Mandatory Access Control label format
If Mandatory Access Control, or MAC, is enabled in the kernel, then in addition
to the traditional credentials, each subject (typically a user or a socket)
and object (file system object, socket, etc.) is given a MAC
label. The MAC label specifies the necessary subject-specific or
object-specific information necessary for a MAC security policy to enforce
access control on the subject/object.
The format for a MAC label is defined as follows:
A MAC label consists of a policy name, followed by a forward
slash, followed by the subject or object's qualifier, optionally followed by
a comma and one or more additional policy labels. For example:
MAC first appeared in FreeBSD 5.0.
This software was contributed to the FreeBSD Project by
NAI Labs, the Security Research Division of Network Associates Inc. under
DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the
DARPA CHATS research program.