1 10:50:36 srv kernel: SELinux: inode_doinit_use_xattr: getxattr returned 2 for dev=0:43 ino=-7585065875445167421 Dec 1 10:50:36 srv kernel: SELinux: inode_doinit_use_xattr: getxattr returned 2 for dev=0:43 ino=-7923279144252216900 Dec 1 10:50:36 srv kernel: SELinux: inode_doinit_use_xattr: getxattr returned 2 for dev=0:43 ino=-5826517164673898101 Dec 1 10:50:36 srv kernel: SELinux: inode_doinit_use_xattr: getxattr returned 2 for dev=0:43 ino=-7585065875445167421 Dec 1 11:01:01 h3 rsyslogd[1147]: imjournal: 3871493 messages lost due to rate-limiting (20000 allowed within 600 seconds)
These messages were logged in thousands. The same time, the NFS statistics showed a strange peak of using getattr. Something was calling getattr thousands times per second. Despite there were no SELinux blocks in audit.log as the dmesg suggested the SELinux might be blamed.
The LXC container is an application container, which has mound bind directory from the host server. The very same directory is an local NFS share (using NFS-Ganesha) of a GlusterFS volume and the PHP files are situated there.
So the LXC container reads the PHP files from this NFS share. There were no issues to access the files and the application LXC worked just fine.
The problem disappeared when the NFS share was remounted with SELinux permissions using the context word:
node3:/VOL1 /mnt/nfs/VOL1 nfs defaults,hard,noexec,nosuid,_netdev,fsc,noatime,context="system_u:object_r:httpd_sys_rw_content_t:s0" 0 0
All the files are of SELinux label httpd_sys_rw_content_t and after restarting the LXC container there were no SELinux lines in the dmesg and the syslog logs. The administrator should configure the right SELinux permissions to the LXC bound directories. More on why SELinux sometimes does not report on blocks in the audit.log here – Selinux permission denied and no log in audit.log.