canonicalisePathMetaData(): Ignore security.selinux attribute

Untested, hopefully fixes #1406.
NixOS · Jun 14, 2017 · 88b291f · 88b291f
1 parent 177f399
commit 88b291f
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
@@ -421,10 +421,14 @@ static void canonicalisePathMetaData_(const Path & path, uid_t fromUid, InodesSe
         if ((eaSize = llistxattr(path.c_str(), eaBuf.data(), eaBuf.size())) < 0)
             throw SysError("querying extended attributes of ‘%s’", path);
 
-        for (auto & eaName: tokenizeString<Strings>(std::string(eaBuf.data(), eaSize), std::string("\000", 1)))
+        for (auto & eaName: tokenizeString<Strings>(std::string(eaBuf.data(), eaSize), std::string("\000", 1))) {
+            /* Ignore SELinux security labels since these cannot be
+               removed even by root. */
+            if (eaName == "security.selinux") continue;
             if (lremovexattr(path.c_str(), eaName.c_str()) == -1)
                 throw SysError("removing extended attribute ‘%s’ from ‘%s’", eaName, path);
-    }
+        }
+     }
 #endif
 
     /* Fail if the file is not owned by the build user.  This prevents