Index: pym/portage.py
===================================================================
--- pym/portage.py (revision 8853)
+++ pym/portage.py (revision 8854)
@@ -4402,7 +4402,10 @@
 if os.WIFEXITED(retval) and \
 os.WEXITSTATUS(retval) == os.EX_OK and \
 env_stat and env_stat.st_size > 0:
- pass
+ # This is a signal to ebuild.sh, so that it knows to filter
+ # out things like SANDBOX_{DENY,PREDICT,READ,WRITE} that
+ # would be preserved between normal phases.
+ open(env_file + ".raw", "w")
 else:
 writemsg(("!!! Error extracting saved " + \
 "environment: '%s'\n") % \
Index: bin/ebuild.sh
===================================================================
--- bin/ebuild.sh (revision 8853)
+++ bin/ebuild.sh (revision 8854)
@@ -1433,12 +1433,16 @@
 # interfering with the current environment. This is useful when an existing
 # environment needs to be loaded from a binary or installed package.
 preprocess_ebuild_env() {
- filter_readonly_variables --filter-sandbox < "${T}"/environment \
+ local filter_opts=""
+ if [ -f "${T}/environment.raw" ] ; then
+ # This is a signal from the python side, indicating that the
+ # environment may contain stale SANDBOX_{DENY,PREDICT,READ,WRITE}
+ # variables that should be filtered out. Between phases, these
+ # variables are normally preserved.
+ filter_opts="--filter-sandbox ${filter_opts}"
+ fi
+ filter_readonly_variables ${filter_opts} < "${T}"/environment \
 > "${T}"/environment.filtered
- if [ $? -ne 0 ] ; then
- rm -f "${T}/environment.filtered"
- return 1
- fi
 mv "${T}"/environment.filtered "${T}"/environment || return $?
 rm -f "${T}/environment.success" || return $?
 # WARNING: Code inside this subshell should avoid making assumptions
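Review bot: The file object returned by `open(env_file + ".raw", "w")` is never closed, so the descriptor stays open until the garbage collector reclaims it, and an error while creating the marker propagates out of this branch unhandled. `open(env_file + ".raw", "w").close()` creates the same empty marker and releases the handle at once. Mode "w" also follows an existing symlink and truncates its target, so it is worth confirming that the directory holding env_file cannot be written by a less-privileged build user while this code runs with more privilege; the directory's ownership is not visible in the hunk. The enclosing function begins and ends outside the hunk.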
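Review bot: The exit status of `filter_readonly_variables ${filter_opts}` is no longer checked, because the `if [ $? -ne 0 ]` block after the redirect was removed, so the output of a failed or partial filter run is moved over `"${T}"/environment` by the following `mv`. Ending the redirect line with `> "${T}"/environment.filtered || { rm -f "${T}"/environment.{filtered,raw} ; return 1 ; }` would keep the previous fail-closed behaviour. The new default is also worth a comment: when `environment.raw` is absent, the SANDBOX_* variables are kept, so a marker that is missing for any reason silently turns the sandbox filtering off. The body of preprocess_ebuild_env continues past the end of the hunk.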
@@ -1460,13 +1464,13 @@
 touch "${T}/environment.success" || exit $?
 ) | filter_readonly_variables > "${T}/environment.filtered"
 if [ -e "${T}/environment.success" ] ; then
- rm "${T}/environment.success"
 mv "${T}/environment.filtered" "${T}/environment"
- return $?
+ retval=$?
 else
- rm -f "${T}/environment.filtered"
+ retval=1
 fi
- return 1
+ rm -f "${T}"/environment.{filtered,raw,success}
+ return ${retval}
 }
 # === === === === === === === === === === === === === === === === === ===
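Review bot: The cleanup `rm -f "${T}"/environment.{filtered,raw,success}` runs only on this final path, so the earlier `mv ... || return $?` and `rm -f ... || return $?` exits in the same function leave `environment.raw` behind. A stale marker would presumably make a later call apply `--filter-sandbox` between normal phases, which the marker is meant to avoid; routing those early exits through the same cleanup would fix that. `retval` is also assigned without `local`, so unless it is declared in lines outside the hunk it leaks into the global ebuild environment; `local filter_opts="" retval` at the top of the function would contain it. The function starts outside this hunk.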