Mandatory Access Control versus Discretionary Access Control
Solution 1:
Mandatory access control : The Access control system only allows users who have already been given a clearance level to access the resource they intend to . But how do they grant access ? This is where Levels come into action . In the further discussions , users will be addressed as Subjects and the resources would be addressed as Objects . Each object and subject in that domain is given a "Security Level " .
Time for an example :- Assume there are three security levels . A ,B ,C . Security level of A is the highest . Security level of B is lower than A . Security eve of C is lower than B . A>B>C . Now Subjects having level A will be able to access only the objects having security levels less than A . Now Subjects having level B will be able to access only the objects having security levels less than B . Now Subjects having level C will be able to access only the objects having security levels less than C Assume Natasha has security level B . Now assume files under /var have level A and files under /etc/ have level C . As per the rule I mentioned , Natasha will be able to access only files under /etc which have levels lower than her level .
Discretionary access control is downright simple . When you create a file , you are the owner of that file . And in Discretionary access control , the owners of the files have their OWN "discretion" as to select the users to which access can be given and not given .
***P.S . The superuser can change the ownership of your file . So you are the owner of the file only if the superuser has not changed the ownership to someone else***And answering your second question . MAC is more secure in big companies because the whole security of the company lies in the hands of the owner of the file if they implement DAC . What if the owner decides to grant access to people to whom the access shouldn't be given . So in the case of MAC the decision is in the hands of the Architects and they make sure the file goes to the right hands .
Solution 2:
Basically, it comes down to users being able to override the access controls at their discretion. In a MAC-based system, the policy cannot be overriden by a user to allow less privileged users access to a resource. The MAC is mandatory.
In some situations, it may be necessary to have this behaviour. Typically, I've heard of MACs used in highly secure operating systems that are used in military and highly secure government installations. Until recently, no "business grade" or "consumer grade" operating system really supported MACs. Windows Vista (with the "integrity level" functionality) and SELinux both are forms of MAC.