Mandatory Access Control (MAC) is a type of access control that imposes a predefined set of security rules, or labels, to control which users or systems can access specific resources. These rules are set by an administrator and enforced by the system, restricting the individual ability for resource owners to grant or deny access to file objects. This model is in direct contrast to one like Discretionary Access Control, which allows each user to control access to their own data.
MAC is primarily used in secure environments like government agencies, where clearance levels dictate access to resources, or hospitals where sharing of patient data should be limited. For example, in a government setting you may have clearance levels of unclassified, restricted, confidential, secret, and top secret. A classification label can be assigned to all file objects so when a user tries to access a resource, the system will check that resource’s security label against the security label of the user to determine if access can be granted or not.
Mandatory Access Control is hierarchical. The access your team has to data will range according to the rules or labels enforced. Users who have access to higher-level data will inherit access also to that of lower-level data.
One of the big advantages of MAC is its security. Access cannot be altered by any user but only a centralized system administration, resulting in defined, confidential, and well-protected data. In addition, MAC can help an organization enforce compliance with various regulatory requirements.
There are also disadvantages with Mandatory Access Control with the biggest being difficulty in implementing and managing it. Administrators will constantly face the need to update object labels as new data comes in as well as the maintenance of new and existing users. Inflexibility is another disadvantage as the access of users is rigidly locked in, not allowing for timely edge cases or access changes that aren’t at the whim of the administrator’s schedule.
Because of these disadvantages, MAC is often combined with another model like Role-Based Access Control, which offers more flexibility and efficiency with user profiles, or with Discretionary Access Control (DAC) to separate sensitive data from an unrestricted corporate file system.
MAC (Mandatory Access Control) in Linux is implemented through the use of security modules such as SELinux and AppArmor. These security modules provide a framework for defining and enforcing security policies on the system, determining which users and processes have access to specific resources and at what level of access. The policies themselves can be defined using a variety of different formats, such as the Security-Enhanced Linux policy language used by SELinux, or custom scripts and programs. To enable MAC in Linux, the appropriate security module must be loaded and configured, and the system must be configured to enforce the policies defined by the module.