With MAC (Mandatory Access Control), an operating system limits the ability of an initiator (a process or user) to access or perform actions on objects: files, directories, network ports, memory blocks.
Every access or action is checked against a set of rules (the policy) to decide whether it is allowed. Violations of the rules are logged and can generate notifications.
The State of MAC
Linux gained MAC in 2000. MS Windows still doesn't have MAC.
Around 2008 Windows moved a little closer to MAC, but the design (MIC, Mandatory Integrity Control) is fundamentally wrong, since it uses levels of access rather than types.
If MS Windows had MAC it wouldn't need ever-more numerous and complex (and fragile) defence mechanisms, which can often be bypassed, to attempt to compensate for its absence.
You can read another expert's comments here.
Web Server MAC example
If a way is found to upload malware to a MAC-protected web server, the MAC rules for the web server prevent the malware from being executed. In fact those rules prevent any file from being executed by the web server.
DNS Server MAC example
In July 2020 a serious MS Windows vulnerability was reported, whereby sending certain data to a Windows DNS (Domain Name System) server made it possible to gain Domain Administrator privileges.
An equivalent vulnerability on a MAC-enabled system does not enable a privilege increase, because the MAC rules for the DNS server prevent execution of any privilege-increasing software.
Further MAC use
We provide systems based on CentOS Linux. Its MAC subsystem is SELinux, which is enabled by default with a comprehensive policy.
Every service is protected in an appropriate way, so that if a vulnerability is found, any exploit attempts are either completely blocked or severely restricted.
Rules also exist for limited-access user accounts, for example a user account that has no network access.
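The three cases above (the uploaded file the web server cannot execute, the DNS daemon that cannot reach an administrative domain, and the user account without network access) all come down to the same default-deny, type-based check. The following is an added example, written for this page and not code from SELinux or from the systems described here: a small type-enforcement model in Python with allow rules keyed on (source domain, target type, object class, permission), AVC-style denial logging, and, for contrast, a level-only check in the spirit of the integrity-level design criticised above. The domain and type names (httpd_t, httpd_upload_t, named_t, user_nonet_t, sysadm_t and so on) follow SELinux naming conventions but the policy itself is constructed for the example and is much smaller than any real one.

```python
"""Constructed model of type enforcement (MAC) versus a level-only scheme.

Illustrative only: a default-deny policy engine in the style of SELinux type
enforcement, plus a level-only comparison.  Type names follow SELinux naming
conventions; the rules below are made up for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    source: str        # subject domain, e.g. httpd_t
    target: str        # object type, e.g. httpd_upload_t
    cls: str           # object class: file, process, tcp_socket
    perms: frozenset   # permissions granted for that (source, target, class)


@dataclass
class Policy:
    rules: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # denial records, AVC-style

    def allow(self, source, target, cls, *perms):
        self.rules.append(Rule(source, target, cls, frozenset(perms)))

    def check(self, source, target, cls, perm):
        """Default deny: permitted only if some allow rule grants the permission."""
        for r in self.rules:
            if (r.source, r.target, r.cls) == (source, target, cls) and perm in r.perms:
                return True
        self.audit.append(
            f"avc: denied {{ {perm} }} scontext={source} tcontext={target} tclass={cls}")
        return False


def build_policy():
    """Constructed policy: one confined domain per service, no 'execute' for httpd_t."""
    p = Policy()
    # Web server: serve static content, read/write the upload area, bind its port.
    p.allow("httpd_t", "httpd_sys_content_t", "file", "read", "getattr", "open")
    p.allow("httpd_t", "httpd_upload_t", "file", "read", "write", "create", "getattr", "open")
    p.allow("httpd_t", "http_port_t", "tcp_socket", "name_bind")
    # DNS server: read zone files, bind port 53.  No transition into an admin domain.
    p.allow("named_t", "named_zone_t", "file", "read", "getattr", "open")
    p.allow("named_t", "dns_port_t", "tcp_socket", "name_bind")
    # Restricted user: home directory only; no tcp_socket rule exists at all.
    p.allow("user_nonet_t", "user_home_t", "file", "read", "write", "create", "getattr", "open")
    return p


def web_upload_scenario(p):
    """Malware uploaded into the upload area gets type httpd_upload_t; can httpd run it?"""
    return {
        "serve_page":   p.check("httpd_t", "httpd_sys_content_t", "file", "read"),
        "save_upload":  p.check("httpd_t", "httpd_upload_t", "file", "write"),
        "exec_upload":  p.check("httpd_t", "httpd_upload_t", "file", "execute"),
        "exec_content": p.check("httpd_t", "httpd_sys_content_t", "file", "execute"),
    }


def dns_escalation_scenario(p):
    """A compromised DNS daemon tries to move into an administrative domain."""
    return {
        "read_zone": p.check("named_t", "named_zone_t", "file", "read"),
        "bind_port": p.check("named_t", "dns_port_t", "tcp_socket", "name_bind"),
        "escalate":  p.check("named_t", "sysadm_t", "process", "transition"),
        "run_admin": p.check("named_t", "sysadm_exec_t", "file", "execute"),
    }


def nonet_user_scenario(p):
    """User confined to a domain with no network rules."""
    return {
        "edit_home":   p.check("user_nonet_t", "user_home_t", "file", "write"),
        "connect_out": p.check("user_nonet_t", "http_port_t", "tcp_socket", "name_connect"),
    }


LEVELS = {"low": 0, "medium": 1, "high": 2}


def level_model_check(subject_level, object_level, perm):
    """Level-only scheme (simplified): a no-write-up rule, read/execute otherwise
    unrestricted.  Nothing distinguishes 'web content' from 'program'."""
    if perm == "write":
        return LEVELS[subject_level] >= LEVELS[object_level]
    return True


def level_model_upload_scenario():
    """Same upload case under levels: the server writes the file at its own level,
    so by the same rule it may also execute it."""
    return {"save_upload": level_model_check("medium", "medium", "write"),
            "exec_upload": level_model_check("medium", "medium", "execute")}


if __name__ == "__main__":
    pol = build_policy()
    print("web ", web_upload_scenario(pol))
    print("dns ", dns_escalation_scenario(pol))
    print("user", nonet_user_scenario(pol))
    print("levels", level_model_upload_scenario())
    print("\n".join(pol.audit))   # the denials a monitoring system would alert on
```

The point the model makes is that confinement comes from what the policy never grants: httpd_t has no execute permission on any file type, named_t has no transition into sysadm_t, and user_nonet_t has no tcp_socket rules, so each attempt fails with an audit record regardless of which file was uploaded or which bug was exploited. The level-only check, by contrast, lets the server execute whatever it was able to write.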
It's not hard to add extra rules for even-more-specialised uses.