If Mandatory Access Control, or MAC, is enabled in the kernel, then in addition to the traditional credentials, each subject (typically a user or a socket) and object (file system object, socket, etc.) is given a "MAC label". The MAC label carries the subject-specific or object-specific information that a MAC security policy needs in order to enforce access control on the subject or object.
The format for a MAC label is defined as follows:
A MAC label consists of a policy name, followed by a forward slash, followed by the subject's or object's qualifier, optionally followed by a comma and one or more additional policy labels. For example:
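A strict parser for the label format described above, as an added example that is not part of the original manual page. The sample label strings and qualifier values are constructed, and the rules that reject whitespace and repeated policy names are assumptions made for illustration, not documented behaviour:

```python
"""Parse MAC label text of the form policy/qualifier[,policy/qualifier...]."""


class MacLabelError(ValueError):
    """Raised when a label string does not match the described format."""


def parse_mac_label(text):
    """Return [(policy, qualifier), ...] in the order the elements appear."""
    if not text:
        raise MacLabelError("empty label")
    elements = []
    seen = set()
    for raw in text.split(","):
        # Assumption: no whitespace is allowed anywhere in an element.
        if any(ch.isspace() for ch in raw):
            raise MacLabelError(f"whitespace in element {raw!r}")
        # Split on the first slash only: policy name, then its qualifier.
        policy, slash, qualifier = raw.partition("/")
        if not slash:
            raise MacLabelError(f"missing '/' in element {raw!r}")
        if not policy or not qualifier:
            raise MacLabelError(f"empty policy or qualifier in {raw!r}")
        # Assumption: a policy may appear at most once, so that two
        # conflicting qualifiers for one policy are never silently accepted.
        if policy in seen:
            raise MacLabelError(f"policy {policy!r} given more than once")
        seen.add(policy)
        elements.append((policy, qualifier))
    return elements


def format_mac_label(elements):
    """Inverse of parse_mac_label: join (policy, qualifier) pairs."""
    return ",".join(f"{policy}/{qualifier}" for policy, qualifier in elements)


if __name__ == "__main__":
    # Constructed sample inputs: two well-formed labels, then malformed ones.
    for sample in ("biba/low", "biba/high,mls/equal,partition/0",
                   "biba", "biba/low,", "biba/low,biba/high"):
        try:
            print(sample, "->", parse_mac_label(sample))
        except MacLabelError as err:
            print(sample, "-> rejected:", err)
```

Validating a label string this way before handing it to a tool such as setfmac(8) or setpmac(8) catches malformed input early; the qualifier itself is still interpreted only by the named policy.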
mac(3), posix1e(3), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_mls(4), mac_none(4), mac_partition(4), mac_seeotheruids(4), mac_test(4), login.conf(5), getfmac(8), getpmac(8), ifconfig(8), setfmac(8), setpmac(8), mac(9)