Mandatory Access Control (MAC) is a security mechanism used in computer systems and networks to enforce strict and centrally defined access policies on computer resources. It is designed to limit and control the actions that subjects (users, processes, or entities) can perform on objects (files, directories, devices, etc.) based on predetermined rules set by the system administrator or security policy.
When a subject attempts to access an object, the MAC system checks the security labels of both the subject and the object and compares them against the access policy. Access is granted only if the subject's security level meets or exceeds the object's security level as per the access policy.
MAC operates on the principles of "need-to-know" and "least privilege": access rights are granted only if explicitly authorized and are restricted to the minimum necessary for the subject to fulfill its function.
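
The label comparison and the need-to-know rule described above can be sketched as a small reference monitor. This is an added example, not code from the original page. It models read access only and goes slightly beyond the text by representing need-to-know as compartments. The level names, compartment names, subjects and objects are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed ordering of sensitivity levels (illustrative names, not from the page).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a sensitivity level plus need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()


def dominates(subject: Label, obj: Label) -> bool:
    """True if the subject's level meets or exceeds the object's level and
    the subject holds every compartment the object is tagged with."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and obj.compartments <= subject.compartments)


class ReferenceMonitor:
    """Central policy store: labels are assigned by the administrator only."""

    def __init__(self, subject_labels, object_labels):
        self._subjects = dict(subject_labels)
        self._objects = dict(object_labels)
        self.audit = []  # (subject, object, decision) tuples

    def can_read(self, subject: str, obj: str) -> bool:
        s = self._subjects.get(subject)
        o = self._objects.get(obj)
        # Default deny: an unlabeled subject or object is never authorized.
        allowed = s is not None and o is not None and dominates(s, o)
        self.audit.append((subject, obj, "ALLOW" if allowed else "DENY"))
        return allowed


# Constructed sample policy.
monitor = ReferenceMonitor(
    subject_labels={
        "alice": Label("secret", frozenset({"payroll"})),
        "backup_daemon": Label("top_secret"),
    },
    object_labels={
        "handbook.pdf": Label("public"),
        "salaries.db": Label("secret", frozenset({"payroll"})),
    },
)
```

Note that `backup_daemon` holds a higher level than `salaries.db` yet is still denied, because it lacks the `payroll` compartment: a sufficient level alone does not satisfy need-to-know.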