From: Ondrej Kozina Date: Tue, 2 Aug 2016 13:11:10 +0000 (+0200) Subject: add selinux readme file X-Git-Tag: v0.4.0~29^2 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=22bb57bc3ab033fda6cfda2fab4dcb06d0d8f48f;p=thirdparty%2Fsnapper.git add selinux readme file
---
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 73d2d766..f4e6b411 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -29,6 +29,10 @@ html: $(man_MANS:%.5=%.html) $(man_MANS:%.8=%.html)
 EXTRA_DIST = dbus-protocol.txt manpages.xsl html.xsl
+if ENABLE_SELINUX
+EXTRA_DIST += selinux-readme.txt
+endif
+
 clean-local: rm -f *.{5,8} *.html
diff --git a/doc/selinux-readme.txt b/doc/selinux-readme.txt
new file mode 100644
index 00000000..c0594d99
--- /dev/null
+++ b/doc/selinux-readme.txt
@@ -0,0 +1,24 @@
+Any distribution interested in enabling selinux support in snapper should be aware
+of following requirements to be able to run snapper in confined environment
+properly.
+
+The snapper with enabled selinux support requires following symbol provided by
+distributed libselinux package: selinux_snapperd_contexts_path. The symbol is
+available in libselinux upstream [1] since commit "b2c1b0baaf52" which should
+land in libselinux version 2.6 and higher.
+
+Also distribution is expected to install a file located on a path acquired via the
+call above. Usually the file is packaged together with selinux-policy. Currently
+the minimal required file content is as follows:
+
+snapperd_data = system_u:object_r:snapperd_data_t:s0
+
+Content description:
+
+a) the selinux context referenced by key 'snapperd_data' is used to label all
+snapper metadata stored in (including) /mnt/dir/.snapshots subvolume or directory.
+
+Keep this file up to date whenever requirements on a selinux enabled snapper gets
+changed!
+
+[1] https://github.com/SELinuxProject/selinux
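Review bot: In the doc/Makefile.am hunk the new `EXTRA_DIST += selinux-readme.txt` sits inside `if ENABLE_SELINUX`, so, assuming that is a configure-time Automake conditional (its definition is not on this page), a `make dist` run from a tree configured without SELinux support would produce a tarball that lacks the readme. The file is addressed to distributions deciding whether to enable SELinux support and tells them which libselinux symbol and contexts file a confined snapperd needs, so it matters most to packagers who have not enabled the option yet. I would drop the conditional and list the file unconditionally, `EXTRA_DIST = dbus-protocol.txt manpages.xsl html.xsl selinux-readme.txt`, so the tarball contents do not depend on configure options.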