A mechanism is a facility the operating system provides for specifying how an object may be accessed.
A policy is a decision made by the object's owner (or system management) as to how the mechanisms are to be applied in a specific case.
Example: a particular system may allow the owner of a file to specify who may read the file. This is a mechanism. If the owner of a file decides that anyone whose last name begins with "A" may read a certain file, then he has chosen a policy which (hopefully) can be implemented using the mechanism provided.
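The distinction above, as an added example that is not part of the original text: the mechanism is a per-file reader list checked at access time, and the policy is the owner's "last name begins with A" rule translated into that list. All names (`FileObject`, `may_read`, `apply_policy`, `drift`) and the user names are hypothetical and constructed; the audit function shows where the "(hopefully)" bites, because the mechanism only knows the list, not the rule behind it.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Iterable

@dataclass
class FileObject:
    """Mechanism state: the only thing consulted at access time."""
    owner: str
    readers: set[str] = field(default_factory=set)  # explicit per-user read list

def may_read(f: FileObject, user: str) -> bool:
    """Mechanism: enforce the reader list exactly as stored, nothing more."""
    return user == f.owner or user in f.readers

Policy = Callable[[str], bool]  # the owner's decision, expressed over user names

def last_name_starts_with_a(user: str) -> bool:
    """The page's policy: anyone whose last name begins with 'A' may read."""
    parts = user.split()
    return bool(parts) and parts[-1][:1].upper() == "A"

def apply_policy(f: FileObject, policy: Policy, users: Iterable[str]) -> None:
    """Translate the policy into mechanism state for the users known right now."""
    f.readers = {u for u in users if policy(u)}

def drift(f: FileObject, policy: Policy, users: Iterable[str]) -> dict[str, set[str]]:
    """Audit: compare what the policy wants today with what the mechanism holds."""
    wanted = {u for u in users if policy(u)}
    return {"missing": wanted - f.readers,   # policy admits, mechanism denies
            "excess": f.readers - wanted}    # mechanism admits, policy no longer does

def demo() -> dict[str, set[str]]:
    # Constructed user directory; "Carol Diaz" owns the file.
    f = FileObject(owner="Carol Diaz")
    apply_policy(f, last_name_starts_with_a, ["Alice Adams", "Bob Brown", "Carol Diaz"])
    # Later the directory changes: Alice leaves, Dan Avery joins.
    # The reader list is untouched, so it no longer matches the policy.
    return drift(f, last_name_starts_with_a, ["Bob Brown", "Carol Diaz", "Dan Avery"])

if __name__ == "__main__":
    print(demo())
```

Re-running `apply_policy` whenever the user directory changes closes the gap; a mechanism that could evaluate the rule itself at access time would not need that step.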