[RFC] Security Enhanced NFS (SENFS) Requirements - draft 05
J. Bruce Fields
bfields at fieldses.org
Wed Jun 20 18:02:01 EDT 2007
On Wed, Jun 20, 2007 at 04:49:45PM -0400, James Morris wrote:
> SENFS should support authentication on a per-domain granularity so that
> different domains running on a client can use different cryptographic
> keys and facilities.
Sorry, I'm not totally sure I understand what a "domain" is. I assume
every rpc call will need to be associated with a domain? (Just one, or
is it ever more than one?) If you need a different credential for each
domain, what kind of access control do you need for those credentials?
> 3.9. Domains of Interpretation
>
> In SELinux, a Domain of Interpretation (DOI) represents an
> administrative security boundary, where all systems within the DOI have
> semantically coherent labeling. That is, a security label must always
> mean exactly the same thing anywhere within the DOI. An SELinux DOI
> may be further demarcated for any other administrative purpose.
Does the current SELinux have any notion of a DOI?
Would it be possible to ignore this problem in a first implementation,
and just assume the client and server are always in the same DOI?
> 3.14. Namespace Access
>
> The server should provide a means to authorize selective access to the
> exported filesystem namespace based upon client credentials and
> according to security policy.
Could you give an example? Why is this necessary, and how does it go
beyond the ordinary access control used for files in the exported
filesystems?
> 3.15. External Remote Filesystems
>
> Under NFSv4, filesystems located externally to the server may be
> exported in the same namespace as locally exported filesystems.
You're thinking of referrals here, or something else?
> SENFS will not support this initially in Full Mode, although for Guest
> Mode, the server may convey locally generated security labels to the
> client.
I don't understand.
--b.