Abstract: Traditional discretionary access control can't provide adequate security. Rules of existing mandatory access control models are very rigid, and barriers in document flow occur. We propose a mandatory access control model is proposed which is suitable for document flow. In this model the requirements of both integrity and confidentiality are met. Flexibility of discretionary access control integrates with security of mandatory access control. Through checking the rules, information can flow bidirectionally. The security of the model is proved on the basis of noninterference theory.