October 21st, 2005, 10:05 PM
#11
True, systems like WinNT do not *automatically* allow the administrator to violate the ACLs on objects - but they still *can*, because other facilities which exist, allow them to gain access despite permissions.
No, the Administrator CANNOT violate the system's security policy, why is this so hard for you to understand?
Likewise, just because root is "All powerful", does not mean that they can't be restricted - stuff like NSA security enhanced Linux does not allow root to violate the privileges associated with its context.
I always forget about SE Linux, have a look at my Zealotry in Linux-land post.
And aside from all of this... the root issue is just one example of why it is not a trusted path, which is the actual topic here. Yes you can use a myriad of methods to restrict root... none of those methods are universally supported and subsequently none of those uses are suitable in my production environments.
I just want the system to work, I don't want exotic configurations that I read about in some slashdotter's blog, I don't want prototype patch work (the fact that SE Linux is supported by the standard kernel should make you all ask "Why?! Why in god's name would we give that kind of core support to research projects?"), and I don't want some random college kid's special lucky super security model extension that is labeled as "stable" because he finally got it to a point where it didn't crash when he launched it. Is all of this too much to ask for?
Opus00, I think your post was excellent, but I don't think most people that assigned you points actually read it.
These extensions and all this retrofitting to me are dubitable. Hey what do I know?
Well my thoughts exactly...
the_Jinx... your documentation is a little confusing to me:
In its true form it is not a true SAK like the one in
c2 compliant systems, and it should be mistook as such.
Does this really say you should mistake the SAK for something it's not?
The trusted path is not a C2 requirement, it is introduced at the B2 level.
The reason why the Linux SAK isn't a true trusted path is because it can be initiated by other processes than the user.
So are we all in agreement then? And you can all start writing to your favorite distro and tell them that for real business needs they should implement a trusted path.
At first I thought this was an area where I was just plain ignorant... there are many solutions that look very good on the surface. It is unfortunate that none of them really panned out.
cheers,
catch
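What follows is an added example, not code from catch's post or the thread: a Python check that decodes the kernel.sysrq bitmask (the interface the Linux SAK lives behind) and reports whether the keyboard-control bit that permits SAK is set. The bit meanings follow the kernel's sysrq documentation; the sample mask 176 is a constructed fallback used when /proc/sys/kernel/sysrq cannot be read.

```python
# Added example: decode kernel.sysrq and report whether SAK is permitted.
# Bit values are those documented in the kernel's admin-guide/sysrq.rst.
SYSRQ_BITS = {
    2: "console loglevel control",
    4: "keyboard control (SAK, unraw)",
    8: "debugging dumps",
    16: "sync",
    32: "remount read-only",
    64: "signalling processes (term, kill, oom-kill)",
    128: "reboot / poweroff",
    256: "nicing all real-time tasks",
}


def decode_sysrq(mask: int) -> list:
    """Return the SysRq functions a kernel.sysrq value permits."""
    if mask == 1:  # 1 is shorthand for "everything enabled"
        return list(SYSRQ_BITS.values())
    return [name for bit, name in SYSRQ_BITS.items() if mask & bit]


def sak_enabled(mask: int) -> bool:
    """True when the keyboard-control bit (which carries SAK) is on."""
    return mask == 1 or bool(mask & 4)


def without_sak(mask: int) -> int:
    """Same mask with keyboard control cleared; expands the '1' shorthand."""
    if mask == 1:
        mask = sum(SYSRQ_BITS)
    return mask & ~4


def read_live_mask(path: str = "/proc/sys/kernel/sysrq"):
    """Read the running kernel's value, or None if the file is unavailable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    live = read_live_mask()
    mask = live if live is not None else 176  # constructed sample value
    print(f"kernel.sysrq = {mask} ({'live' if live is not None else 'sample'})")
    for name in decode_sysrq(mask):
        print("  permits:", name)
    # Any process able to write /proc/sysrq-trigger can fire SAK itself when
    # this bit is set, which is what separates it from a true trusted path.
    print("SAK reachable from software:", sak_enabled(mask))
```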