This paper is devoted to the analysis of mandatory access restriction system for Oracle DBMS. As the result, several leakage channels are discovered. For many information system based on DBMS it is often a problem to implement access restriction, which takes information value into account. It is usually crucial for large-scale information systems of government or corporate use (i.e. geographical information systems or document management systems). Such system usually imply mandatory access model. One of the features of the mandatory model is prevention of either intentional or accidental decrease of information value thanks to information flow control. Mandatory access model is implemented by labeling all the subjects and objects belonging to the access restriction system. Oracle DBMS is currently one of the most powerful and popular industrial DBMS. Starting from Oracle9i version, Oracle Label Security (OLS) component is implemented, which makes it possible to organize mandatory access to stored data. OLS is a set of procedures and limitations built into database kernel, which allow implementation of record-level access control. In order to enable OLS it is necessary to create a security policy containing a set of labels. Whenever this policy is created it should be applied to protected tables and users should receive rights to corresponding labels. Analysis for possible leakage channels of confidential information seems interesting for the reviewed system. We are offering the following common analysis algorithm of the implemented mandatory access model. 1) Access object types are determined according to the published documentation and investigation of the DBMS (e.g., tables, strings, or columns). 2) Commands of SQL are analyzed in terms of how users can modify access objects. 3) Several objects with different confidentiality levels are created for each access object type. 4) Several user (access subject) accounts are created with different mandatory access rights. 5) A sequence of SQL-queries is formed, which are executed with different mandatory access restriction rights and objects with different confidentiality level. According to the analysis of execution of these queries it is possible to build an access model, and to make a conclusion whether the system has vulnerabilities, which can lead to leakage or corruption of confidential information. Let us consider access objects in OLS. These are table records, which have unique labels. It is often implied that tables are access objects in OLS because security policy is applied to tables. However tables do not have labels themselves; they just contain labeled rows. The following basic SQL operations handle individual records: - CREATE ? creation of a new record; - SELECT ? reading of an existing record; - UPDATE ? modification of an existing record; - DELETE ? deletion of a record. Our experiments consisted of sequences of queries called by users with different mandatory access rights to objects of different confidentiality levels. These experiments made it possible to construct the mandatory access model of OLS to records. We define two variables: I and J. I is a value of object?s label. Smaller values of I indicate higher confidentiality level (the value of 0 corresponds to ?top secret?). J is a value of subject?s access level. The model can be presented in the following formalized view: