From 35ea3d62dcea71f7e65553d8f6441e708552d675 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Wed, 14 Jun 2017 11:41:03 +0200
Subject: [PATCH] canonicalisePathMetaData(): Ignore security.selinux attribute

Untested, hopefully fixes #1406.

(cherry picked from commit 88b291ffc4aed550d3136a44580ba5f5d66dd922)
---
 src/libstore/local-store.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index f003685c2..6888575f7 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -592,9 +592,13 @@ static void canonicalisePathMetaData_(const Path & path, uid_t fromUid, InodesSe
         if ((eaSize = llistxattr(path.c_str(), eaBuf.data(), eaBuf.size())) < 0)
             throw SysError(format("querying extended attributes of ‘%s’") % path);
 
-        for (auto & eaName: tokenizeString<Strings>(std::string(eaBuf.data(), eaSize), std::string("\000", 1)))
+        for (auto & eaName: tokenizeString<Strings>(std::string(eaBuf.data(), eaSize), std::string("\000", 1))) {
+            /* Ignore SELinux security labels since these cannot be
+               removed even by root. */
+            if (eaName == "security.selinux") continue;
             if (lremovexattr(path.c_str(), eaName.c_str()) == -1)
                 throw SysError(format("removing extended attribute ‘%s’ from ‘%s’") % eaName % path);
+        }
     }
 #endif