Mark, as you've quoted, this was my reply, via the mailing list, to Konstantin
(for whom I have great respect).
"With the passage of 15 years
other applications have come to use "system" namespace extended
attributes, as though they were in the host system. Unfortunately, if
you have one physical box available to act as both an authentication
server (quasi Active Directory) and a fileserver, then using a jailed
environment is the only solution.

By design? I suppose it's akin to saying, why would you want to use
sysvipc from within a jail, with its global namespace (since FreeBSD
v5.0); or perhaps the use of raw sockets (FreeBSD v6.0); or mount within
a jail (FreeBSD v9.0); or...?

Probably because sophisticated use of jails is one of the many
outstanding features that sets FreeBSD apart from restrictive and
antiquated environments. Not all features of a base system should be
reflected in a jail; that would be silly. But where upstream
applications use features, then the enhancement of a jail's
configuration, by way of at least an option, makes sense."
Interestingly, the absence of the SYSTEM namespace within a jailed environment also
prohibits use of MAC BIBA|MLS|LOMAC.
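An added example, not from the mailing-list post above, that an administrator can run to check the point it makes before relying on MAC labels: it tries to write a "system" namespace extended attribute on a scratch file, reports whether the kernel accepted it, refused it (the expected result inside a jail, where BIBA/MLS/LOMAC labels cannot be set either), or whether the tooling is absent, and notes whether the caller is jailed. It assumes FreeBSD's setextattr(8)/rmextattr(8) and the security.jail.jailed sysctl; the attribute name used for the probe is a constructed placeholder.

```shell
#!/bin/sh
# Probe whether the "system" extended-attribute namespace is writable here.
# Added example (not from the original post). Assumes FreeBSD setextattr(8),
# rmextattr(8) and the security.jail.jailed sysctl; elsewhere it reports
# "unsupported" instead of failing.

# Map setextattr's exit status and stderr text to a single word:
#   ok          - attribute written, so system-namespace EAs (and the MAC
#                 labels stored in them) are usable on this filesystem
#   denied      - the kernel refused; this is the normal outcome in a jail
#   unsupported - the tool is missing or the filesystem has no EA support
classify_ea_result() {
    status=$1
    err=$2
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -eq 127 ]; then
        echo unsupported            # command not found
    else
        case "$err" in
            *"not permitted"*)                       echo denied ;;
            *"not supported"*|*"Invalid argument"*)  echo unsupported ;;
            *)                                       echo denied ;;
        esac
    fi
}

# Print 1 when running inside a jail, 0 on a FreeBSD host, and an empty
# string where the sysctl does not exist (non-FreeBSD systems).
jailed_state() {
    sysctl -n security.jail.jailed 2>/dev/null || echo ""
}

# Create a scratch file under directory $1, try to set and remove a
# system-namespace attribute on it, and print the classification.
probe_system_ea() {
    dir=${1:-.}
    attr=probe.jail.check            # constructed placeholder name
    target=$(mktemp "$dir/ea-probe.XXXXXX") || { echo unsupported; return; }
    status=0
    err=$( { setextattr system "$attr" 1 "$target" >/dev/null; } 2>&1 ) || status=$?
    result=$(classify_ea_result "$status" "$err")
    [ "$result" = ok ] && rmextattr system "$attr" "$target" 2>/dev/null
    rm -f "$target"
    echo "$result"
}

# Human-readable summary for an administrator deciding where MAC labels
# can be applied.
report() {
    r=$(probe_system_ea "$1")
    j=$(jailed_state)
    case "$j" in
        1) where="inside a jail" ;;
        0) where="on the host" ;;
        *) where="on a system without jail sysctls" ;;
    esac
    echo "system-namespace EA probe in $1 ($where): $r"
    if [ "$r" = denied ]; then
        echo "MAC BIBA/MLS/LOMAC labels cannot be stored here."
    fi
}

report "${1:-.}"
```

Run it as root on the host and again inside the jail; the two results differ exactly when the jail blocks the system namespace, which is the condition the post describes.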