Vol. 1 · Ed. 2026
CyberGlossary
Entry № 729

Mandatory Access Control (MAC)

Reviewed by Cybersecurity entrepreneur & security researcher

What is Mandatory Access Control (MAC)?

Mandatory Access Control (MAC): An access-control model in which a central policy — not the resource owner — enforces access decisions based on classifications and clearances assigned to subjects and objects.


Mandatory Access Control is a non-discretionary model in which the operating system or kernel enforces a system-wide policy that users cannot override. Every subject (process) and object (file, network port) is tagged with a security label, such as a classification level (Top Secret, Secret, Confidential) or a category, and access is allowed only when the labels satisfy the policy (for example, Bell-LaPadula's "no read up, no write down"). MAC is mandatory because even a file's owner cannot relax its permissions. It is implemented in SELinux, AppArmor, Smack, and FreeBSD MAC, and was originally developed for military and high-assurance environments. The cost is rigidity, complex labelling, and a steep operational learning curve.

Examples

  1. SELinux blocking a web server process from reading /etc/shadow even when running as root.

  2. A classified system preventing a Secret user from writing to an Unclassified directory.
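The label check behind "no read up, no write down", as an added example that is not part of the original entry or any product's code. It is a minimal Bell-LaPadula reference monitor; the Unclassified level is taken from the second example above, and the category names (PROJ_A, PROJ_B), subjects, and paths are constructed for illustration.

```python
from dataclasses import dataclass

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # hypothetical compartments

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high and covers every category of `other`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

@dataclass(frozen=True)
class Subject:
    name: str
    label: Label
    uid: int = 1000  # carried only to show that the policy ignores it

@dataclass(frozen=True)
class Obj:
    path: str
    label: Label
    owner_uid: int = 1000  # ownership is likewise never consulted

def check(subject: Subject, obj: Obj, op: str) -> bool:
    """Decide access from labels alone: no owner override, no uid 0 bypass."""
    if op == "read":   # simple security property: no read up
        return subject.label.dominates(obj.label)
    if op == "write":  # *-property: no write down
        return obj.label.dominates(subject.label)
    raise ValueError(f"unknown operation: {op}")

# Constructed sample subjects and objects
analyst = Subject("analyst", Label("Secret", frozenset({"PROJ_A"})))
root_proc = Subject("daemon", Label("Confidential"), uid=0)
public_dir = Obj("/pub", Label("Unclassified"), owner_uid=1000)
ts_report = Obj("/ts/report", Label("Top Secret", frozenset({"PROJ_A"})))
secret_b = Obj("/s/other", Label("Secret", frozenset({"PROJ_B"})))

def demo():
    cases = [(analyst, public_dir, "read"), (analyst, public_dir, "write"),
             (analyst, ts_report, "read"), (analyst, ts_report, "write"),
             (analyst, secret_b, "read"), (root_proc, secret_b, "read")]
    return [(s.name, op, o.path, check(s, o, op)) for s, o, op in cases]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The Secret analyst is denied the write to `/pub` even though the object's `owner_uid` matches the analyst's uid, and the uid 0 process is denied by label alone, which is what separates a mandatory policy from owner-controlled permissions.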

Frequently asked questions

What is Mandatory Access Control (MAC)?

An access-control model in which a central policy — not the resource owner — enforces access decisions based on classifications and clearances assigned to subjects and objects. It belongs to the Identity & Access category of cybersecurity.

How do you defend against Mandatory Access Control (MAC)?

Defences for Mandatory Access Control (MAC) typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Mandatory Access Control (MAC)?

Common alternative names include: MAC, Non-discretionary access control.
