From 88b291ffc4aed550d3136a44580ba5f5d66dd922 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Wed, 14 Jun 2017 11:41:03 +0200
Subject: [PATCH] canonicalisePathMetaData(): Ignore security.selinux attribute

Untested, hopefully fixes #1406.
---
 src/libstore/local-store.cc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index ee36428af..aa985ee53 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -421,10 +421,14 @@ static void canonicalisePathMetaData_(const Path & path, uid_t fromUid, InodesSe
         if ((eaSize = llistxattr(path.c_str(), eaBuf.data(), eaBuf.size())) < 0)
             throw SysError("querying extended attributes of ‘%s’", path);
 
-        for (auto & eaName: tokenizeString<Strings>(std::string(eaBuf.data(), eaSize), std::string("\000", 1)))
+        for (auto & eaName: tokenizeString<Strings>(std::string(eaBuf.data(), eaSize), std::string("\000", 1))) {
+            /* Ignore SELinux security labels since these cannot be
+               removed even by root. */
+            if (eaName == "security.selinux") continue;
             if (lremovexattr(path.c_str(), eaName.c_str()) == -1)
                 throw SysError("removing extended attribute ‘%s’ from ‘%s’", eaName, path);
-    }
+        }
+     }
 #endif
 
     /* Fail if the file is not owned by the build user.  This prevents