All that is not expressly permitted is forbidden - MAC is the acronym for mandatory access control. It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system, decisions are based on the privilege (clearance) of the subject (user) and the sensitivity (classification) of the object (file). It requires labeling. Under MAC, you define who is allowed to access objects, and if you haven't defined an access right, access is not permitted. So, it is not the case that all that is expressly permitted is forbidden, or that all that is not expressly permitted is not forbidden.