In computer security, Mandatory Access Control - MAC refers to a type of access control where the operating system controls the ability of a subject to access an object. A subject is usually a process or thread. Objects are typically directories, files, shared memory segments, TCP/UDP ports, or other processes. Subjects and objects each have security attributes. When a subject attempts to access an object, an authorization rule enforced by the kernel examines the security attributes and decides whether access is granted. Any operation by any subject on any object will be checked against the authorization rules to determine if the operation is allowed.
Traditional MAC mechanisms have been designed to mainly prevent information leaks, and confined to a multi-level security (MLS) policy which bases its decisions on the classification of objects and the clearances of subjects.
This traditional approach is too limiting to address many security requirements in a modern computing world. MLS provides poor support for data and application integrity, separation of duty, and least privilege requirements. It fails to tightly control the relationship between a subject and the code it executes. This limits the ability of the system to offer protection based on the function and trustworthiness of the code, to correctly manage permissions required for execution, and to minimize the likelihood of malicious code execution.