From 88b291ffc4aed550d3136a44580ba5f5d66dd922 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 14 Jun 2017 11:41:03 +0200 Subject: [PATCH] canonicalisePathMetaData(): Ignore security.selinux attribute Untested, hopefully fixes #1406. --- src/libstore/local-store.cc | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index ee36428af..aa985ee53 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -421,10 +421,14 @@ static void canonicalisePathMetaData_(const Path & path, uid_t fromUid, InodesSe if ((eaSize = llistxattr(path.c_str(), eaBuf.data(), eaBuf.size())) < 0) throw SysError("querying extended attributes of ‘%s’", path); - for (auto & eaName: tokenizeString(std::string(eaBuf.data(), eaSize), std::string("\000", 1))) + for (auto & eaName: tokenizeString(std::string(eaBuf.data(), eaSize), std::string("\000", 1))) { + /* Ignore SELinux security labels since these cannot be + removed even by root. */ + if (eaName == "security.selinux") continue; if (lremovexattr(path.c_str(), eaName.c_str()) == -1) throw SysError("removing extended attribute ‘%s’ from ‘%s’", eaName, path); - } + } + } #endif /* Fail if the file is not owned by the build user. This prevents