Mandatory Access Control

Anything that restricts a program or an object besides the ownersip relation establishes a form of mandatory acccess control. Restricting a program with respect to the resources or the services it can use (i.e. creating a sandbox) is one form of MAC. Restricting a user from reading or writing a resource based on a classification of the resource as "confidential" is another form of MAC. This time caused by "labelling" the resource and the user and comparing the labels at time of access.

MAC that controls the user/owner - resource relation is sometimes called multi-level security. MAC that controls the program - resource relation is called sandboxing (or domain type enforcement). A typical sign of additional MAC controls is that the user/owner - program relation suddenly becomes less critical (the relation is typically controlled through roles - RBAC). This becomes evident in the SE-Linux implementation which uses few roles for almost all processing.