Before we begin, first we need to understand what kind of access control we're talking about, and then we can easily comprehend how "mandatory access control" (MAC) tries to accomplish our aims. The operating system has the ability to examine the course of an action that an "initiator" wants to perform on a so-called "target." In its simplest form, imagine a process wanting to do something (i.e.; open, write, modify) with a file.

In the case above, the initiator is the process, while the target or the object is the file. The mechanism needs to be globalized and extended to directories, memory segments, and even TCP/UDP ports, not to mention lots of other objects. The same is true of the initiators; they can be not just processes but also threads and so forth. Let's keep things simple.

The operating system is responsible for maintaining the overall security of the system from the software level. It's like a Big Brother, watching everything from the "top" with a global understanding of virtually anything that happens. Each operation ought to be examined and matched with a set of rules and authorizations. These policies in our case can be MAC or DAC-mandatory or discretionary access control.

Please note that in this article, the presence of the MAC abbreviation stands for Mandatory Access Control and has nothing to do with the unique identifier that is given to network devices, commonly known as the "MAC address," which is short for media access control address. This can create confusion, but this is a software article focusing on the access controls of the Linux operating system.

All right now, we're slowly escalating and getting to the point of things. There's still much to be demystified and explained before the big picture comes together. On the next page we will see how MAC approaches "access controls" in comparison with the old-fashioned DAC. Then we'll cover how MAC could be implemented in Linux. Turn the page!