Comment # 7 on bug 1089349 from Fabian Vogt

(In reply to Goldwyn Rodrigues from comment #6)
> (In reply to Fabian Vogt from comment #5)
> > (In reply to Goldwyn Rodrigues from comment #4)
> > > On second thoughts, this is a security risk.
> > 
> > The handling for security_inode_copy_up_xattr is the same.
> 
> Not quite. The security_inode_copy_up_xattr copies the labels which are used
> by selinux to impose security restrictions. It just skips selinux (the only
> user) specific xattr. 

I'd say that the general idea is the same.

[...]
> > I don't think there's a better way to handle this, but I'd like to be proven
> > otherwise.
> 
> There is already a discussion on this.
> https://www.spinics.net/lists/linux-nfs/msg61045.html

Indeed - I wonder why I did not find that.

> Workaround is to use the exported FS without ACL.

I don't think that is possible, neither on the server nor on the client side.