canonicalisePathMetaData(): Ignore security.selinux attribute

Untested, hopefully fixes #1406.
author: Eelco Dolstra <edolstra@gmail.com> 2017-06-14T09·41+0200
committer: Eelco Dolstra <edolstra@gmail.com> 2017-06-14T09·41+0200
commit: 88b291ffc4aed550d3136a44580ba5f5d66dd922 (patch)
tree: 987f8d04786510b36571db5c5f7182bdf9cfe3ff /src/libstore/local-store.cc
parent: 177f3996e28967368791ba0e4ec036f3dbbb88d0 (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index ee36428af035..aa985ee53d97 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -421,10 +421,14 @@ static void canonicalisePathMetaData_(const Path & path, uid_t fromUid, InodesSe
         if ((eaSize = llistxattr(path.c_str(), eaBuf.data(), eaBuf.size())) < 0)
             throw SysError("querying extended attributes of ‘%s’", path);
 
-        for (auto & eaName: tokenizeString<Strings>(std::string(eaBuf.data(), eaSize), std::string("\000", 1)))
+        for (auto & eaName: tokenizeString<Strings>(std::string(eaBuf.data(), eaSize), std::string("\000", 1))) {
+            /* Ignore SELinux security labels since these cannot be
+               removed even by root. */
+            if (eaName == "security.selinux") continue;
             if (lremovexattr(path.c_str(), eaName.c_str()) == -1)
                 throw SysError("removing extended attribute ‘%s’ from ‘%s’", eaName, path);
-    }
+        }
+     }
 #endif
 
     /* Fail if the file is not owned by the build user.  This prevents
author	Eelco Dolstra <edolstra@gmail.com>	2017-06-14T09·41+0200
committer	Eelco Dolstra <edolstra@gmail.com>	2017-06-14T09·41+0200
commit	88b291ffc4aed550d3136a44580ba5f5d66dd922 (patch)
tree	987f8d04786510b36571db5c5f7182bdf9cfe3ff /src/libstore/local-store.cc
parent	177f3996e28967368791ba0e4ec036f3dbbb88d0 (diff)