Documentation/admin-guide/LSM/Smack.rst

Source file repositories/reference/linux-study-clean/Documentation/admin-guide/LSM/Smack.rst

File Facts

System
Linux kernel
Corpus path
Documentation/admin-guide/LSM/Smack.rst
Extension
.rst
Size
33526 bytes
Lines
872
Domain
Support Tooling And Documentation
Bucket
Documentation
Inferred role
Support Tooling And Documentation: documentation
Status
atlas-only

Why This File Exists

Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.

Dependency Surface

Detected Declarations

Annotated Snippet

=====
Smack
=====


    "Good for you, you've decided to clean the elevator!"
    - The Elevator, from Dark Star

Smack is the Simplified Mandatory Access Control Kernel.
Smack is a kernel based implementation of mandatory access
control that includes simplicity in its primary design goals.

Smack is not the only Mandatory Access Control scheme
available for Linux. Those new to Mandatory Access Control
are encouraged to compare Smack with the other mechanisms
available to determine which is best suited to the problem
at hand.

Smack consists of three major components:

    - The kernel
    - Basic utilities, which are helpful but not required
    - Configuration data

The kernel component of Smack is implemented as a Linux
Security Modules (LSM) module. It requires netlabel and
works best with file systems that support extended attributes,
although xattr support is not strictly required.
It is safe to run a Smack kernel under a "vanilla" distribution.

Smack kernels use the CIPSO IP option. Some network
configurations are intolerant of IP options and can impede
access to systems that use them as Smack does.

Smack is used in the Tizen operating system. Please
go to http://wiki.tizen.org for information about how
Smack is used in Tizen.

The current git repository for Smack user space is:

	git://github.com/smack-team/smack.git

This should make and install on most modern distributions.
There are five commands included in smackutil:

chsmack:
	display or set Smack extended attribute values

smackctl:
	load the Smack access rules

smackaccess:
	report if a process with one label has access
	to an object with another

These two commands are obsolete with the introduction of
the smackfs/load2 and smackfs/cipso2 interfaces.

smackload:
	properly formats data for writing to smackfs/load

smackcipso:
	properly formats data for writing to smackfs/cipso

In keeping with the intent of Smack, configuration data is
minimal and not strictly required. The most important
configuration step is mounting the smackfs pseudo filesystem.
If smackutil is installed the startup script will take care
of this, but it can be manually as well.

Annotation

Implementation Notes