Smack – kernel based Mandatory Access Control

The Simplified Mandatory Access Control Kernel (Smack) provides a Linux kernel based Mandatory Access Control (MAC) mechanism for protecting processes and data from inappropriate manipulation. Smack is designed to be as simple as possible while retaining the flexibility required to meet modern system security needs.

Smack combines process, file, and network labels with an easy-to-understand, easy-to-manipulate way of identifying the kinds of access that should be allowed.

Smack is included in the mainline kernel. It works best with file systems that support extended attributes.

Features include:

  • Kernel based scheme that requires an absolute minimum of application support and a very small amount of configuration data.
  • Provides mandatory access controls based on the label attached to a task.
  • Datastate access control system – uses a combination of Linux kernel based access control and event driven file scanning to implement file content based access control.
  • Uses extended attributes and provides a set of general mount options, borrowing techniques used elsewhere.
  • Provides a pseudo-filesystem smackfs.
  • Easy administration.

Website: schaufler-ca.com
Support: Secure Linux containers cookbook
Developer: Casey Schaufler
License: GNU GPL v2
