This chapter explores the multilevel security policy model used in many military and intelligence systems, which hold information at different levels of classification, and have to ensure that data can be read only by a principal whose clearance level is at least as high. Such policies are increasingly also known as information flow control. Systems that enforce a security policy independently of user actions are described as having mandatory access control (MAC), as opposed to the discretionary access control in systems like Unix where users can take their own access decisions about their files. Integrity‐only approach to MAC does mean that malware running at Low can steal all the data; so some users might care to set ‘NoReadUp’ for sensitive directories.