As we saw in the previous chapters, Discretionary Access Control allows users to control who can access their own files and directories. But, what if your company needs to have more administrative control over who accesses what? For this, we need some sort of Mandatory Access Control or MAC.
The best way I know to explain the difference between DAC and MAC is to hearken back to my Navy days. I was riding submarines at the time, and I had to have a Top Secret clearance to do my job. With DAC, I had the physical ability to take one of my Top Secret books to the mess decks, and hand it to a cook who didn't have that level of clearance. With MAC, there were rules that prevented me from doing so. On operating systems, things work pretty much the same way.
There are several different MAC systems that are...