Continuing my exploration of MAC systems...

http://schaufler-ca.com/description_from_the_linux_source_tree

SMACK is more like SELinux than AppArmor or Tomoyo; it's based on labels instead of pathnames. Currently it's used by Tizen and some other embedded Linux setups, but apparently not at all on the desktop.

It looks kind of interesting, and might have some advantages over Tomoyo and AppArmor (invulnerability to hard link hacks) and SELinux (less complexity = less opportunity for admin error). Also, it's unique among MAC systems in only requiring kernel support - no user space tools are required, though they do exist and are probably helpful.

Unfortunately, "simple" in this case may only be by comparison to SELinux. The rules look simple enough, but it's clear that their application could get very complicated...

Has anyone here experimented with this framework? Anyone know how to get started with it?

e.g. Say I just wanted to put Firefox in a straitjacket. I assume the procedure could be something like

1. Apply some labels to directories Firefox has to read to and/or write from, e.g. "Firefox_R" and "Firefox_RW"
2. Apply an execution label to Firefox, maybe "Firefox" or such
3. Create rules like

   Firefox Firefox_R r
   Firefox Firefox_RW rw

   etc.

Would that be reasonable, or am I approaching label-based MAC the wrong way here?
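
An added example, not part of the original post: a small Python model of the access check order listed in the Linux kernel's Smack documentation, run against the labels and rules proposed above. The `User` label and the sample checks are constructed for illustration; only the `r`, `w`, `x` and `a` modes are modelled.

```python
# Model of the Smack access decision (order as listed in the kernel's Smack
# documentation), applied to the rules proposed in the post. Constructed example.

def parse_rules(text):
    """Parse 'subject object access' lines into {(subject, object): set(modes)}."""
    rules = {}
    for line in text.strip().splitlines():
        subject, obj, access = line.split()
        rules[(subject, obj)] = set(access.lower()) - {"-"}
    return rules

def smack_allows(rules, subject, obj, request):
    """True if a task labeled `subject` may do every mode in `request` on `obj`."""
    wanted = set(request)
    if subject == "*":                      # 1. star-labeled tasks get nothing
        return False
    if wanted <= {"r", "x"} and (subject == "^" or obj == "_"):
        return True                         # 2/3. hat subject or floor object: read/exec
    if obj == "*":                          # 4. star-labeled objects allow anything
        return True
    if subject == obj:                      # 5. same label allows anything
        return True
    # 6. explicit rule must cover every requested mode; 7. otherwise deny
    return wanted <= rules.get((subject, obj), set())

# The two rules from step 3 of the post.
RULES = parse_rules("""
Firefox Firefox_R  r
Firefox Firefox_RW rw
""")

def report():
    """Evaluate a few constructed (subject, object, mode) requests."""
    checks = [
        ("Firefox", "Firefox_R", "r"),   # covered by the first rule
        ("Firefox", "Firefox_R", "w"),   # rule grants r only
        ("Firefox", "Firefox_RW", "rw"), # covered by the second rule
        ("Firefox", "_", "r"),           # unlabeled (floor) files stay readable
        ("Firefox", "_", "w"),           # but are not writable
        ("Firefox", "User", "r"),        # hypothetical label, no rule: denied
        ("User", "Firefox_RW", "r"),     # rules are one-directional
    ]
    return {c: smack_allows(RULES, *c) for c in checks}

if __name__ == "__main__":
    for (subj, obj, mode), ok in report().items():
        print(f"{subj:8} -> {obj:10} {mode:2} : {'allow' if ok else 'deny'}")
```

The last check shows a consequence of the scheme: a task running under any other label needs its own rule before it can read what Firefox wrote to a `Firefox_RW` directory.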