The authors describe how mandatory and discretionary access mediation are performed in the trusted mach (TMach) kernel, a system that uses message passing as its primary means of communication both between tasks and with the kernel. As a consequence, control of interprocess communication in the TMach kernel is a central concern whereas controlled sharing of segments is the central focus in trusted systems with more traditional architectures. The TMach kernel is not a complete trusted system. It is a reference monitor of basic system abstractions, providing a small, well-controlled base on which the rest of a trusted computing base and operating system can be constructed. The TMach kernel provides simple and elegant mandatory access control for port access rights. The TMach kernel's MAC (mandatory access control) mechanisms clearly control the flow of information according to a mandatory security policy based on a Bell and La Padula model. DAC (discretionary access control) mechanisms are provided in the TMach kernel to implement TCSEC (trusted computer system evaluation criteria) requirements and to support DAC in servers to be built on the kernel.<>