Which security model uses labels and clearance levels to enforce mandatory access control?

  1. Brewer-Nash model
  2. Biba model
  3. Bell-LaPadula model ✓
  4. Clark-Wilson model

Correct answer: Bell-LaPadula model

Option C is correct because the Bell-LaPadula model is the classic confidentiality-focused mandatory access control model that assigns sensitivity labels to objects and clearance levels to subjects, enforcing the no-read-up (simple security) and no-write-down (star property) rules to prevent unauthorized disclosure of classified information. Option A is wrong because the Brewer-Nash (Chinese Wall) model is designed to prevent conflicts of interest in commercial environments, not to enforce label-based clearance hierarchies. Option B is wrong because the Biba model addresses integrity rather than confidentiality, using the inverse lattice rules of no-read-down and no-write-up to protect data from corruption by lower-integrity subjects. Option D is wrong because the Clark-Wilson model also focuses on integrity, using well-formed transactions and separation of duties to maintain data consistency, without a clearance label hierarchy.

Topic: bell-lapadula, mandatory access control, security models, cissp
