SMACK (Simplified Mandatory Access Control Kernel) allows to define simple rules to limit a user or a process rights.


The actual user context is defined in the following file :



A rule is defined as follows :

System  User  rwxat
  • System is the subject’s label
  • User is the object’s label
  • rwx are the access read, write, execute, append and transmute

ℹ️ The processes System can read, write and execute User objects.

Possible access

  • r = read
  • w = write
  • x = execute
  • t = transmute (If a file is created in a directory with transmute access, it will inherit of the label of parent)
  • a = append (add)
  • l = lock (use for locking a file ==> Read-Only)
  • b = bring-up (equivalent of permissive mode)

Without any capability, you can only reduce accesses. If you want to change a rule you need CAP_MAC_ADMIN capability.

You have two ways to change rules :

1) Runtime

smackload subject object rwt

Changes are lost on restart.

2) Persistant

Create a file in /etc/smack/accesses.d/ with rules :

# vim /etc/smack/accesses.d/demo-app.smack
subject object rwt

Changes are applied on restart.

Default smack access rules

* 🛑 Access ✔️ Access
^ ✔️ Read or execute access  
_   ✔️ Read or execute access

✔️ If subject and object have the same label

🛑 All other rules not explicitly defined