[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] This patch adds support in the hypervisor for the policy name attribute



# HG changeset patch
# User smh22@xxxxxxxxxxxxxxxxxxxx
# Node ID ad30019015a24cc2a7e4594db9469aef8c0d4ecc
# Parent  0a5183b3e7bb6d22e63386fafc5fa8c10ab19ed6
This patch adds support in the hypervisor for the policy name attribute 
introduced into security policies. It also fixes a minor problem related 
to handling unsupported boot policies.

Signed-off by: Reiner Sailer <sailer@xxxxxxxxxx>

diff -r 0a5183b3e7bb -r ad30019015a2 tools/security/Makefile
--- a/tools/security/Makefile   Mon Apr 24 10:51:20 2006 +0100
+++ b/tools/security/Makefile   Mon Apr 24 10:51:50 2006 +0100
@@ -30,28 +30,23 @@ OBJS_TOOL    := $(patsubst %.c,%.o,$(fil
 OBJS_TOOL    := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_TOOL)))
 SRCS_XML2BIN  = secpol_xml2bin.c secpol_xml2bin.h
 OBJS_XML2BIN := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_XML2BIN)))
-SRCS_GETD     = get_decision.c
-OBJS_GETD    := $(patsubst %.c,%.o,$(filter %.c,$(SRCS_GETD)))
 
 ACM_INST_TOOLS    = xensec_tool xensec_xml2bin xensec_gen
-ACM_NOINST_TOOLS  = get_decision
 ACM_OBJS          = $(OBJS_TOOL) $(OBJS_XML2BIN) $(OBJS_GETD)
-ACM_SCRIPTS       = getlabel.sh setlabel.sh updategrub.sh labelfuncs.sh
+ACM_SCRIPTS       = python/xensec_tools/acm_getlabel 
python/xensec_tools/acm_getdecision
 
 ACM_CONFIG_DIR    = /etc/xen/acm-security
 ACM_POLICY_DIR    = $(ACM_CONFIG_DIR)/policies
 ACM_SCRIPT_DIR    = $(ACM_CONFIG_DIR)/scripts
 
 ACM_INST_HTML     = python/xensec_gen/index.html
-ACM_INST_CGI      = python/xensec_gen/cgi-bin/policy.cgi \
-                    python/xensec_gen/cgi-bin/policylabel.cgi
+ACM_INST_CGI      = python/xensec_gen/cgi-bin/policy.cgi
 ACM_SECGEN_HTMLDIR= /var/lib/xensec_gen
 ACM_SECGEN_CGIDIR = $(ACM_SECGEN_HTMLDIR)/cgi-bin
 
 ACM_SCHEMA        = security_policy.xsd
-ACM_EXAMPLES      = null chwall ste chwall_ste
+ACM_EXAMPLES      = chwall ste chwall_ste
 ACM_POLICY_SUFFIX = security_policy.xml
-ACM_LABEL_SUFFIX  = security_label_template.xml
 
 ifeq ($(ACM_SECURITY),y)
 .PHONY: all
@@ -64,10 +59,10 @@ install: all $(ACM_CONFIG_FILE)
        $(INSTALL_DIR) -p $(DESTDIR)$(ACM_CONFIG_DIR)
        $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)
        $(INSTALL_DATA) -p policies/$(ACM_SCHEMA) $(DESTDIR)$(ACM_POLICY_DIR)
+       $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/example
        for i in $(ACM_EXAMPLES); do \
-               $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
-               $(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_POLICY_SUFFIX) 
$(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
-               $(INSTALL_DATA) -p policies/$$i/$$i-$(ACM_LABEL_SUFFIX) 
$(DESTDIR)$(ACM_POLICY_DIR)/$$i; \
+               $(INSTALL_DIR) -p $(DESTDIR)$(ACM_POLICY_DIR)/example/$$i; \
+               $(INSTALL_DATA) -p 
policies/example/$$i/client_v1-$(ACM_POLICY_SUFFIX) 
$(DESTDIR)$(ACM_POLICY_DIR)/example/$$i; \
        done
        $(INSTALL_DIR) -p $(DESTDIR)$(ACM_SCRIPT_DIR)
        $(INSTALL_PROG) -p $(ACM_SCRIPTS) $(DESTDIR)$(ACM_SCRIPT_DIR)
@@ -99,9 +94,6 @@ xensec_xml2bin: $(OBJS_XML2BIN)
 xensec_xml2bin: $(OBJS_XML2BIN)
        $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
 
-get_decision: $(OBJS_GETD)
-       $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
-
 xensec_gen: xensec_gen.py
        cp -f $^ $@
 
@@ -116,8 +108,4 @@ clean:
 .PHONY: mrproper
 mrproper: clean
 
-.PHONY: boot_install
-boot_install: install
-       $(ACM_SCRIPT_DIR)/updategrub.sh $(POLICY) $(KERNEL_VERSION)
-
 -include $(PROG_DEPS)
diff -r 0a5183b3e7bb -r ad30019015a2 tools/security/secpol_tool.c
--- a/tools/security/secpol_tool.c      Mon Apr 24 10:51:20 2006 +0100
+++ b/tools/security/secpol_tool.c      Mon Apr 24 10:51:50 2006 +0100
@@ -48,9 +48,7 @@ void usage(char *progname)
            "ACTION is one of:\n"
            "\t getpolicy\n"
            "\t dumpstats\n"
-           "\t loadpolicy <binary policy file>\n"
-           "\t getssid -d <domainid> [-f]\n"
-           "\t getssid -s <ssidref> [-f]\n", progname);
+           "\t loadpolicy <binary policy file>\n", progname);
     exit(-1);
 }
 
@@ -68,7 +66,7 @@ static inline int do_xen_hypercall(int x
                         (unsigned long) hypercall);
 }
 
-static inline int do_acm_op(int xc_handle, struct acm_op * op)
+static inline int do_acm_op(int xc_handle, struct acm_op *op)
 {
     int ret = -1;
     privcmd_hypercall_t hypercall;
@@ -78,15 +76,13 @@ static inline int do_acm_op(int xc_handl
     hypercall.op = __HYPERVISOR_acm_op;
     hypercall.arg[0] = (unsigned long) op;
 
-    if (mlock(op, sizeof(*op)) != 0)
-    {
+    if (mlock(op, sizeof(*op)) != 0) {
         PERROR("Could not lock memory for Xen policy hypercall");
         goto out1;
     }
 
-    if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0)
-    {
-        printf( "ACM operation failed: errno=%d\n", errno );
+    if ((ret = do_xen_hypercall(xc_handle, &hypercall)) < 0) {
+        printf("ACM operation failed: errno=%d\n", errno);
         if (errno == EACCES)
             fprintf(stderr, "ACM operation failed -- need to"
                     " rebuild the user-space tool set?\n");
@@ -108,8 +104,7 @@ void acm_dump_chinesewall_buffer(void *b
     int i, j;
 
 
-    if (htonl(cwbuf->policy_code) != ACM_CHINESE_WALL_POLICY)
-    {
+    if (htonl(cwbuf->policy_code) != ACM_CHINESE_WALL_POLICY) {
         printf("CHINESE WALL POLICY CODE not found ERROR!!\n");
         return;
     }
@@ -129,8 +124,7 @@ void acm_dump_chinesewall_buffer(void *b
     printf("\nSSID To CHWALL-Type matrix:\n");
 
     ssids = (domaintype_t *) (buf + ntohl(cwbuf->chwall_ssid_offset));
-    for (i = 0; i < ntohl(cwbuf->chwall_max_ssidrefs); i++)
-    {
+    for (i = 0; i < ntohl(cwbuf->chwall_max_ssidrefs); i++) {
         printf("\n   ssidref%2x:  ", i);
         for (j = 0; j < ntohl(cwbuf->chwall_max_types); j++)
             printf("%02x ",
@@ -139,8 +133,7 @@ void acm_dump_chinesewall_buffer(void *b
     printf("\n\nConfict Sets:\n");
     conflicts =
         (domaintype_t *) (buf + ntohl(cwbuf->chwall_conflict_sets_offset));
-    for (i = 0; i < ntohl(cwbuf->chwall_max_conflictsets); i++)
-    {
+    for (i = 0; i < ntohl(cwbuf->chwall_max_conflictsets); i++) {
         printf("\n   c-set%2x:    ", i);
         for (j = 0; j < ntohl(cwbuf->chwall_max_types); j++)
             printf("%02x ",
@@ -150,13 +143,11 @@ void acm_dump_chinesewall_buffer(void *b
     printf("\n");
 
     printf("\nRunning\nTypes:         ");
-    if (ntohl(cwbuf->chwall_running_types_offset))
-    {
+    if (ntohl(cwbuf->chwall_running_types_offset)) {
         running_types =
             (domaintype_t *) (buf +
                               ntohl(cwbuf->chwall_running_types_offset));
-        for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++)
-        {
+        for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++) {
             printf("%02x ", ntohs(running_types[i]));
         }
         printf("\n");
@@ -164,13 +155,12 @@ void acm_dump_chinesewall_buffer(void *b
         printf("Not Reported!\n");
     }
     printf("\nConflict\nAggregate Set: ");
-    if (ntohl(cwbuf->chwall_conflict_aggregate_offset))
-    {
+    if (ntohl(cwbuf->chwall_conflict_aggregate_offset)) {
         conflict_aggregate =
             (domaintype_t *) (buf +
-                              ntohl(cwbuf->chwall_conflict_aggregate_offset));
-        for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++)
-        {
+                              ntohl(cwbuf->
+                                    chwall_conflict_aggregate_offset));
+        for (i = 0; i < ntohl(cwbuf->chwall_max_types); i++) {
             printf("%02x ", ntohs(conflict_aggregate[i]));
         }
         printf("\n\n");
@@ -201,11 +191,11 @@ void acm_dump_ste_buffer(void *buf, int 
     printf("\nSSID To STE-Type matrix:\n");
 
     ssids = (domaintype_t *) (buf + ntohl(stebuf->ste_ssid_offset));
-    for (i = 0; i < ntohl(stebuf->ste_max_ssidrefs); i++)
-    {
+    for (i = 0; i < ntohl(stebuf->ste_max_ssidrefs); i++) {
         printf("\n   ssidref%2x: ", i);
         for (j = 0; j < ntohl(stebuf->ste_max_types); j++)
-            printf("%02x ", ntohs(ssids[i * ntohl(stebuf->ste_max_types) + 
j]));
+            printf("%02x ",
+                   ntohs(ssids[i * ntohl(stebuf->ste_max_types) + j]));
     }
     printf("\n\n");
 }
@@ -213,9 +203,12 @@ void acm_dump_policy_buffer(void *buf, i
 void acm_dump_policy_buffer(void *buf, int buflen)
 {
     struct acm_policy_buffer *pol = (struct acm_policy_buffer *) buf;
-
+    char *policy_reference_name =
+        (buf + ntohl(pol->policy_reference_offset) +
+         sizeof(struct acm_policy_reference_buffer));
     printf("\nPolicy dump:\n");
     printf("============\n");
+    printf("POLICY REFERENCE = %s.\n", policy_reference_name);
     printf("PolicyVer = %x.\n", ntohl(pol->policy_version));
     printf("Magic     = %x.\n", ntohl(pol->magic));
     printf("Len       = %x.\n", ntohl(pol->len));
@@ -227,8 +220,7 @@ void acm_dump_policy_buffer(void *buf, i
            ACM_POLICY_NAME(ntohl(pol->secondary_policy_code)),
            ntohl(pol->secondary_policy_code),
            ntohl(pol->secondary_buffer_offset));
-    switch (ntohl(pol->primary_policy_code))
-    {
+    switch (ntohl(pol->primary_policy_code)) {
     case ACM_CHINESE_WALL_POLICY:
         acm_dump_chinesewall_buffer(buf +
                                     ntohl(pol->primary_buffer_offset),
@@ -250,8 +242,7 @@ void acm_dump_policy_buffer(void *buf, i
         printf("UNKNOWN POLICY!\n");
     }
 
-    switch (ntohl(pol->secondary_policy_code))
-    {
+    switch (ntohl(pol->secondary_policy_code)) {
     case ACM_CHINESE_WALL_POLICY:
         acm_dump_chinesewall_buffer(buf +
                                     ntohl(pol->secondary_buffer_offset),
@@ -303,26 +294,22 @@ int acm_domain_loadpolicy(int xc_handle,
     off_t len;
     uint8_t *buffer;
 
-    if ((ret = stat(filename, &mystat)))
-    {
+    if ((ret = stat(filename, &mystat))) {
         printf("File %s not found.\n", filename);
         goto out;
     }
 
     len = mystat.st_size;
-    if ((buffer = malloc(len)) == NULL)
-    {
+    if ((buffer = malloc(len)) == NULL) {
         ret = -ENOMEM;
         goto out;
     }
-    if ((fd = open(filename, O_RDONLY)) <= 0)
-    {
+    if ((fd = open(filename, O_RDONLY)) <= 0) {
         ret = -ENOENT;
         printf("File %s not found.\n", filename);
         goto free_out;
     }
-    if (len == read(fd, buffer, len))
-    {
+    if (len == read(fd, buffer, len)) {
         struct acm_op op;
         /* dump it and then push it down into xen/acm */
         acm_dump_policy_buffer(buffer, len);
@@ -334,7 +321,7 @@ int acm_domain_loadpolicy(int xc_handle,
 
         if (ret)
             printf
-                ("ERROR setting policy. Try 'xm dmesg' to see details.\n");
+                ("ERROR setting policy.\n");
         else
             printf("Successfully changed policy.\n");
 
@@ -382,9 +369,9 @@ int acm_domain_dumpstats(int xc_handle)
     op.u.dumpstats.pullcache_size = sizeof(stats_buffer);
     ret = do_acm_op(xc_handle, &op);
 
-    if (ret < 0)
-    {
-        printf("ERROR dumping policy stats. Try 'xm dmesg' to see details.\n");
+    if (ret < 0) {
+        printf
+            ("ERROR dumping policy stats. Try 'xm dmesg' to see details.\n");
         return ret;
     }
     stats = (struct acm_stats_buffer *) stats_buffer;
@@ -394,8 +381,7 @@ int acm_domain_dumpstats(int xc_handle)
     printf("Magic     = %x.\n", ntohl(stats->magic));
     printf("Len       = %x.\n", ntohl(stats->len));
 
-    switch (ntohl(stats->primary_policy_code))
-    {
+    switch (ntohl(stats->primary_policy_code)) {
     case ACM_NULL_POLICY:
         printf("NULL Policy: No statistics apply.\n");
         break;
@@ -414,8 +400,7 @@ int acm_domain_dumpstats(int xc_handle)
         printf("UNKNOWN PRIMARY POLICY ERROR!\n");
     }
 
-    switch (ntohl(stats->secondary_policy_code))
-    {
+    switch (ntohl(stats->secondary_policy_code)) {
     case ACM_NULL_POLICY:
         printf("NULL Policy: No statistics apply.\n");
         break;
@@ -435,119 +420,6 @@ int acm_domain_dumpstats(int xc_handle)
     }
     return ret;
 }
-/************************ get ssidref & types ******************************/
-/*
- * the ssid (types) can be looked up either by domain id or by ssidref
- */
-int acm_domain_getssid(int xc_handle, int argc, char * const argv[])
-{
-    /* this includes header and a set of types */
-    #define MAX_SSIDBUFFER  2000
-    int ret, i;
-    struct acm_op op;
-    struct acm_ssid_buffer *hdr;
-    unsigned char *buf;
-       int nice_print = 1;
-
-    op.cmd = ACM_GETSSID;
-    op.interface_version = ACM_INTERFACE_VERSION;
-       op.u.getssid.get_ssid_by = UNSET;
-       /* arguments
-          -d ... domain id to look up
-          -s ... ssidref number to look up
-          -f ... formatted print (scripts depend on this format)
-       */
-       while (1)
-    {
-               int c = getopt(argc, argv, "d:s:f");
-               if (c == -1)
-                       break;
-               if (c == 'd')
-        {
-                       if (op.u.getssid.get_ssid_by != UNSET)
-                               usage(argv[0]);
-                       op.u.getssid.get_ssid_by = DOMAINID;
-                       op.u.getssid.id.domainid = strtoul(optarg, NULL, 0);
-               }
-               else if (c== 's')
-        {
-                       if (op.u.getssid.get_ssid_by != UNSET)
-                               usage(argv[0]);
-                       op.u.getssid.get_ssid_by = SSIDREF;
-                       op.u.getssid.id.ssidref = strtoul(optarg, NULL, 0);
-               }
-               else if (c== 'f')
-               {
-                       nice_print = 0;
-               }
-               else
-                       usage(argv[0]);
-       }
-       if (op.u.getssid.get_ssid_by == UNSET)
-               usage(argv[0]);
-
-       buf = malloc(MAX_SSIDBUFFER);
-    if (!buf)
-        return -ENOMEM;
-
-    /* dump it and then push it down into xen/acm */
-    op.u.getssid.ssidbuf = buf;   /* out */
-    op.u.getssid.ssidbuf_size = MAX_SSIDBUFFER;
-    ret = do_acm_op(xc_handle, &op);
-
-    if (ret)
-    {
-        printf("ERROR getting ssidref. Try 'xm dmesg' to see details.\n");
-        goto out;
-    }
-    hdr = (struct acm_ssid_buffer *)buf;
-    if (hdr->len > MAX_SSIDBUFFER)
-    {
-        printf("ERROR: Buffer length inconsistent (ret=%d, hdr->len=%d)!\n",
-               ret, hdr->len);
-            return -EIO;
-    }
-       if (nice_print)
-    {
-               printf("SSID: ssidref = 0x%08x \n", hdr->ssidref);
-               printf("      P: %s, max_types = %d\n",
-                          ACM_POLICY_NAME(hdr->primary_policy_code), 
hdr->primary_max_types);
-               printf("          Types: ");
-               for (i=0; i< hdr->primary_max_types; i++)
-                       if (buf[hdr->primary_types_offset + i])
-                               printf("%02x ", i);
-                       else
-                               printf("-- ");
-               printf("\n");
-
-               printf("      S: %s, max_types = %d\n",
-                          ACM_POLICY_NAME(hdr->secondary_policy_code), 
hdr->secondary_max_types);
-               printf("          Types: ");
-               for (i=0; i< hdr->secondary_max_types; i++)
-                       if (buf[hdr->secondary_types_offset + i])
-                               printf("%02x ", i);
-                       else
-                               printf("-- ");
-               printf("\n");
-       }
-       else
-    {
-               /* formatted print for use with scripts (.sh)
-                *  update scripts when updating here (usually
-                *  used in combination with -d to determine a
-                *  running domain's label
-                */
-               printf("SSID: ssidref = 0x%08x \n", hdr->ssidref);
-       }
-
-    /* return ste ssidref */
-    if (hdr->primary_policy_code == ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
-        ret = (hdr->ssidref) & 0xffff;
-    else if (hdr->secondary_policy_code == ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
-        ret = (hdr->ssidref) >> 16;
- out:
-    return ret;
-}
 
 /***************************** main **************************************/
 
@@ -559,8 +431,7 @@ int main(int argc, char **argv)
     if (argc < 2)
         usage(argv[0]);
 
-    if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) <= 0)
-    {
+    if ((acm_cmd_fd = open("/proc/xen/privcmd", O_RDONLY)) <= 0) {
         printf("ERROR: Could not open xen privcmd device!\n");
         exit(-1);
     }
@@ -577,8 +448,6 @@ int main(int argc, char **argv)
         if (argc != 2)
             usage(argv[0]);
         ret = acm_domain_dumpstats(acm_cmd_fd);
-    } else if (!strcmp(argv[1], "getssid")) {
-        ret = acm_domain_getssid(acm_cmd_fd, argc, argv);
     } else
         usage(argv[0]);
 
diff -r 0a5183b3e7bb -r ad30019015a2 tools/security/secpol_xml2bin.c
--- a/tools/security/secpol_xml2bin.c   Mon Apr 24 10:51:20 2006 +0100
+++ b/tools/security/secpol_xml2bin.c   Mon Apr 24 10:51:50 2006 +0100
@@ -101,22 +101,30 @@ int have_chwall = 0;
 
 /* input/output file names */
 char *policy_filename = NULL,
-    *label_filename = NULL,
-    *binary_filename = NULL, *mapping_filename = NULL,
-    *schema_filename = NULL;
+    *binary_filename = NULL,
+    *mapping_filename = NULL, *schema_filename = NULL;
+
+char *policy_reference_name = NULL;
+
+void walk_labels(xmlNode * start, xmlDocPtr doc, unsigned long state);
 
 void usage(char *prg)
 {
     printf("Usage: %s [OPTIONS] POLICYNAME\n", prg);
-    printf("POLICYNAME is the directory name within the policy directory\n");
-    printf("that contains the policy files.  The default policy directory\n");
-    printf("is '%s' (see the '-d' option below to change it)\n", POLICY_DIR);
-    printf("The policy files contained in the POLICYNAME directory must be 
named:\n");
+    printf
+        ("POLICYNAME is the directory name within the policy directory\n");
+    printf
+        ("that contains the policy files.  The default policy directory\n");
+    printf("is '%s' (see the '-d' option below to change it)\n",
+           POLICY_DIR);
+    printf
+        ("The policy files contained in the POLICYNAME directory must be 
named:\n");
     printf("\tPOLICYNAME-security_policy.xml\n");
     printf("\tPOLICYNAME-security_label_template.xml\n\n");
     printf("OPTIONS:\n");
     printf("\t-d POLICYDIR\n");
-    printf("\t\tUse POLICYDIR as the policy directory. This directory must 
contain\n");
+    printf
+        ("\t\tUse POLICYDIR as the policy directory. This directory must 
contain\n");
     printf("\t\tthe policy schema file 'security_policy.xsd'\n");
     exit(EXIT_FAILURE);
 }
@@ -147,8 +155,7 @@ int add_entry(struct tailhead *head, cha
 int add_entry(struct tailhead *head, char *name, type_t mapping)
 {
     struct type_entry *e;
-    if (lookup(head, name))
-    {
+    if (lookup(head, name)) {
         printf("Error: Type >%s< defined more than once.\n", name);
         return -EFAULT;         /* already in the list */
     }
@@ -204,16 +211,14 @@ int register_type(xmlNode * cur_node, xm
 
 
     text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
-    if (!text)
-    {
+    if (!text) {
         printf("Error reading type name!\n");
         return -EFAULT;
     }
 
     switch (state) {
     case XML2BIN_stetype_S:
-        if (add_entry(&ste_head, (char *) text, max_ste_types))
-        {
+        if (add_entry(&ste_head, (char *) text, max_ste_types)) {
             xmlFree(text);
             return -EFAULT;
         }
@@ -221,8 +226,7 @@ int register_type(xmlNode * cur_node, xm
         break;
 
     case XML2BIN_chwalltype_S:
-        if (add_entry(&chwall_head, (char *) text, max_chwall_types))
-        {
+        if (add_entry(&chwall_head, (char *) text, max_chwall_types)) {
             xmlFree(text);
             return -EFAULT;
         }
@@ -232,16 +236,15 @@ int register_type(xmlNode * cur_node, xm
     case XML2BIN_conflictsettype_S:
         /* a) search the type in the chwall_type list */
         e = lookup(&chwall_head, (char *) text);
-        if (e == NULL)
-        {
+        if (e == NULL) {
             printf("CS type >%s< not a CHWALL type.\n", text);
             xmlFree(text);
             return -EFAULT;
         }
         /* b) add type entry to the current cs set */
-        if (current_conflictset_p->row[e->mapping])
-        {
-            printf("ERROR: Double entry of type >%s< in conflict set %d.\n",
+        if (current_conflictset_p->row[e->mapping]) {
+            printf
+                ("ERROR: Double entry of type >%s< in conflict set %d.\n",
                  text, current_conflictset_p->num);
             xmlFree(text);
             return -EFAULT;
@@ -262,16 +265,15 @@ void set_component_type(xmlNode * cur_no
 {
     xmlChar *order;
 
-    if ((order = xmlGetProp(cur_node, (xmlChar *) 
PRIMARY_COMPONENT_ATTR_NAME))) {
-        if (strcmp((char *) order, PRIMARY_COMPONENT))
-        {
+    if ((order =
+         xmlGetProp(cur_node, (xmlChar *) PRIMARY_COMPONENT_ATTR_NAME))) {
+        if (strcmp((char *) order, PRIMARY_COMPONENT)) {
             printf("ERROR: Illegal attribut value >order=%s<.\n",
                    (char *) order);
             xmlFree(order);
             exit(EXIT_FAILURE);
         }
-        if (primary != NULLPOLICY)
-        {
+        if (primary != NULLPOLICY) {
             printf("ERROR: Primary Policy Component set twice!\n");
             exit(EXIT_FAILURE);
         }
@@ -285,10 +287,8 @@ void walk_policy(xmlNode * start, xmlDoc
     xmlNode *cur_node = NULL;
     int code;
 
-    for (cur_node = start; cur_node; cur_node = cur_node->next)
-    {
-        if ((code = totoken((char *) cur_node->name)) < 0)
-        {
+    for (cur_node = start; cur_node; cur_node = cur_node->next) {
+        if ((code = totoken((char *) cur_node->name)) < 0) {
             printf("Unknown token: >%s<. Aborting.\n", cur_node->name);
             exit(EXIT_FAILURE);
         }
@@ -297,13 +297,32 @@ void walk_policy(xmlNode * start, xmlDoc
         case XML2BIN_STETYPES:
         case XML2BIN_CHWALLTYPES:
         case XML2BIN_CONFLICTSETS:
+        case XML2BIN_POLICYHEADER:
             walk_policy(cur_node->children, doc, state | (1 << code));
             break;
 
+        case XML2BIN_POLICYNAME:       /* get policy reference name .... */
+            if (state != XML2BIN_PN_S) {
+                printf("ERROR: >Url< >%s< out of context.\n",
+                       (char *) xmlNodeListGetString(doc,
+                                                     cur_node->
+                                                     xmlChildrenNode, 1));
+                exit(EXIT_FAILURE);
+            }
+            policy_reference_name = (char *)
+                xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
+            if (!policy_reference_name) {
+                printf("ERROR: empty >policy reference name (Url)<!\n");
+                exit(EXIT_FAILURE);
+            } else
+                printf("Policy Reference name (Url): %s\n",
+                       policy_reference_name);
+            break;
+
         case XML2BIN_STE:
-            if (WRITTEN_AGAINST_ACM_STE_VERSION != ACM_STE_VERSION)
-            {
-                printf("ERROR: This program was written against another STE 
version.\n");
+            if (WRITTEN_AGAINST_ACM_STE_VERSION != ACM_STE_VERSION) {
+                printf
+                    ("ERROR: This program was written against another STE 
version.\n");
                 exit(EXIT_FAILURE);
             }
             have_ste = 1;
@@ -312,9 +331,9 @@ void walk_policy(xmlNode * start, xmlDoc
             break;
 
         case XML2BIN_CHWALL:
-            if (WRITTEN_AGAINST_ACM_CHWALL_VERSION != ACM_CHWALL_VERSION)
-            {
-                printf("ERROR: This program was written against another CHWALL 
version.\n");
+            if (WRITTEN_AGAINST_ACM_CHWALL_VERSION != ACM_CHWALL_VERSION) {
+                printf
+                    ("ERROR: This program was written against another CHWALL 
version.\n");
                 exit(EXIT_FAILURE);
             }
             have_chwall = 1;
@@ -328,8 +347,7 @@ void walk_policy(xmlNode * start, xmlDoc
             if (!current_conflictset_name)
                 current_conflictset_name = "";
 
-            if (init_next_conflictset())
-            {
+            if (init_next_conflictset()) {
                 printf
                     ("ERROR: creating new conflictset structure failed.\n");
                 exit(EXIT_FAILURE);
@@ -343,14 +361,18 @@ void walk_policy(xmlNode * start, xmlDoc
             /* type leaf */
             break;
 
+        case XML2BIN_LABELTEMPLATE:    /* handle in second pass */
         case XML2BIN_TEXT:
         case XML2BIN_COMMENT:
-        case XML2BIN_POLICYHEADER:
+        case XML2BIN_DATE:
+        case XML2BIN_REFERENCE:
+        case XML2BIN_NSURL:    /* for future use: where to find global label / 
type name mappings */
+        case XML2BIN_URL:      /* for future use: where to find policy */
             /* leaf - nothing to do */
             break;
 
         default:
-            printf("Unkonwn token Error (%d)\n", code);
+            printf("Unkonwn token Error (%d) in Policy\n", code);
             exit(EXIT_FAILURE);
         }
 
@@ -358,21 +380,21 @@ void walk_policy(xmlNode * start, xmlDoc
     return;
 }
 
-int create_type_mapping(xmlDocPtr doc)
-{
-    xmlNode *root_element = xmlDocGetRootElement(doc);
-    struct type_entry *te;
-    struct ssid_entry *se;
-    int i;
-
+void init_type_mapping(void)
+{
     printf("Creating ssid mappings ...\n");
 
     /* initialize the ste and chwall type lists */
     TAILQ_INIT(&ste_head);
     TAILQ_INIT(&chwall_head);
     TAILQ_INIT(&conflictsets_head);
-
-    walk_policy(root_element, doc, XML2BIN_NULL);
+}
+
+void post_type_mapping(void)
+{
+    struct type_entry *te;
+    struct ssid_entry *se;
+    int i;
 
     /* determine primary/secondary policy component orders */
     if ((primary == NULLPOLICY) && have_chwall)
@@ -400,19 +422,17 @@ int create_type_mapping(xmlDocPtr doc)
     }
 
     if (!DEBUG)
-        return 0;
+        return;
 
     /* print queues */
-    if (have_ste)
-    {
+    if (have_ste) {
         printf("STE-Type queue (%s):\n",
                (primary == STE) ? "PRIMARY" : "SECONDARY");
         for (te = ste_head.tqh_first; te != NULL;
              te = te->entries.tqe_next)
             printf("name=%22s, map=%x\n", te->name, te->mapping);
     }
-    if (have_chwall)
-    {
+    if (have_chwall) {
         printf("CHWALL-Type queue (%s):\n",
                (primary == CHWALL) ? "PRIMARY" : "SECONDARY");
         for (te = chwall_head.tqh_first; te != NULL;
@@ -421,8 +441,7 @@ int create_type_mapping(xmlDocPtr doc)
 
         printf("Conflictset queue (max=%d):\n", max_conflictsets);
         for (se = conflictsets_head.tqh_first; se != NULL;
-             se = se->entries.tqe_next)
-        {
+             se = se->entries.tqe_next) {
             printf("conflictset name >%s<\n",
                    se->name ? se->name : "NONAME");
             for (i = 0; i < max_chwall_types; i++)
@@ -431,7 +450,6 @@ int create_type_mapping(xmlDocPtr doc)
             printf("\n");
         }
     }
-    return 0;
 }
 
 
@@ -554,8 +572,7 @@ int add_type(xmlNode * cur_node, xmlDocP
     struct type_entry *e;
 
     text = xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
-    if (!text)
-    {
+    if (!text) {
         printf("Error reading type name!\n");
         return -EFAULT;
     }
@@ -564,8 +581,7 @@ int add_type(xmlNode * cur_node, xmlDocP
     case XML2BIN_VM_STE_S:
     case XML2BIN_RES_STE_S:
         /* lookup the type mapping and include the type mapping into the array 
*/
-        if (!(e = lookup(&ste_head, (char *) text)))
-        {
+        if (!(e = lookup(&ste_head, (char *) text))) {
             printf("ERROR: unknown VM STE type >%s<.\n", text);
             exit(EXIT_FAILURE);
         }
@@ -577,8 +593,7 @@ int add_type(xmlNode * cur_node, xmlDocP
 
     case XML2BIN_VM_CHWALL_S:
         /* lookup the type mapping and include the type mapping into the array 
*/
-        if (!(e = lookup(&chwall_head, (char *) text)))
-        {
+        if (!(e = lookup(&chwall_head, (char *) text))) {
             printf("ERROR: unknown VM CHWALL type >%s<.\n", text);
             exit(EXIT_FAILURE);
         }
@@ -602,8 +617,9 @@ void set_bootstrap_label(xmlNode * cur_n
 {
     xmlChar *order;
 
-    if ((order = xmlGetProp(cur_node, (xmlChar *) BOOTSTRAP_LABEL_ATTR_NAME)))
-        bootstrap_label = (char *)order;
+    if ((order =
+         xmlGetProp(cur_node, (xmlChar *) BOOTSTRAP_LABEL_ATTR_NAME)))
+        bootstrap_label = (char *) order;
     else {
         printf("ERROR: No bootstrap label defined!\n");
         exit(EXIT_FAILURE);
@@ -615,45 +631,40 @@ void walk_labels(xmlNode * start, xmlDoc
     xmlNode *cur_node = NULL;
     int code;
 
-    for (cur_node = start; cur_node; cur_node = cur_node->next)
-    {
-        if ((code = totoken((char *) cur_node->name)) < 0)
-        {
+    for (cur_node = start; cur_node; cur_node = cur_node->next) {
+        if ((code = totoken((char *) cur_node->name)) < 0) {
             printf("Unkonwn token: >%s<. Aborting.\n", cur_node->name);
             exit(EXIT_FAILURE);
         }
         switch (code) {         /* adjust state to new state */
-
         case XML2BIN_SUBJECTS:
             set_bootstrap_label(cur_node);
             /* fall through */
+        case XML2BIN_SECPOL:
+        case XML2BIN_LABELTEMPLATE:
         case XML2BIN_VM:
         case XML2BIN_RES:
-        case XML2BIN_SECTEMPLATE:
         case XML2BIN_OBJECTS:
             walk_labels(cur_node->children, doc, state | (1 << code));
             break;
 
         case XML2BIN_STETYPES:
             /* create new ssid entry to use and point current to it */
-            if (init_next_ste_ssid(state))
-            {
+            if (init_next_ste_ssid(state)) {
                 printf("ERROR: creating new ste ssid structure failed.\n");
                 exit(EXIT_FAILURE);
             }
             walk_labels(cur_node->children, doc, state | (1 << code));
-
             break;
 
         case XML2BIN_CHWALLTYPES:
             /* create new ssid entry to use and point current to it */
-            if (init_next_chwall_ssid(state))
-            {
-                printf("ERROR: creating new chwall ssid structure failed.\n");
+            if (init_next_chwall_ssid(state)) {
+                printf
+                    ("ERROR: creating new chwall ssid structure failed.\n");
                 exit(EXIT_FAILURE);
             }
             walk_labels(cur_node->children, doc, state | (1 << code));
-
             break;
 
         case XML2BIN_TYPE:
@@ -663,115 +674,66 @@ void walk_labels(xmlNode * start, xmlDoc
             break;
 
         case XML2BIN_NAME:
-            if ((state != XML2BIN_VM_S) && (state != XML2BIN_RES_S))
-            {
-                printf("ERROR: >name< out of VM/RES context.\n");
+            if ((state == XML2BIN_VM_S) || (state == XML2BIN_RES_S)) {
+                current_ssid_name = (char *)
+                    xmlNodeListGetString(doc, cur_node->xmlChildrenNode,
+                                         1);
+                if (!current_ssid_name) {
+                    printf("ERROR: empty >vm/res name<!\n");
+                    exit(EXIT_FAILURE);
+                }
+            } else {
+                printf
+                    ("ERROR: >name< >%s< out of context (state = 0x%lx.\n",
+                     (char *) xmlNodeListGetString(doc,
+                                                   cur_node->
+                                                   xmlChildrenNode, 1),
+                     state);
                 exit(EXIT_FAILURE);
             }
-            current_ssid_name = (char *)
-                xmlNodeListGetString(doc, cur_node->xmlChildrenNode, 1);
-
-            if (!current_ssid_name)
-            {
-                printf("ERROR: empty >name<!\n");
-                exit(EXIT_FAILURE);
-            }
             break;
 
         case XML2BIN_TEXT:
         case XML2BIN_COMMENT:
-        case XML2BIN_LABELHEADER:
+        case XML2BIN_POLICYHEADER:
+        case XML2BIN_STE:
+        case XML2BIN_CHWALL:
             break;
 
         default:
-            printf("Unkonwn token Error (%d)\n", code);
+            printf("Unkonwn token Error (%d) in Label Template\n", code);
             exit(EXIT_FAILURE);
         }
-
     }
     return;
-}
-
-/* this function walks through a ssid queue
- * and transforms double entries into references
- * of the first definition (we need to keep the
- * entry to map labels but we don't want double
- * ssids in the binary policy
- */
-void
-remove_doubles(struct tailhead_ssid *head,
-                        u_int32_t max_types, u_int32_t * max_ssids)
-{
-    struct ssid_entry *np, *ni;
-
-    /* walk once through the list */
-    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
-    {
-        /* now search from the start until np for the same entry */
-        for (ni = head->tqh_first; ni != np; ni = ni->entries.tqe_next)
-        {
-            if (ni->is_ref)
-                continue;
-            if (memcmp(np->row, ni->row, max_types))
-                continue;
-            /* found one, set np reference to ni */
-            np->is_ref = 1;
-            np->num = ni->num;
-            (*max_ssids)--;
-        }
-    }
-
-    /* now minimize the ssid numbers used (doubles introduce holes) */
-    (*max_ssids) = 0; /* reset */
-
-    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
-    {
-        if (np->is_ref)
-            continue;
-
-        if (np->num != (*max_ssids)) {
-                /* first reset all later references to the new max_ssid */
-                for (ni = np->entries.tqe_next; ni != NULL; ni = 
ni->entries.tqe_next)
-                {
-                    if (ni->num == np->num)
-                        ni->num = (*max_ssids);
-                }
-                /* now reset num */
-                np->num = (*max_ssids)++;
-        }
-        else
-            (*max_ssids)++;
-    }
 }
 
 /*
  * will go away as soon as we have non-static bootstrap ssidref for dom0
  */
 void fixup_bootstrap_label(struct tailhead_ssid *head,
-                         u_int32_t max_types, u_int32_t * max_ssids)
+                           u_int32_t max_types, u_int32_t * max_ssids)
 {
     struct ssid_entry *np;
     int i;
 
     /* should not happen if xml / xsd checks work */
-    if (!bootstrap_label)
-    {
+    if (!bootstrap_label) {
         printf("ERROR: No bootstrap label defined.\n");
         exit(EXIT_FAILURE);
     }
 
     /* search bootstrap_label */
-    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next)
-    {
-        if (!strcmp(np->name, bootstrap_label))
-        {
+    for (np = head->tqh_first; np != NULL; np = np->entries.tqe_next) {
+        if (!strcmp(np->name, bootstrap_label)) {
             break;
         }
     }
 
     if (!np) {
         /* bootstrap label not found */
-        printf("ERROR: Bootstrap label >%s< not found.\n", bootstrap_label);
+        printf("ERROR: Bootstrap label >%s< not found.\n",
+               bootstrap_label);
         exit(EXIT_FAILURE);
     }
 
@@ -781,16 +743,14 @@ void fixup_bootstrap_label(struct tailhe
     TAILQ_INSERT_AFTER(head, head->tqh_first, np, entries);
 
     /* renumber the ssids (we could also just switch places with 1st element) 
*/
-    for (np = head->tqh_first, i=0; np != NULL; np = np->entries.tqe_next, i++)
-        np->num   = i;
-
-}
-
-int create_ssid_mapping(xmlDocPtr doc)
-{
-    xmlNode *root_element = xmlDocGetRootElement(doc);
-    struct ssid_entry *np;
-    int i;
+    for (np = head->tqh_first, i = 0; np != NULL;
+         np = np->entries.tqe_next, i++)
+        np->num = i;
+
+}
+
+void init_label_mapping(void)
+{
 
     printf("Creating label mappings ...\n");
     /* initialize the ste and chwall type lists */
@@ -798,14 +758,16 @@ int create_ssid_mapping(xmlDocPtr doc)
     TAILQ_INIT(&ste_ssid_head);
 
     /* init with default ssids */
-    if (init_ssid_queues())
-    {
+    if (init_ssid_queues()) {
         printf("ERROR adding default ssids.\n");
         exit(EXIT_FAILURE);
     }
-
-    /* now walk the template DOM tree and fill in ssids */
-    walk_labels(root_element, doc, XML2BIN_NULL);
+}
+
+void post_label_mapping(void)
+{
+    struct ssid_entry *np;
+    int i;
 
     /*
      * now sort bootstrap label to the head of the list
@@ -814,30 +776,20 @@ int create_ssid_mapping(xmlDocPtr doc)
      */
     if (have_chwall)
         fixup_bootstrap_label(&chwall_ssid_head, max_chwall_types,
-                                &max_chwall_ssids);
+                              &max_chwall_ssids);
     if (have_ste)
         fixup_bootstrap_label(&ste_ssid_head, max_ste_types,
-                                &max_ste_ssids);
-
-    /* remove any double entries (insert reference instead) */
-    if (have_chwall)
-        remove_doubles(&chwall_ssid_head, max_chwall_types,
-                       &max_chwall_ssids);
-    if (have_ste)
-        remove_doubles(&ste_ssid_head, max_ste_types,
-                       &max_ste_ssids);
+                              &max_ste_ssids);
 
     if (!DEBUG)
-        return 0;
+        return;
 
     /* print queues */
-    if (have_chwall)
-    {
+    if (have_chwall) {
         printf("CHWALL SSID queue (max ssidrefs=%d):\n", max_chwall_ssids);
         np = NULL;
         for (np = chwall_ssid_head.tqh_first; np != NULL;
-             np = np->entries.tqe_next)
-        {
+             np = np->entries.tqe_next) {
             printf("SSID #%02u (Label=%s)\n", np->num, np->name);
             if (np->is_ref)
                 printf("REFERENCE");
@@ -848,13 +800,11 @@ int create_ssid_mapping(xmlDocPtr doc)
             printf("\n\n");
         }
     }
-    if (have_ste)
-    {
+    if (have_ste) {
         printf("STE SSID queue (max ssidrefs=%d):\n", max_ste_ssids);
         np = NULL;
         for (np = ste_ssid_head.tqh_first; np != NULL;
-             np = np->entries.tqe_next)
-        {
+             np = np->entries.tqe_next) {
             printf("SSID #%02u (Label=%s)\n", np->num, np->name);
             if (np->is_ref)
                 printf("REFERENCE");
@@ -865,7 +815,19 @@ int create_ssid_mapping(xmlDocPtr doc)
             printf("\n\n");
         }
     }
-    return 0;
+}
+
+void create_mappings(xmlDocPtr doc)
+{
+    xmlNode *doc_root_node = xmlDocGetRootElement(doc);
+
+    /* walk the XML policy tree and fill in types and labels */
+    init_type_mapping();
+    walk_policy(doc_root_node, doc, XML2BIN_NULL);      /* first pass: types */
+    post_type_mapping();
+    init_label_mapping();
+    walk_labels(doc_root_node, doc, XML2BIN_NULL);      /* second pass: labels 
*/
+    post_label_mapping();
 }
 
 /***************** writing the binary policy *********************/
@@ -888,19 +850,16 @@ int write_mapping(char *filename)
     if ((file = fopen(filename, "w")) == NULL)
         return -EIO;
 
+    fprintf(file, "POLICYREFERENCENAME    %s\n", policy_reference_name);
     fprintf(file, "MAGIC                  %08x\n", ACM_MAGIC);
-    fprintf(file, "POLICY                 %s\n",
-            basename(policy_filename));
-    fprintf(file, "BINARY                 %s\n",
-            basename(binary_filename));
-    if (have_chwall)
-    {
+    fprintf(file, "POLICY FILE            %s\n", policy_filename);
+    fprintf(file, "BINARY FILE            %s\n", binary_filename);
+    if (have_chwall) {
         fprintf(file, "MAX-CHWALL-TYPES       %08x\n", max_chwall_types);
         fprintf(file, "MAX-CHWALL-SSIDS       %08x\n", max_chwall_ssids);
         fprintf(file, "MAX-CHWALL-LABELS      %08x\n", max_chwall_labels);
     }
-    if (have_ste)
-    {
+    if (have_ste) {
         fprintf(file, "MAX-STE-TYPES          %08x\n", max_ste_types);
         fprintf(file, "MAX-STE-SSIDS          %08x\n", max_ste_ssids);
         fprintf(file, "MAX-STE-LABELS         %08x\n", max_ste_labels);
@@ -939,11 +898,9 @@ int write_mapping(char *filename)
     fprintf(file, "\n");
 
     /* first labels to ssid mappings */
-    if (have_chwall)
-    {
+    if (have_chwall) {
         for (e = chwall_ssid_head.tqh_first; e != NULL;
-             e = e->entries.tqe_next)
-        {
+             e = e->entries.tqe_next) {
             fprintf(file, "LABEL->SSID %s CHWALL %-25s %8x\n",
                     (e->type ==
                      VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"),
@@ -951,11 +908,9 @@ int write_mapping(char *filename)
         }
         fprintf(file, "\n");
     }
-    if (have_ste)
-    {
+    if (have_ste) {
         for (e = ste_ssid_head.tqh_first; e != NULL;
-             e = e->entries.tqe_next)
-        {
+             e = e->entries.tqe_next) {
             fprintf(file, "LABEL->SSID %s STE    %-25s %8x\n",
                     (e->type ==
                      VM) ? "VM " : ((e->type == RES) ? "RES" : "ANY"),
@@ -965,11 +920,9 @@ int write_mapping(char *filename)
     }
 
     /* second ssid to type mappings */
-    if (have_chwall)
-    {
+    if (have_chwall) {
         for (e = chwall_ssid_head.tqh_first; e != NULL;
-             e = e->entries.tqe_next)
-        {
+             e = e->entries.tqe_next) {
             if (e->is_ref)
                 continue;
 
@@ -985,8 +938,7 @@ int write_mapping(char *filename)
     }
     if (have_ste) {
         for (e = ste_ssid_head.tqh_first; e != NULL;
-             e = e->entries.tqe_next)
-        {
+             e = e->entries.tqe_next) {
             if (e->is_ref)
                 continue;
 
@@ -1001,18 +953,15 @@ int write_mapping(char *filename)
         fprintf(file, "\n");
     }
     /* third type mappings */
-    if (have_chwall)
-    {
-        for (t = chwall_head.tqh_first; t != NULL; t = t->entries.tqe_next)
-        {
+    if (have_chwall) {
+        for (t = chwall_head.tqh_first; t != NULL; t = t->entries.tqe_next) {
             fprintf(file, "TYPE CHWALL            %-25s %8x\n",
                     t->name, t->mapping);
         }
         fprintf(file, "\n");
     }
     if (have_ste) {
-        for (t = ste_head.tqh_first; t != NULL; t = t->entries.tqe_next)
-        {
+        for (t = ste_head.tqh_first; t != NULL; t = t->entries.tqe_next) {
             fprintf(file, "TYPE STE               %-25s %8x\n",
                     t->name, t->mapping);
         }
@@ -1021,6 +970,38 @@ int write_mapping(char *filename)
     fclose(file);
     return 0;
 }
+
+
+unsigned char *write_policy_reference_binary(u_int32_t * len_pr)
+{
+    unsigned char *buf, *ptr;
+    struct acm_policy_reference_buffer *pr_header;
+    u_int32_t len;
+
+    if (policy_reference_name == NULL) {
+        printf("ERROR: No policy reference name found.\n");
+        exit(EXIT_FAILURE);
+    }
+    len = (sizeof(struct acm_policy_reference_buffer) +
+           strlen(policy_reference_name) + 1);
+    buf = malloc(len);
+    ptr = buf;
+
+    if (!buf) {
+        printf
+            ("ERROR: out of memory allocating label reference buffer.\n");
+        exit(EXIT_FAILURE);
+    }
+    pr_header = (struct acm_policy_reference_buffer *) buf;
+    pr_header->len =
+        htonl(strlen(policy_reference_name) + 1 /* strend \'0' */ );
+    ptr += sizeof(struct acm_policy_reference_buffer);
+    strcpy((char *) ptr, policy_reference_name);
+
+    (*len_pr) = len;
+    return buf;
+}
+
 
 unsigned char *write_chwall_binary(u_int32_t * len_chwall)
 {
@@ -1040,8 +1021,7 @@ unsigned char *write_chwall_binary(u_int
     buf = malloc(len);
     ptr = buf;
 
-    if (!buf)
-    {
+    if (!buf) {
         printf("ERROR: out of memory allocating chwall buffer.\n");
         exit(EXIT_FAILURE);
     }
@@ -1058,14 +1038,13 @@ unsigned char *write_chwall_binary(u_int
     chwall_header->chwall_conflict_sets_offset =
         htonl(ntohl(chwall_header->chwall_ssid_offset) +
               sizeof(domaintype_t) * max_chwall_ssids * max_chwall_types);
-    chwall_header->chwall_running_types_offset = 0;     /* not set, only 
retrieved */
-    chwall_header->chwall_conflict_aggregate_offset = 0;        /* not set, 
only retrieved */
+    chwall_header->chwall_running_types_offset = 0;
+    chwall_header->chwall_conflict_aggregate_offset = 0;
     ptr += sizeof(struct acm_chwall_policy_buffer);
 
     /* types */
     for (e = chwall_ssid_head.tqh_first; e != NULL;
-         e = e->entries.tqe_next)
-    {
+         e = e->entries.tqe_next) {
         if (e->is_ref)
             continue;
 
@@ -1077,16 +1056,14 @@ unsigned char *write_chwall_binary(u_int
 
     /* conflictsets */
     for (e = conflictsets_head.tqh_first; e != NULL;
-         e = e->entries.tqe_next)
-    {
+         e = e->entries.tqe_next) {
         for (i = 0; i < max_chwall_types; i++)
             ((type_t *) ptr)[i] = htons((type_t) e->row[i]);
 
         ptr += sizeof(type_t) * max_chwall_types;
     }
 
-    if ((ptr - buf) != len)
-    {
+    if ((ptr - buf) != len) {
         printf("ERROR: wrong lengths in %s.\n", __func__);
         exit(EXIT_FAILURE);
     }
@@ -1112,8 +1089,7 @@ unsigned char *write_ste_binary(u_int32_
     buf = malloc(len);
     ptr = buf;
 
-    if (!buf)
-    {
+    if (!buf) {
         printf("ERROR: out of memory allocating chwall buffer.\n");
         exit(EXIT_FAILURE);
     }
@@ -1130,8 +1106,7 @@ unsigned char *write_ste_binary(u_int32_
     ptr += sizeof(struct acm_ste_policy_buffer);
 
     /* types */
-    for (e = ste_ssid_head.tqh_first; e != NULL; e = e->entries.tqe_next)
-    {
+    for (e = ste_ssid_head.tqh_first; e != NULL; e = e->entries.tqe_next) {
         if (e->is_ref)
             continue;
 
@@ -1141,8 +1116,7 @@ unsigned char *write_ste_binary(u_int32_
         ptr += sizeof(type_t) * max_ste_types;
     }
 
-    if ((ptr - buf) != len)
-    {
+    if ((ptr - buf) != len) {
         printf("ERROR: wrong lengths in %s.\n", __func__);
         exit(EXIT_FAILURE);
     }
@@ -1153,16 +1127,21 @@ int write_binary(char *filename)
 int write_binary(char *filename)
 {
     struct acm_policy_buffer header;
-    unsigned char *ste_buffer = NULL, *chwall_buffer = NULL;
+    unsigned char *ste_buffer = NULL, *chwall_buffer =
+        NULL, *policy_reference_buffer = NULL;
     u_int32_t len;
-    int fd;
-
-    u_int32_t len_ste = 0, len_chwall = 0;      /* length of policy components 
*/
+    int fd, ret = 0;
+
+    u_int32_t len_ste = 0, len_chwall = 0, len_pr = 0;  /* length of policy 
components */
 
     /* open binary file */
-    if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR)) 
<= 0)
-        return -EIO;
-
+    if ((fd =
+         open(filename, O_WRONLY | O_CREAT | O_TRUNC,
+              S_IRUSR | S_IWUSR)) <= 0) {
+        ret = -EIO;
+        goto out1;
+    }
+    policy_reference_buffer = write_policy_reference_binary(&len_pr);
     ste_buffer = write_ste_binary(&len_ste);
     chwall_buffer = write_chwall_binary(&len_chwall);
 
@@ -1175,24 +1154,26 @@ int write_binary(char *filename)
         len += len_chwall;
     if (have_ste)
         len += len_ste;
+    len += len_pr;              /* policy reference is mandatory */
     header.len = htonl(len);
 
-    header.primary_buffer_offset = htonl(sizeof(struct acm_policy_buffer));
-    if (primary == CHWALL)
-    {
+    header.policy_reference_offset =
+        htonl(sizeof(struct acm_policy_buffer));
+
+    header.primary_buffer_offset =
+        htonl(sizeof(struct acm_policy_buffer) + len_pr);
+    if (primary == CHWALL) {
         header.primary_policy_code = htonl(ACM_CHINESE_WALL_POLICY);
         header.secondary_buffer_offset =
-            htonl((sizeof(struct acm_policy_buffer)) + len_chwall);
-    }
-    else if (primary == STE)
-    {
+            htonl((sizeof(struct acm_policy_buffer)) + len_pr +
+                  len_chwall);
+    } else if (primary == STE) {
         header.primary_policy_code =
             htonl(ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY);
         header.secondary_buffer_offset =
-            htonl((sizeof(struct acm_policy_buffer)) + len_ste);
-    }
-    else
-    {
+            htonl((sizeof(struct acm_policy_buffer)) + len_pr +
+                  len_ste);
+    } else {
         /* null policy */
         header.primary_policy_code = htonl(ACM_NULL_POLICY);
         header.secondary_buffer_offset =
@@ -1208,36 +1189,52 @@ int write_binary(char *filename)
         header.secondary_policy_code = htonl(ACM_NULL_POLICY);
 
     if (write(fd, (void *) &header, sizeof(struct acm_policy_buffer))
-        != sizeof(struct acm_policy_buffer))
-        return -EIO;
-
+        != sizeof(struct acm_policy_buffer)) {
+        ret = -EIO;
+        goto out1;
+    }
+
+    /* write label reference name */
+    if (write(fd, policy_reference_buffer, len_pr) != len_pr) {
+        ret = -EIO;
+        goto out1;
+    }
     /* write primary policy component */
-    if (primary == CHWALL)
-    {
-        if (write(fd, chwall_buffer, len_chwall) != len_chwall)
-            return -EIO;
-    }
-    else if (primary == STE)
-    {
-        if (write(fd, ste_buffer, len_ste) != len_ste)
-            return -EIO;
-    } else
-        ;                     /* NULL POLICY has no policy data */
+    if (primary == CHWALL) {
+        if (write(fd, chwall_buffer, len_chwall) != len_chwall) {
+            ret = -EIO;
+            goto out1;
+        }
+    } else if (primary == STE) {
+        if (write(fd, ste_buffer, len_ste) != len_ste) {
+            ret = -EIO;
+            goto out1;
+        }
+    } else;                     /* NULL POLICY has no policy data */
 
     /* write secondary policy component */
-    if (secondary == CHWALL)
-    {
-        if (write(fd, chwall_buffer, len_chwall) != len_chwall)
-            return -EIO;
-    }
-    else if (secondary == STE)
-    {
-        if (write(fd, ste_buffer, len_ste) != len_ste)
-            return -EIO;
+    if (secondary == CHWALL) {
+        if (write(fd, chwall_buffer, len_chwall) != len_chwall) {
+            ret = -EIO;
+            goto out1;
+        }
+    } else if (secondary == STE) {
+        if (write(fd, ste_buffer, len_ste) != len_ste) {
+            ret = -EIO;
+            goto out1;
+        }
     } else;                     /* NULL POLICY has no policy data */
 
+  out1:
+    /* cleanup */
+    if (policy_reference_buffer)
+        free(policy_reference_buffer);
+    if (chwall_buffer)
+        free(chwall_buffer);
+    if (ste_buffer)
+        free(ste_buffer);
     close(fd);
-    return 0;
+    return ret;
 }
 
 int is_valid(xmlDocPtr doc)
@@ -1253,18 +1250,15 @@ int is_valid(xmlDocPtr doc)
 
 #ifdef VALIDATE_SCHEMA
     /* only tested to be available from libxml2-2.6.20 upwards */
-    if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1)
-    {
+    if ((err = xmlSchemaIsValid(schemavalid_ctxt)) != 1) {
         printf("ERROR: Invalid schema file %s (err=%d)\n",
                schema_filename, err);
         err = -EIO;
         goto out;
-    }
-    else
+    } else
         printf("XML Schema %s valid.\n", schema_filename);
 #endif
-    if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc)))
-    {
+    if ((err = xmlSchemaValidateDoc(schemavalid_ctxt, doc))) {
         err = -EIO;
         goto out;
     }
@@ -1277,10 +1271,9 @@ int is_valid(xmlDocPtr doc)
 
 int main(int argc, char **argv)
 {
-    xmlDocPtr labeldoc = NULL;
     xmlDocPtr policydoc = NULL;
 
-    int err = EXIT_SUCCESS;
+    int err = EXIT_FAILURE;
 
     char *file_prefix;
     int prefix_len;
@@ -1288,16 +1281,18 @@ int main(int argc, char **argv)
     int opt_char;
     char *policy_dir = POLICY_DIR;
 
-    if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION)
-    {
-        printf("ERROR: This program was written against an older ACM 
version.\n");
+    if (ACM_POLICY_VERSION != WRITTEN_AGAINST_ACM_POLICY_VERSION) {
+        printf
+            ("ERROR: This program was written against an older ACM 
version.\n");
+        printf("ERROR: ACM_POLICY_VERSION=%d, WRITTEN AGAINST= %d.\n",
+               ACM_POLICY_VERSION, WRITTEN_AGAINST_ACM_POLICY_VERSION);
         exit(EXIT_FAILURE);
     }
 
     while ((opt_char = getopt(argc, argv, "d:")) != -1) {
         switch (opt_char) {
         case 'd':
-            policy_dir = malloc(strlen(optarg) + 2); // null terminator and 
possibly "/"
+            policy_dir = malloc(strlen(optarg) + 2);    /* null terminator and 
possibly "/" */
             if (!policy_dir) {
                 printf("ERROR allocating directory name memory.\n");
                 exit(EXIT_FAILURE);
@@ -1315,20 +1310,21 @@ int main(int argc, char **argv)
     if ((argc - optind) != 1)
         usage(basename(argv[0]));
 
-    prefix_len = strlen(policy_dir) +
-        strlen(argv[optind]) + 1 /* "/" */  +
-        strlen(argv[optind]) + 1 /* null terminator */ ;
+    printf("arg=%s\n", argv[optind]);
+
+    prefix_len =
+        strlen(policy_dir) + strlen(argv[optind]) +
+        1 /* null terminator */ ;
 
     file_prefix = malloc(prefix_len);
     policy_filename = malloc(prefix_len + strlen(POLICY_EXTENSION));
-    label_filename = malloc(prefix_len + strlen(LABEL_EXTENSION));
     binary_filename = malloc(prefix_len + strlen(BINARY_EXTENSION));
     mapping_filename = malloc(prefix_len + strlen(MAPPING_EXTENSION));
-    schema_filename = malloc(strlen(policy_dir) + strlen(SCHEMA_FILENAME) + 1);
-
-    if (!file_prefix || !policy_filename || !label_filename ||
-        !binary_filename || !mapping_filename || !schema_filename)
-    {
+    schema_filename =
+        malloc(strlen(policy_dir) + strlen(SCHEMA_FILENAME) + 1);
+
+    if (!file_prefix || !policy_filename ||
+        !binary_filename || !mapping_filename || !schema_filename) {
         printf("ERROR allocating file name memory.\n");
         goto out2;
     }
@@ -1336,85 +1332,56 @@ int main(int argc, char **argv)
     /* create input/output filenames out of prefix */
     strcpy(file_prefix, policy_dir);
     strcat(file_prefix, argv[optind]);
-    strcat(file_prefix, "/");
-    strcat(file_prefix, argv[optind]);
 
     strcpy(policy_filename, file_prefix);
-    strcpy(label_filename, file_prefix);
     strcpy(binary_filename, file_prefix);
     strcpy(mapping_filename, file_prefix);
 
     strcat(policy_filename, POLICY_EXTENSION);
-    strcat(label_filename, LABEL_EXTENSION);
     strcat(binary_filename, BINARY_EXTENSION);
     strcat(mapping_filename, MAPPING_EXTENSION);
 
     strcpy(schema_filename, policy_dir);
     strcat(schema_filename, SCHEMA_FILENAME);
 
-    labeldoc = xmlParseFile(label_filename);
-
-    if (labeldoc == NULL)
-    {
+    policydoc = xmlParseFile(policy_filename);
+
+    if (policydoc == NULL) {
         printf("Error: could not parse file %s.\n", argv[optind]);
-        goto out2;
-    }
-
-    printf("Validating label file %s...\n", label_filename);
-    if (!is_valid(labeldoc))
-    {
-        printf("ERROR: Failed schema-validation for file %s (err=%d)\n",
-               label_filename, err);
-        goto out1;
-    }
-
-    policydoc = xmlParseFile(policy_filename);
-
-    if (policydoc == NULL)
-    {
-        printf("Error: could not parse file %s.\n", argv[optind]);
-        goto out1;
+        goto out;
     }
 
     printf("Validating policy file %s...\n", policy_filename);
 
-    if (!is_valid(policydoc))
-    {
+    if (!is_valid(policydoc)) {
         printf("ERROR: Failed schema-validation for file %s (err=%d)\n",
                policy_filename, err);
         goto out;
     }
 
-    /* Init queues and parse policy */
-    create_type_mapping(policydoc);
-
-    /* create ssids */
-    create_ssid_mapping(labeldoc);
+    /* create mappings */
+    create_mappings(policydoc);
 
     /* write label mapping file */
-    if (write_mapping(mapping_filename))
-    {
+    if (write_mapping(mapping_filename)) {
         printf("ERROR: writing mapping file %s.\n", mapping_filename);
         goto out;
     }
 
     /* write binary file */
-    if (write_binary(binary_filename))
-    {
+    if (write_binary(binary_filename)) {
         printf("ERROR: writing binary file %s.\n", binary_filename);
         goto out;
     }
-
+    err = EXIT_SUCCESS;
     /* write stats */
-    if (have_chwall)
-    {
+    if (have_chwall) {
         printf("Max chwall labels:  %u\n", max_chwall_labels);
         printf("Max chwall-types:   %u\n", max_chwall_types);
         printf("Max chwall-ssids:   %u\n", max_chwall_ssids);
     }
 
-    if (have_ste)
-    {
+    if (have_ste) {
         printf("Max ste labels:     %u\n", max_ste_labels);
         printf("Max ste-types:      %u\n", max_ste_types);
         printf("Max ste-ssids:      %u\n", max_ste_ssids);
@@ -1422,10 +1389,17 @@ int main(int argc, char **argv)
     /* cleanup */
   out:
     xmlFreeDoc(policydoc);
-  out1:
-    xmlFreeDoc(labeldoc);
   out2:
     xmlCleanupParser();
     return err;
 }
 
+/*
+ * Local variables:
+ * mode: C
+ * c-set-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
diff -r 0a5183b3e7bb -r ad30019015a2 tools/security/secpol_xml2bin.h
--- a/tools/security/secpol_xml2bin.h   Mon Apr 24 10:51:20 2006 +0100
+++ b/tools/security/secpol_xml2bin.h   Mon Apr 24 10:51:50 2006 +0100
@@ -12,37 +12,41 @@
  * License.
  *
  */
-#define POLICY_DIR          "/etc/xen/acm-security/policies/"
-#define POLICY_EXTENSION    "-security_policy.xml"
-#define LABEL_EXTENSION     "-security_label_template.xml"
-#define BINARY_EXTENSION    ".bin"
-#define MAPPING_EXTENSION   ".map"
-#define PRIMARY_COMPONENT_ATTR_NAME "order"
-#define BOOTSTRAP_LABEL_ATTR_NAME   "bootstrap"
-#define PRIMARY_COMPONENT   "PrimaryPolicyComponent"
-#define SCHEMA_FILENAME     "security_policy.xsd"
+#define POLICY_DIR                             
"/etc/xen/acm-security/policies/"
+#define POLICY_EXTENSION                       "-security_policy.xml"
+#define BINARY_EXTENSION                       ".bin"
+#define MAPPING_EXTENSION                      ".map"
+#define PRIMARY_COMPONENT_ATTR_NAME    "order"
+#define BOOTSTRAP_LABEL_ATTR_NAME      "bootstrap"
+#define PRIMARY_COMPONENT                      "PrimaryPolicyComponent"
+#define SCHEMA_FILENAME                        "security_policy.xsd"
 
 /* basic states (used as 1 << X) */
-#define XML2BIN_SECPOL             0   /* policy tokens */
-#define XML2BIN_STE                    1
+#define ENDOFLIST_POS           22  /* ADAPT!! this position will be NULL; 
stay below 32 (bit) */
+#define XML2BIN_SECPOL          0   /* policy tokens */
+#define XML2BIN_STE             1
 #define XML2BIN_CHWALL          2
-#define XML2BIN_CONFLICTSETS           3
-#define XML2BIN_CSTYPE         4
+#define XML2BIN_CONFLICTSETS    3
+#define XML2BIN_CSTYPE          4
+#define XML2BIN_POLICYHEADER    5
+#define XML2BIN_NSURL           6
+#define XML2BIN_POLICYNAME      7
+#define XML2BIN_URL             8
+#define XML2BIN_REFERENCE       9
+#define XML2BIN_DATE            10
 
-#define XML2BIN_SECTEMPLATE        5   /* label tokens */
-#define XML2BIN_POLICYHEADER           6
-#define XML2BIN_LABELHEADER     7
-#define XML2BIN_SUBJECTS        8
-#define XML2BIN_OBJECTS            9
-#define XML2BIN_VM                 10
-#define XML2BIN_RES            11
+#define XML2BIN_LABELTEMPLATE   11  /* label tokens */
+#define XML2BIN_SUBJECTS        12
+#define XML2BIN_OBJECTS         13
+#define XML2BIN_VM              14
+#define XML2BIN_RES             15
+#define XML2BIN_NAME            16
 
-#define XML2BIN_STETYPES           12  /* shared tokens */
-#define XML2BIN_CHWALLTYPES        13
-#define XML2BIN_TYPE               14
-#define XML2BIN_NAME            15
-#define XML2BIN_TEXT               16
-#define XML2BIN_COMMENT                17
+#define XML2BIN_STETYPES        17  /* shared tokens */
+#define XML2BIN_CHWALLTYPES     18
+#define XML2BIN_TYPE            19
+#define XML2BIN_TEXT            20
+#define XML2BIN_COMMENT         21
 
 /* type "data type" (currently 16bit) */
 typedef u_int16_t type_t;
@@ -51,27 +55,34 @@ typedef u_int16_t type_t;
  * state constants and token positions must be  *
  * in sync for correct state recognition        */
 
-char *token[20] =                       /* parser triggers */
+char *token[32] =                       /* parser triggers */
 {
-    [0] = "SecurityPolicyDefinition",   /* policy xml */
-    [1] = "SimpleTypeEnforcement",
-    [2] = "ChineseWall",
-    [3] = "ConflictSets",
-    [4] = "Conflict",                   /* label-template xml */
-    [5] = "SecurityLabelTemplate",
-    [6] = "PolicyHeader",
-    [7] = "LabelHeader",
-    [8] = "SubjectLabels",
-    [9] = "ObjectLabels",
-    [10] = "VirtualMachineLabel",
-    [11] = "ResourceLabel",
-    [12] = "SimpleTypeEnforcementTypes",                  /* common tags */
-    [13] = "ChineseWallTypes",
-    [14] = "Type",
-    [15] = "Name",
-    [16] = "text",
-    [17] = "comment",
-    [18] = NULL,
+    [XML2BIN_SECPOL]        = "SecurityPolicyDefinition", /* policy xml */
+    [XML2BIN_STE]           = "SimpleTypeEnforcement",
+    [XML2BIN_CHWALL]        = "ChineseWall",
+    [XML2BIN_CONFLICTSETS]  = "ConflictSets",
+    [XML2BIN_CSTYPE]        = "Conflict",
+    [XML2BIN_POLICYHEADER]  = "PolicyHeader",
+    [XML2BIN_NSURL]         = "NameSpaceUrl",
+    [XML2BIN_POLICYNAME]    = "PolicyName",
+    [XML2BIN_URL]           = "PolicyUrl",
+    [XML2BIN_REFERENCE]     = "Reference",
+    [XML2BIN_DATE]          = "Date",
+
+    [XML2BIN_LABELTEMPLATE] = "SecurityLabelTemplate", /* label-template xml */
+    [XML2BIN_SUBJECTS]      = "SubjectLabels",
+    [XML2BIN_OBJECTS]       = "ObjectLabels",
+    [XML2BIN_VM]            = "VirtualMachineLabel",
+    [XML2BIN_RES]           = "ResourceLabel",
+    [XML2BIN_NAME]          = "Name",
+
+    [XML2BIN_STETYPES]      = "SimpleTypeEnforcementTypes", /* common tags */
+    [XML2BIN_CHWALLTYPES]   = "ChineseWallTypes",
+    [XML2BIN_TYPE]          = "Type",
+       [XML2BIN_TEXT]          = "text",
+    [XML2BIN_COMMENT]       = "comment",
+    [ENDOFLIST_POS]         = NULL  /* End of LIST, adapt ENDOFLIST_POS
+                                       when adding entries */
 };
 
 /* important combined states */
@@ -82,47 +93,53 @@ char *token[20] =                       
 /* e.g., here we are in a <secpol,ste,stetypes> environment,  *
  * so when finding a type element, we know where to put it    */
 #define XML2BIN_stetype_S ((1 << XML2BIN_SECPOL) | \
-                                (1 << XML2BIN_STE) |    \
-                                (1 << XML2BIN_STETYPES))
+                 (1 << XML2BIN_STE) | \
+                 (1 << XML2BIN_STETYPES))
 
 #define XML2BIN_chwalltype_S ((1 << XML2BIN_SECPOL) | \
-                                (1 << XML2BIN_CHWALL) | \
-                                (1 << XML2BIN_CHWALLTYPES))
+                 (1 << XML2BIN_CHWALL) | \
+                 (1 << XML2BIN_CHWALLTYPES))
 
 #define XML2BIN_conflictset_S ((1 << XML2BIN_SECPOL) | \
-                                (1 << XML2BIN_CHWALL) | \
-                                (1 << XML2BIN_CONFLICTSETS))
+                 (1 << XML2BIN_CHWALL) | \
+                 (1 << XML2BIN_CONFLICTSETS))
 
 #define XML2BIN_conflictsettype_S ((1 << XML2BIN_SECPOL) | \
-                                (1 << XML2BIN_CHWALL) | \
-                                (1 << XML2BIN_CONFLICTSETS) | \
-                                (1 << XML2BIN_CSTYPE))
+                 (1 << XML2BIN_CHWALL) | \
+                 (1 << XML2BIN_CONFLICTSETS) | \
+                 (1 << XML2BIN_CSTYPE))
 
+#define XML2BIN_PN_S ((1 << XML2BIN_SECPOL) | \
+                 (1 << XML2BIN_POLICYHEADER))
 
 /* label xml states */
-#define XML2BIN_VM_S ((1 << XML2BIN_SECTEMPLATE) | \
-                      (1 << XML2BIN_SUBJECTS) |    \
-                      (1 << XML2BIN_VM))
+#define XML2BIN_VM_S ((1 << XML2BIN_SECPOL) | \
+                 (1 << XML2BIN_LABELTEMPLATE) |        \
+                 (1 << XML2BIN_SUBJECTS) | \
+                 (1 << XML2BIN_VM))
 
-#define XML2BIN_RES_S ((1 << XML2BIN_SECTEMPLATE) | \
-                       (1 << XML2BIN_OBJECTS) |     \
-                       (1 << XML2BIN_RES))
+#define XML2BIN_RES_S ((1 << XML2BIN_SECPOL) | \
+                 (1 << XML2BIN_LABELTEMPLATE) |        \
+                 (1 << XML2BIN_OBJECTS) | \
+                 (1 << XML2BIN_RES))
 
-#define XML2BIN_VM_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
-                        (1 << XML2BIN_SUBJECTS) | \
-                        (1 << XML2BIN_VM) | \
-                        (1 << XML2BIN_STETYPES))
+#define XML2BIN_VM_STE_S ((1 << XML2BIN_SECPOL) | \
+                 (1 << XML2BIN_LABELTEMPLATE) |        \
+                 (1 << XML2BIN_SUBJECTS) | \
+                 (1 << XML2BIN_VM) | \
+                 (1 << XML2BIN_STETYPES))
 
-#define XML2BIN_VM_CHWALL_S ((1 << XML2BIN_SECTEMPLATE) | \
-                           (1 << XML2BIN_SUBJECTS) | \
-                           (1 << XML2BIN_VM) | \
-                           (1 << XML2BIN_CHWALLTYPES))
+#define XML2BIN_VM_CHWALL_S ((1 << XML2BIN_SECPOL) | \
+                 (1 << XML2BIN_LABELTEMPLATE) | \
+                 (1 << XML2BIN_SUBJECTS) | \
+                 (1 << XML2BIN_VM) | \
+                 (1 << XML2BIN_CHWALLTYPES))
 
-#define XML2BIN_RES_STE_S ((1 << XML2BIN_SECTEMPLATE) | \
-                         (1 << XML2BIN_OBJECTS) | \
-                         (1 << XML2BIN_RES) | \
-                         (1 << XML2BIN_STETYPES))
-
+#define XML2BIN_RES_STE_S ((1 << XML2BIN_SECPOL) | \
+                 (1 << XML2BIN_LABELTEMPLATE) | \
+                 (1 << XML2BIN_OBJECTS) | \
+                 (1 << XML2BIN_RES) | \
+                 (1 << XML2BIN_STETYPES))
 
 
 /* check versions of headers against which the
@@ -130,7 +147,7 @@ char *token[20] =                       
  */
 
 /* protects from unnoticed changes in struct acm_policy_buffer */
-#define WRITTEN_AGAINST_ACM_POLICY_VERSION  1
+#define WRITTEN_AGAINST_ACM_POLICY_VERSION  2
 
 /* protects from unnoticed changes in struct acm_chwall_policy_buffer */
 #define WRITTEN_AGAINST_ACM_CHWALL_VERSION  1

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.