Frequently Asked Question
What is the difference between discretionary and mandatory access control?
Traditional Unix permissions are discretionary: the owner of a file decides who else
can read or write it, and a process running as a user can do anything that user can
do. If /home/alice/secrets.txt is mode 600, that is because Alice (or her shell)
chose to make it so; she can also chmod 644 and broadcast it to the world. Programs
she runs inherit her authority: a buggy editor running as Alice can open every file
Alice can open.
Mandatory access control inverts the policy authority. The system administrator
defines rules in a central policy that the kernel enforces regardless of what the file
owner wants. A MAC policy can say "the nginx process may read files labelled
httpd_sys_content_t and write files labelled httpd_log_t, and nothing else",
and the kernel will refuse any attempt to step outside that, even if nginx happens to
be running as root. SELinux, AppArmor, and SMACK are the three main MAC frameworks in
mainline Linux.
DAC and MAC are layered, not alternatives. Every access first passes the classic owner/group/world check, and only if that allows it does the MAC layer get to weigh in. The defender's view is that DAC is necessary but not sufficient: a compromised process running as its expected user will sail past DAC checks, and MAC is what keeps the damage contained.
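The following is an added, constructed model of the layered decision described above; it is not kernel, SELinux or AppArmor code. It checks the classic owner/group/world mode bits first and only then consults a label-based, default-deny policy, so it reproduces the page's two points: Alice's chmod changes what DAC allows, while an nginx process in the hypothetical `httpd_t` domain is refused outside its two labels even when it runs as root. The labels `httpd_sys_content_t` and `httpd_log_t` come from the text; `user_home_t`, `unconfined_t`, the `"*"` wildcard and all uids, modes and file names are assumptions made for the example.

```python
# Toy model of Linux's layered access decision: DAC mode bits first, then a
# label-based MAC policy. Constructed example; not kernel, SELinux or AppArmor code.
from dataclasses import dataclass
import stat


@dataclass(frozen=True)
class Process:
    uid: int
    gid: int
    domain: str      # MAC label of the subject (SELinux calls this the domain)


@dataclass(frozen=True)
class File:
    owner: int
    group: int
    mode: int        # DAC permission bits, e.g. 0o600
    label: str       # MAC label of the object (SELinux file type)


READ, WRITE = "read", "write"

# Which mode bits grant each permission for owner / group / other.
DAC_BITS = {
    READ:  (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    WRITE: (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
}

# Central MAC policy written by the administrator: domain -> {label: permissions}.
# Anything not listed is denied. "*" is a hypothetical shorthand for a domain the
# policy does not restrict; it is not real policy syntax.
MAC_POLICY = {
    "httpd_t": {
        "httpd_sys_content_t": {READ},
        "httpd_log_t": {WRITE},
    },
    "unconfined_t": {"*": {READ, WRITE}},
}


def dac_allows(proc: Process, f: File, perm: str) -> bool:
    """Classic owner/group/world check. Root skips it (simplified CAP_DAC_OVERRIDE)."""
    if proc.uid == 0:
        return True
    usr, grp, oth = DAC_BITS[perm]
    if proc.uid == f.owner:
        return bool(f.mode & usr)
    if proc.gid == f.group:
        return bool(f.mode & grp)
    return bool(f.mode & oth)


def mac_allows(proc: Process, f: File, perm: str) -> bool:
    """Default-deny lookup in the central policy; the uid plays no part here."""
    rules = MAC_POLICY.get(proc.domain, {})
    return perm in rules.get(f.label, set()) or perm in rules.get("*", set())


def access(proc: Process, f: File, perm: str) -> str:
    """Layered decision: DAC is consulted first, MAC only if DAC allowed."""
    if not dac_allows(proc, f, perm):
        return "denied by DAC"
    if not mac_allows(proc, f, perm):
        return "denied by MAC"
    return "allow"


def chmod(f: File, mode: int) -> File:
    """The owner's discretionary choice: new mode bits, label untouched."""
    return File(f.owner, f.group, mode, f.label)


# Constructed subjects and objects mirroring the text.
ALICE = Process(uid=1000, gid=1000, domain="unconfined_t")
BOB = Process(uid=1001, gid=1001, domain="unconfined_t")
NGINX = Process(uid=0, gid=0, domain="httpd_t")          # nginx running as root

SECRETS = File(owner=1000, group=1000, mode=0o600, label="user_home_t")
INDEX_HTML = File(owner=0, group=0, mode=0o644, label="httpd_sys_content_t")
ACCESS_LOG = File(owner=0, group=0, mode=0o640, label="httpd_log_t")

if __name__ == "__main__":
    print("alice reads secrets:       ", access(ALICE, SECRETS, READ))
    print("bob reads secrets:         ", access(BOB, SECRETS, READ))
    print("bob reads after chmod 644: ", access(BOB, chmod(SECRETS, 0o644), READ))
    print("root nginx reads secrets:  ", access(NGINX, SECRETS, READ))
    print("nginx writes access.log:   ", access(NGINX, ACCESS_LOG, WRITE))
    print("nginx writes index.html:   ", access(NGINX, INDEX_HTML, WRITE))
```

The two denial strings make the layering visible: Bob is stopped by DAC until Alice chooses to relax the mode, whereas the root nginx process passes DAC on every file and is stopped only by the label policy, which is exactly the containment the text describes.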