In every system a number of applications require special privileges in order to perform some system task eg. system services in DAC run with superuser privileges. If the sets of privileges associated with such applications could be made fine-grained enough, as close to minimal needed for the task as possible, unlike in the DAC example above, a damage resulting from a possible vulnerability exploit would be confined to only a portion of the system accessible by the privileges thus obtained. Therefore, the mandatory security mechanisms of an operating system should obey the principle of least privilege which states that any process in the system should be allocated only the absolutely minimal set of privileges needed to successfully perform the desired task. Any additional, not needed, privilege possessed by a process increases the damage incurred if a vulnerability in the program is exploited. Therefore, any mandatory security system should provide scope for implementation of the least privilege principle.