Mandatory Access Control
Traditional UNIX-based systems restrict which resources different users can access by labeling resources so that only a given user or group can access them. These controls are discretionary because a given user may be able to pass a permission (directly or indirectly) to another user. An example would be creating a file and then marking its permissions as readable by other users. Such a control scheme is referred to as Discretionary Access Control (DAC).
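The scenario from the paragraph above, as an added shell example that is not part of the original page: the owner creates a private file, widens access to other users on their own authority, and a small audit function then lists the files where that has happened. The file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: under DAC the owner of a file decides who else may read it.
# All names below (notes.txt, private.txt, the functions) are constructed.

# Exit 0 when PATH is a regular file with the "other users may read" bit set.
has_other_read() {
    [ -n "$(find "$1" -prune -type f -perm -004 2>/dev/null)" ]
}

# Audit: list regular files under DIR whose mode grants read to "other".
# Paths are printed relative to DIR so the output is stable.
world_readable_files() {
    (cd "$1" && find . -type f -perm -004 2>/dev/null | sort)
}

# Report the state of one file as a short word.
state_of() {
    if has_other_read "$1"; then echo "other-read"; else echo "private"; fi
}

# Walk through the scenario and print the state at each step.
dac_demo() {
    dir=$(mktemp -d) || return 1
    (
        umask 077    # new files start as rw------- (owner only)
        printf 'constructed sample\n' > "$dir/notes.txt"
        printf 'constructed sample\n' > "$dir/private.txt"
    )
    echo "before: $(state_of "$dir/notes.txt")"

    # The discretionary step: the owner alone passes read permission on.
    # No administrator or system policy is consulted.
    chmod o+r "$dir/notes.txt"
    echo "after: $(state_of "$dir/notes.txt")"

    # Only the file the owner chose to share shows up in the audit.
    echo "audit: $(world_readable_files "$dir")"
    rm -rf "$dir"
}

dac_demo
```

The audit checks the mode bits of each file only; whether another user can actually reach a file also depends on the permissions of the directories above it.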
An alternative to DAC is Mandatory Access Control (MAC). A MAC system can further constrain what a system can do, and is based...