Mandatory Access Control

MAC versus DAC
  DAC: a user (or group of users) can decide on access to their objects
  MAC: a user (or group of users) can't decide on access to their objects (example: SECRET classification)

Separation Policies
  Enforcing legal restrictions on data
  Establishing well-defined user roles
  Restrictions to classified/compartmented data

Containment Policies
  Minimizing damage from viruses and other malicious code (example: http server/mod_ssl worm)

Integrity Policies
  Protecting applications from modification

Invocation Policies
  Guaranteeing that data is processed as required (example: freeswan encryption policies)
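
The MAC versus DAC distinction above, as an added example that is not part of the original slides: a toy reference monitor in which the owner controls the access list but not the label. The level ordering, the user names, the `secadm` administrator and the rule that a read requires sufficient clearance are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sensitivity ordering; only SECRET appears on the slide.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

@dataclass
class Obj:
    owner: str
    label: str                                  # MAC label, set by policy
    readers: set = field(default_factory=set)   # DAC list, set by the owner

class Monitor:
    """Toy reference monitor: a read must pass the DAC and the MAC check."""

    def __init__(self, clearances, admin):
        self.clearances = clearances   # user -> level, fixed by system policy
        self.admin = admin             # hypothetical policy administrator
        self.objects = {}

    def create(self, name, owner, label):
        self.objects[name] = Obj(owner, label, {owner})

    def grant_read(self, actor, name, user):
        obj = self.objects[name]
        if actor != obj.owner:         # DAC: the owner decides
            raise PermissionError("DAC: only the owner may change the list")
        obj.readers.add(user)

    def relabel(self, actor, name, label):
        if actor != self.admin:        # MAC: the owner does not decide
            raise PermissionError("MAC: only the administrator may relabel")
        self.objects[name].label = label

    def can_read(self, user, name):
        obj = self.objects[name]
        clearance = LEVELS[self.clearances.get(user, "UNCLASSIFIED")]
        return user in obj.readers and clearance >= LEVELS[obj.label]

def demo():
    """Return (bob denied despite the owner's grant, owner's relabel blocked)."""
    m = Monitor({"alice": "SECRET", "bob": "CONFIDENTIAL"}, admin="secadm")
    m.create("plan.txt", owner="alice", label="SECRET")
    m.grant_read("alice", "plan.txt", "bob")     # DAC grant succeeds
    denied = not m.can_read("bob", "plan.txt")   # MAC still refuses the read
    try:
        m.relabel("alice", "plan.txt", "UNCLASSIFIED")
    except PermissionError:
        return denied, True
    return denied, False
```
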