[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] [Xm-Test] Additional tests for the xm-test suite



# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Date 1184749717 -3600
# Node ID 7ef821ff6d89d43afcbaf7e60e42e9a14306bbc0
# Parent  4197a1aad70bc567278a80a2225c87950d910095
[Xm-Test] Additional tests for the xm-test suite

This adds a couple of test cases exercising the new policy management
functionality to the security tests.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxx>
---
 tools/xm-test/lib/XmTestLib/XenAPIDomain.py                      |    4 
 tools/xm-test/lib/XmTestLib/acm.py                               |   52 +
 tools/xm-test/tests/security-acm/01_security-acm_basic.py        |   24 
 tools/xm-test/tests/security-acm/07_security-acm_pol_update.py   |  303 +++++++
 tools/xm-test/tests/security-acm/08_security-acm_xapi.py         |  354 
++++++++
 tools/xm-test/tests/security-acm/09_security-acm_pol_update.py   |  427 
++++++++++
 tools/xm-test/tests/security-acm/Makefile.am                     |    5 
 tools/xm-test/tests/security-acm/xm-test-new-security_policy.xml |   97 ++
 8 files changed, 1247 insertions(+), 19 deletions(-)

diff -r 4197a1aad70b -r 7ef821ff6d89 tools/xm-test/lib/XmTestLib/XenAPIDomain.py
--- a/tools/xm-test/lib/XmTestLib/XenAPIDomain.py       Wed Jul 18 10:04:46 
2007 +0100
+++ b/tools/xm-test/lib/XmTestLib/XenAPIDomain.py       Wed Jul 18 10:08:37 
2007 +0100
@@ -23,6 +23,7 @@ import sys
 import sys
 from XmTestLib import *
 from types import DictType
+from acm import *
 
 
 class XenAPIConfig:
@@ -38,6 +39,9 @@ class XenAPIConfig:
                            'kernel' : 'PV_kernel',
                            'ramdisk': 'PV_ramdisk',
                            'root'   : 'PV_args'}
+        if isACMEnabled():
+            #A default so every VM can start with ACM enabled
+            self.opts["security_label"] = "ACM:xm-test:red"
 
     def setOpt(self, name, value):
         """Set an option in the config"""
diff -r 4197a1aad70b -r 7ef821ff6d89 tools/xm-test/lib/XmTestLib/acm.py
--- a/tools/xm-test/lib/XmTestLib/acm.py        Wed Jul 18 10:04:46 2007 +0100
+++ b/tools/xm-test/lib/XmTestLib/acm.py        Wed Jul 18 10:08:37 2007 +0100
@@ -19,6 +19,9 @@
 """
 from Test import *
 from xen.util import security
+from xen.xm.main import server
+from xen.util import xsconstants
+import re
 
 try:
     from acm_config import *
@@ -32,16 +35,47 @@ def isACMEnabled():
     return security.on()
 
 
+def getSystemPolicyName():
+    s,o = traceCommand("xm getpolicy")
+    m = re.compile("Policy name[\s]*: ([A-z\-]+)").search(o)
+    if m:
+        polname = m.group(1)
+        return polname
+    return ""
+
+
+def ACMLoadPolicy_XenAPI(policy='xm-test'):
+    polname = getSystemPolicyName()
+    if polname != policy:
+        # Try it, maybe it's not activated
+        traceCommand("xm setpolicy %s %s" %
+                     (xsconstants.XS_POLICY_ACM, policy))
+        polname = getSystemPolicyName()
+        if polname != policy:
+            FAIL("Need to have a system with no or policy '%s' active, "
+                 "not %s" % (policy,polname))
+        else:
+            s, o = traceCommand("xm activatepolicy --load")
+    else:
+        s, o = traceCommand("xm activatepolicy --load")
+        if not re.search("Successfully", o):
+            FAIL("Could not set the policy '%s'." % policy)
+
+
 def ACMLoadPolicy(policy='xm-test'):
-    s, o = traceCommand("xm makepolicy %s" % (policy))
-    if s != 0:
-        FAIL("Need to be able to do 'xm makepolicy %s' but could not" %
-             (policy))
-    s, o = traceCommand("xm loadpolicy %s" % (policy))
-    if s != 0:
-        FAIL("Could not load the required policy '%s'.\n"
-             "Start the system without any policy.\n%s" %
-             (policy, o))
+    from xen.xm import main
+    if main.serverType == main.SERVER_XEN_API:
+        ACMLoadPolicy_XenAPI()
+    else:
+        s, o = traceCommand("xm makepolicy %s" % (policy))
+        if s != 0:
+            FAIL("Need to be able to do 'xm makepolicy %s' but could not" %
+                 (policy))
+        s, o = traceCommand("xm loadpolicy %s" % (policy))
+        if s != 0:
+            FAIL("Could not load the required policy '%s'.\n"
+                 "Start the system without any policy.\n%s" %
+                 (policy, o))
 
 def ACMPrepareSystem(resources):
     if isACMEnabled():
diff -r 4197a1aad70b -r 7ef821ff6d89 
tools/xm-test/tests/security-acm/01_security-acm_basic.py
--- a/tools/xm-test/tests/security-acm/01_security-acm_basic.py Wed Jul 18 
10:04:46 2007 +0100
+++ b/tools/xm-test/tests/security-acm/01_security-acm_basic.py Wed Jul 18 
10:08:37 2007 +0100
@@ -15,6 +15,7 @@
 
 from XmTestLib import *
 from xen.util import security
+from xen.util import xsconstants
 import commands
 import os
 import re
@@ -28,7 +29,7 @@ if not isACMEnabled():
     SKIP("Not running this test since ACM not enabled.")
 
 status, output = traceCommand("xm makepolicy %s" % (testpolicy))
-if status != 0 or output != "":
+if status != 0:
     FAIL("'xm makepolicy' failed with status %d and output\n%s" %
          (status,output));
 
@@ -47,7 +48,7 @@ status, output = traceCommand("xm addlab
 status, output = traceCommand("xm addlabel %s dom %s %s" %
                               (testlabel, vmconfigfile, testpolicy))
 if status != 0:
-    FAIL("'xm addlabel' failed with status %d.\n" % status)
+    FAIL("(1) 'xm addlabel' failed with status %d.\n" % status)
 
 status, output = traceCommand("xm getlabel dom %s" %
                               (vmconfigfile))
@@ -55,8 +56,9 @@ if status != 0:
 if status != 0:
     FAIL("'xm getlabel' failed with status %d, output:\n%s" %
          (status, output))
-if output != "policy=%s,label=%s" % (testpolicy,testlabel):
-    FAIL("Received unexpected output from 'xm getlabel': \n%s" %
+if output != "policytype=%s,policy=%s,label=%s" % \
+             (xsconstants.ACM_POLICY_ID, testpolicy, testlabel):
+    FAIL("(1) Received unexpected output from 'xm getlabel dom': \n%s" %
          (output))
 
 
@@ -74,30 +76,34 @@ status, output = traceCommand("xm getlab
                               (vmconfigfile))
 
 if output != "Error: 'Domain not labeled'":
-    FAIL("Received unexpected output from 'xm getlabel': \n%s" %
+    FAIL("(2) Received unexpected output from 'xm getlabel dom': \n%s" %
          (output))
 
 #Whatever label the resource might have, remove it
 status, output = traceCommand("xm rmlabel res %s" %
                               (testresource))
+if status != 0:
+    FAIL("'xm rmlabel' on resource failed with status %d.\n" % status)
 
 status, output = traceCommand("xm addlabel %s res %s %s" %
                               (testlabel, testresource, testpolicy))
 if status != 0:
-    FAIL("'xm addlabel' on resource failed with status %d.\n" % status)
+    FAIL("(2) 'xm addlabel' on resource failed with status %d.\n" % status)
 
 status, output = traceCommand("xm getlabel res %s" % (testresource))
 
 if status != 0:
     FAIL("'xm getlabel' on resource failed with status %d, output:\n%s" %
          (status, output))
-if output != "policy=%s,label=%s" % (testpolicy,testlabel):
-    FAIL("Received unexpected output from 'xm getlabel': \n%s" %
+if output != "%s:%s:%s" % (xsconstants.ACM_POLICY_ID,\
+                           testpolicy,testlabel):
+    FAIL("Received unexpected output from 'xm getlabel res': \n%s" %
          (output))
 
 status, output = traceCommand("xm resources")
 
 if status != 0:
+    print "status = %s" % str(status)
     FAIL("'xm resources' did not run properly")
 if not re.search(security.unify_resname(testresource), output):
     FAIL("'xm resources' did not show the tested resource '%s'." %
@@ -117,5 +123,5 @@ status, output = traceCommand("xm getlab
                               (testresource))
 
 if output != "Error: 'Resource not labeled'":
-    FAIL("Received unexpected output from 'xm getlabel': \n%s" %
+    FAIL("Received unexpected output from 'xm getlabel res': \n%s" %
          (output))
diff -r 4197a1aad70b -r 7ef821ff6d89 
tools/xm-test/tests/security-acm/07_security-acm_pol_update.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/xm-test/tests/security-acm/07_security-acm_pol_update.py    Wed Jul 
18 10:08:37 2007 +0100
@@ -0,0 +1,303 @@
+#!/usr/bin/python
+
+# Copyright (C) International Business Machines Corp., 2006
+# Author: Stefan Berger <stefanb@xxxxxxxxxx>
+
+# Test to exercise the xspolicy class
+
+from XmTestLib import xapi
+from XmTestLib.XenAPIDomain import XmTestAPIDomain
+from XmTestLib import *
+from xen.xend import XendAPIConstants
+from xen.util import acmpolicy, security, xsconstants
+from xen.util.acmpolicy import ACMPolicy
+from xen.xend.XendDomain import DOM0_UUID
+
+import commands
+import os
+import base64
+
+xm_test = {}
+xm_test['policyname'] = "xm-test"
+xm_test['date'] = "Fri Sep 29 14:44:38 2006"
+xm_test['url']  = None
+
+vm_label_red   = "%s:xm-test:red" % xsconstants.ACM_POLICY_ID
+vm_label_green = "%s:xm-test:green" % xsconstants.ACM_POLICY_ID
+vm_label_blue  = "%s:xm-test:blue" % xsconstants.ACM_POLICY_ID
+vm_label_sys   = "%s:xm-test:SystemManagement" % xsconstants.ACM_POLICY_ID
+
+vm_label_black = "%s:xm-test:black"
+
+session = xapi.connect()
+
+oldlabel = session.xenapi.VM.get_security_label(DOM0_UUID)
+
+ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
+                                               vm_label_sys,
+                                               oldlabel)
+if int(ssidref) <= 0 or int(ssidref) != 0x00010001:
+    FAIL("(0) Domain-0 label for '%s' has unexpected failure: %08x" %
+         (vm_label_sys, int(ssidref)))
+print "ssidref for '%s' is 0x%08x" % (vm_label_sys, int(ssidref))
+
+
+xstype = session.xenapi.XSPolicy.get_xstype()
+if int(xstype) & xsconstants.XS_POLICY_ACM == 0:
+    SKIP("ACM not enabled/compiled in Xen")
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+if not policystate.has_key('xs_ref'):
+    FAIL("get_xspolicy must return member 'xs_ref'")
+
+xs_ref = policystate['xs_ref']
+if xs_ref != "":
+    origpolicyxml = session.xenapi.ACMPolicy.get_xml(xs_ref)
+else:
+    origpolicyxml = ""
+
+f = open("xm-test-security_policy.xml", 'r')
+if f:
+    newpolicyxml = f.read()
+    f.close()
+else:
+    FAIL("Could not read 'xm-test' policy")
+
+try:
+    os.unlink("/boot/xm-test.bin")
+except:
+    pass
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+
+if int(policystate['type']) == 0:
+    policystate = session.xenapi.XSPolicy.set_xspolicy(
+                          xsconstants.XS_POLICY_ACM,
+                          newpolicyxml,
+                          xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
+                          1)
+    if int(policystate['flags']) == -1:
+        FAIL("Could not set the new policy.")
+
+print "state of policy = %s " % policystate
+
+rc = session.xenapi.XSPolicy.activate_xspolicy(
+                          policystate['xs_ref'],
+                          xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT)
+if int(rc) != xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT:
+    FAIL("Could not activate the current policy: rc = %08x" % int(rc))
+
+if not os.path.exists("/boot/xm-test.bin"):
+    FAIL("Binary policy was not installed. Check grub config file.")
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+
+if int(policystate['flags']) != xsconstants.XS_INST_BOOT | \
+                                xsconstants.XS_INST_LOAD:
+    FAIL("Flags (%x) are not indicating the correct state of the policy.",
+         int(policystate['flags']))
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+xs_ref = policystate['xs_ref']
+
+newpolicyxml = None
+f = open("xm-test-new-security_policy.xml", 'r')
+if f:
+    newpolicyxml = f.read()
+    f.close()
+else:
+    FAIL("Could not read 'xm-test-new' policy")
+
+cur_acmpol = ACMPolicy(xml = policystate['repr'])
+new_acmpol = ACMPolicy(xml = newpolicyxml)
+
+new_acmpol.update_frompolicy(cur_acmpol)
+
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                          new_acmpol.toxml(),
+                          xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
+                          1)
+
+f = open("xm-test-security_policy.xml", 'r')
+if f:
+    newpolicyxml = f.read()
+    f.close()
+else:
+    FAIL("Could not read 'xm-test-new' policy")
+
+cur_acmpol = new_acmpol
+new_acmpol = ACMPolicy(xml = newpolicyxml)
+
+new_acmpol.update_frompolicy(cur_acmpol)
+
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                          new_acmpol.toxml(),
+                          xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
+                          1)
+
+dom0_lab = session.xenapi.VM.get_security_label(DOM0_UUID)
+
+ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
+                                               vm_label_sys, dom0_lab)
+if int(ssidref) <= 0 or int(ssidref) != 0x00010001:
+    FAIL("(1) Domain-0 label for '%s' has unexpected failure: %08x" %
+         (vm_label_sys, int(ssidref)))
+print "ssidref for '%s' is 0x%08x" % (vm_label_sys, int(ssidref))
+
+try:
+    ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
+                                                   vm_label_black,
+                                                   vm_label_sys)
+    FAIL("Could set label '%s', although it's not in the policy. "
+         "ssidref=%s" % (vm_label_black, ssidref))
+except:
+    pass
+
+ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
+                                               vm_label_red,
+                                               vm_label_sys)
+if int(ssidref) <= 0:
+    FAIL("(2) Domain-0 label for '%s' has unexpected failure: %08x" %
+         (vm_label_red, int(ssidref)))
+print "ssidref for '%s' is 0x%08x" % (vm_label_red, int(ssidref))
+
+label = session.xenapi.VM.get_security_label(DOM0_UUID)
+
+if label != vm_label_red:
+    FAIL("Dom0 label '%s' not as expected '%s'" % (label, vm_label_red))
+
+
+ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
+                                               vm_label_sys,
+                                               vm_label_red)
+if int(ssidref) <= 0 or int(ssidref) != 0x00010001:
+    FAIL("(3) Domain-0 label for '%s' has unexpected failure: %08x" %
+         (vm_label_sys, int(ssidref)))
+
+label = session.xenapi.VM.get_security_label(DOM0_UUID)
+
+if label != vm_label_sys:
+    FAIL("Dom0 label '%s' not as expected '%s'" % label, dom0_label)
+
+header = session.xenapi.ACMPolicy.get_header(xs_ref)
+
+if header['policyname'] != xm_test['policyname']:
+    FAIL("Name in header is '%s', expected is '%s'." %
+         (header['policyname'],xm_test['policyname']))
+if header['date'] != xm_test['date']:
+    FAIL("Date in header is '%s', expected is '%s'." %
+         (header['date'],xm_test['date']))
+if header.has_key("url") and header['url' ] != xm_test['url' ]:
+    FAIL("URL  in header is '%s', expected is '%s'." %
+         (header['url' ],xm_test['url' ]))
+
+# Create another domain
+try:
+    # XmTestAPIDomain tries to establish a connection to XenD
+    domain = XmTestAPIDomain(extraConfig={ 'security_label' : vm_label_blue })
+except Exception, e:
+    SKIP("Skipping test. Error: %s" % str(e))
+
+
+vm_uuid = domain.get_uuid()
+
+res = session.xenapi.VM.get_security_label(vm_uuid)
+if res != vm_label_blue:
+    FAIL("VM has security label '%s', expected is '%s'" %
+         (res, vm_label_blue))
+
+try:
+    domain.start(noConsole=True)
+except:
+    FAIL("Could not create domain")
+
+
+# Attempt to relabel the running domain
+ssidref = session.xenapi.VM.set_security_label(vm_uuid,
+                                               vm_label_red,
+                                               vm_label_blue)
+if int(ssidref) <= 0:
+    FAIL("Could not relabel running domain to '%s'." % vm_label_red)
+
+# user domain is 'red', dom0 is current 'SystemManagement'.
+# Try to move domain-0 to 'red' first, then to 'blue'.
+
+# Moving domain-0 to 'red' should work
+ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
+                                               vm_label_red,
+                                               vm_label_sys)
+if int(ssidref) <= 0:
+    FAIL("Could not label domain-0 '%s'" % vm_label_red)
+
+# Moving the guest domain to 'blue' should not work due to conflict set
+try:
+    ssidref = session.xenapi.VM.set_security_label(vm_uuid,
+                                                   vm_label_blue,
+                                                   vm_label_red)
+    FAIL("Could label guest domain with '%s', although this is in a conflict "
+         "set. ssidref=%x" % (vm_label_blue,int(ssidref)))
+except:
+    pass
+
+label = session.xenapi.VM.get_security_label(vm_uuid)
+if label != vm_label_red:
+    FAIL("User domain has wrong label '%s', expected '%s'." %
+         (label, vm_label_red))
+
+label = session.xenapi.VM.get_security_label(DOM0_UUID)
+if label != vm_label_red:
+    FAIL("Domain-0 has wrong label '%s'; expected '%s'." %
+         (label, vm_label_red))
+
+ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
+                                               vm_label_sys,
+                                               vm_label_red)
+if int(ssidref) < 0:
+    FAIL("Could not set the domain-0 security label to '%s'." %
+         (vm_label_sys))
+
+# pause the domain and relabel it...
+session.xenapi.VM.pause(vm_uuid)
+
+label = session.xenapi.VM.get_security_label(vm_uuid)
+if label != vm_label_red:
+    FAIL("User domain has wrong label '%s', expected '%s'." %
+         (label, vm_label_red))
+
+ssidref = session.xenapi.VM.set_security_label(vm_uuid,
+                                               vm_label_blue,
+                                               vm_label_red)
+print "guest domain new label '%s'; ssidref is 0x%08x" % \
+      (vm_label_blue, int(ssidref))
+if int(ssidref) <= 0:
+    FAIL("Could not label guest domain with '%s'" % (vm_label_blue))
+
+label = session.xenapi.VM.get_security_label(vm_uuid)
+if label != vm_label_blue:
+    FAIL("User domain has wrong label '%s', expected '%s'." %
+         (label, vm_label_blue))
+
+session.xenapi.VM.unpause(vm_uuid)
+
+rc = session.xenapi.VM.suspend(vm_uuid)
+
+ssidref = session.xenapi.VM.set_security_label(vm_uuid,
+                                               vm_label_green,
+                                               vm_label_blue)
+print "guest domain new label '%s'; ssidref is 0x%08x" % \
+      (vm_label_green, int(ssidref))
+if int(ssidref) < 0:
+    FAIL("Could not label suspended guest domain with '%s'" % (vm_label_blue))
+
+label = session.xenapi.VM.get_security_label(vm_uuid)
+if label != vm_label_green:
+    FAIL("User domain has wrong label '%s', expected '%s'." %
+         (label, vm_label_green))
+
+
+rc = session.xenapi.VM.resume(vm_uuid, False)
+
+label = session.xenapi.VM.get_security_label(vm_uuid)
+if label != vm_label_green:
+    FAIL("User domain has wrong label '%s', expected '%s'." %
+         (label, vm_label_green))
diff -r 4197a1aad70b -r 7ef821ff6d89 
tools/xm-test/tests/security-acm/08_security-acm_xapi.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/xm-test/tests/security-acm/08_security-acm_xapi.py  Wed Jul 18 
10:08:37 2007 +0100
@@ -0,0 +1,354 @@
+#!/usr/bin/python
+
+# Copyright (C) International Business Machines Corp., 2007
+# Author: Stefan Berger <stefanb@xxxxxxxxxx>
+
+# VM creation test with labeled VM and labeled VDI
+
+from XmTestLib import xapi
+from XmTestLib.XenAPIDomain import XmTestAPIDomain
+from XmTestLib import *
+from xen.xend import XendAPIConstants
+from xen.util import acmpolicy, security, xsconstants
+import commands
+import os
+
+vm_label_red    = xsconstants.ACM_POLICY_ID + ":xm-test:red"
+vm_label_green  = xsconstants.ACM_POLICY_ID + ":xm-test:green"
+vdi_label_red   = xsconstants.ACM_POLICY_ID + ":xm-test:red"
+vdi_label_green = xsconstants.ACM_POLICY_ID + ":xm-test:green"
+
+vdi_file = "/dev/ram0"
+vdi_path = "phy:" + vdi_file
+
+#Note:
+# If during the suspend/resume operations 'red' instead of 'green' is
+# used, the Chinese Wall policy goes into effect and disallows the
+# suspended VM from being resumed...
+
+try:
+    # XmTestAPIDomain tries to establish a connection to XenD
+    domain = XmTestAPIDomain(extraConfig={ 'security_label' : vm_label_red })
+except Exception, e:
+    SKIP("Skipping test. Error: %s" % str(e))
+
+vm_uuid = domain.get_uuid()
+
+session = xapi.connect()
+xstype = session.xenapi.XSPolicy.get_xstype()
+if int(xstype) & xsconstants.XS_POLICY_ACM == 0:
+    SKIP("ACM not enabled/compiled in Xen")
+
+f = open("xm-test-security_policy.xml", 'r')
+if f:
+    newpolicyxml = f.read()
+    f.close()
+else:
+    FAIL("Could not read 'xm-test' policy")
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+if int(policystate['type']) == 0:
+    policystate = session.xenapi.XSPolicy.set_xspolicy(
+                         xsconstants.XS_POLICY_ACM,
+                         newpolicyxml,
+                         xsconstants.XS_INST_BOOT | xsconstants.XS_INST_LOAD,
+                         True)
+    if int(policystate['flags']) == -1:
+        FAIL("Could not set the new policy.")
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+print "policystate = %s" % policystate
+acm_ref = policystate['xs_ref']
+
+
+#
+# Some tests with labeling of resources
+#
+labels = session.xenapi.XSPolicy.get_labeled_resources()
+print "labeled resources are:\n%s" % labels
+
+oldlabel = session.xenapi.XSPolicy.get_resource_label("phy:/dev/ram0")
+
+rc  = session.xenapi.XSPolicy.set_resource_label("phy:/dev/ram0", "",
+                                                 oldlabel)
+
+rc  = session.xenapi.XSPolicy.set_resource_label("phy:/dev/ram0",
+                                                 vdi_label_green,
+                                                 "")
+
+res = session.xenapi.XSPolicy.get_resource_label("phy:/dev/ram0")
+if res != vdi_label_green:
+    FAIL("(1) get_resource_label returned unexpected result %s, wanted %s" %
+         (res, vdi_label_green))
+
+
+#
+# Some test with labeling of VMs
+#
+
+res = session.xenapi.VM.get_security_label(vm_uuid)
+
+if res != vm_label_red:
+    FAIL("VM.get_security_label returned wrong security label '%s'." % res)
+
+res = session.xenapi.VM.set_security_label(vm_uuid, vm_label_green,
+                                                    vm_label_red)
+
+res = session.xenapi.VM.get_security_label(vm_uuid)
+if res != vm_label_green:
+     FAIL("VM does not show expected label '%s' but '%s'." %
+          (vm_label_green, res))
+
+res = session.xenapi.VM.set_security_label(vm_uuid, "", vm_label_green)
+if int(res) != 0:
+    FAIL("Should be able to unlabel the domain while it's halted.")
+
+res = session.xenapi.VM.get_security_label(vm_uuid)
+if res != "":
+    FAIL("Unexpected VM security label after removal: %s" % res)
+
+res = session.xenapi.VM.set_security_label(vm_uuid, vm_label_red, res)
+if int(res) != 0:
+    FAIL("Could not label the VM to '%s'" % vm_label_red)
+
+res = session.xenapi.VM.get_security_label(vm_uuid)
+if res != vm_label_red:
+    FAIL("VM has wrong label '%s', expected '%s'." % (res, vm_label_red))
+
+sr_uuid = session.xenapi.SR.get_by_name_label("Local")
+if len(sr_uuid) == 0:
+    FAIL("Could not get a handle on SR 'Local'")
+
+
+vdi_rec = { 'name_label'  : "My disk",
+            'SR'          : sr_uuid[0],
+            'virtual_size': 0,
+            'sector_size' : 512,
+            'parent'      : '',
+            'SR_name'     : 'Local',
+            'type'        : 'system',
+            'shareable'   : False,
+            'read-only'   : False,
+            'other_config': {'location': vdi_path}
+}
+
+vdi_ref = session.xenapi.VDI.create(vdi_rec)
+
+res = session.xenapi.VDI.get_name_label(vdi_ref)
+if res != vdi_rec['name_label']:
+    print "Destroying VDI now"
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("VDI_get_name_label return wrong information")
+
+res = session.xenapi.VDI.get_record(vdi_ref)
+print "vdi_record : %s" % res
+
+oldlabel = session.xenapi.XSPolicy.get_resource_label(vdi_path)
+
+#Remove label from VDI device
+rc  = session.xenapi.XSPolicy.set_resource_label(vdi_path,
+                                                 "",
+                                                 oldlabel)
+
+
+# Attach a VBD to the VM
+
+vbd_rec = { 'VM'      : vm_uuid,
+            'VDI'     : vdi_ref,
+            'device'  : "xvda1",
+            'mode'    : 1,
+            'bootable': 0,
+}
+
+vbd_ref = session.xenapi.VBD.create(vbd_rec)
+
+res = session.xenapi.VBD.get_record(vbd_ref)
+
+try:
+    domain.start(noConsole=True)
+    # Should not get here.
+    print "Destroying VDI now"
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Could start VM with a VBD that it is not allowed to access.")
+except:
+    pass
+    print "Could not create domain -- that's good"
+
+
+#
+# Label the VDI now
+#
+
+rc    = session.xenapi.VDI.set_security_label(vdi_ref, vdi_label_red, "")
+if int(rc) != 0:
+    FAIL("Could not set the VDI label to '%s'" % vdi_label_red)
+
+label = session.xenapi.VDI.get_security_label(vdi_ref)
+if label != vdi_label_red:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Unexpected label '%s' on VDI, wanted '%s'" %
+         (label, vdi_label_red))
+
+rc    = session.xenapi.VDI.set_security_label(vdi_ref, "", label)
+if int(rc) != 0:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Should be able to unlabel VDI.")
+
+rc    = session.xenapi.VDI.set_security_label(vdi_ref, vdi_label_red, "")
+if int(rc) != 0:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Should be able to label VDI with label '%s'" % vid_label_red)
+
+res   = session.xenapi.XSPolicy.get_resource_label(vdi_path)
+if res != vdi_label_red:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("(2) get_resource_label on %s returned unexpected result %s, wanted 
'%s'" %
+         (vdi_path, res, vdi_label_red))
+
+res = session.xenapi.VDI.get_security_label(vdi_ref)
+if res != vdi_label_red:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("get_security_label returned unexpected result %s, wanted '%s'" %
+         (res, vdi_label_red))
+
+domain.start(noConsole=True)
+
+console = domain.getConsole()
+
+domName = domain.getName()
+
+try:
+    run = console.runCmd("cat /proc/interrupts")
+except ConsoleError, e:
+    saveLog(console.getHistory())
+    FAIL("Could not access proc-filesystem")
+
+# Try to relabel while VM is running
+try:
+    res = session.xenapi.VM.set_security_label(vm_uuid, vm_label_green,
+                                               vm_label_red)
+except:
+    pass
+
+lab = session.xenapi.VM.get_security_label(vm_uuid)
+if lab == vm_label_green:
+    FAIL("Should not be able to reset the security label while running."
+         "tried to set to %s, got %s, old: %s" %(vm_label_green, lab,
+         vm_label_red))
+
+
+#
+# Suspend the domain and relabel it
+#
+
+try:
+    status, output = traceCommand("xm suspend %s" % domName,
+                                  timeout=30)
+except TimeoutError, e:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Failure from suspending VM: %s." % str(e))
+
+# Try to relabel while VM is suspended -- this should work
+
+rc  = session.xenapi.VM.set_security_label(vm_uuid, vm_label_green,
+                                           vm_label_red)
+if int(rc) != 0:
+    FAIL("VM security label could not be set to %s" % vm_label_green)
+
+res = session.xenapi.VM.get_security_label(vm_uuid)
+if res != vm_label_green:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("VM (suspended) has label '%s', expected '%s'." %
+         (res, vm_label_green))
+
+status, output = traceCommand("xm list")
+
+#Try to resume now -- should fail due to denied access to block device
+try:
+    status, output = traceCommand("xm resume %s" % domName,
+                                  timeout=30)
+    if status == 0:
+        session.xenapi.VDI.destroy(vdi_ref)
+        FAIL("Could resume re-labeled VM: %s" % output)
+except Exception, e:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("1. Error resuming the VM: %s." % str(e))
+
+# Relabel VM so it would resume
+res = session.xenapi.VM.set_security_label(vm_uuid, vm_label_red,
+                                           vm_label_green)
+if int(res) != 0:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Could not relabel VM to have it resume.")
+
+res = session.xenapi.VM.get_security_label(vm_uuid)
+if res != vm_label_red:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("VM (suspended) has label '%s', expected '%s'." %
+         (res, vm_label_red))
+
+
+# Relabel the resource so VM should not resume
+try:
+    session.xenapi.XSPolicy.set_resource_label(vdi_path,
+                                               vdi_label_green,
+                                               "")
+except Exception, e:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Could not label the VDI to '%s': %x" %
+         (vdi_label_green, int(rc)))
+
+#Try to resume now -- should fail due to denied access to block device
+try:
+    status, output = traceCommand("xm resume %s" % domName,
+                                  timeout=30)
+    if status == 0:
+        session.xenapi.VDI.destroy(vdi_ref)
+        FAIL("Could resume re-labeled VM: %s" % output)
+except Exception, e:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("2. Error resuming the VM: %s." % str(e))
+
+
+status, output = traceCommand("xm list")
+
+# Relabel the resource so VM can resume
+try:
+    session.xenapi.XSPolicy.set_resource_label(vdi_path,
+                                               vdi_label_red,
+                                               vdi_label_green)
+except Exception, e:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Could not label the resource to '%s'" % vid_label_red)
+
+res = session.xenapi.XSPolicy.get_resource_label(vdi_path)
+if res != vdi_label_red:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("'%s' has label '%s', expected '%s'." %
+         (vdi_path, res, vdi_label_red))
+
+#Try to resume now -- should work
+try:
+    status, output = traceCommand("xm resume %s" % domName,
+                                  timeout=30)
+    if status != 0:
+        session.xenapi.VDI.destroy(vdi_ref)
+        FAIL("Could not resume re-labeled VM: %s" % output)
+except Exception, e:
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("3. Error resuming the VM: %s." % str(e))
+
+
+status, output = traceCommand("xm list")
+
+console = domain.getConsole()
+
+try:
+    run = console.runCmd("cat /proc/interrupts")
+except ConsoleError, e:
+    saveLog(console.getHistory())
+    session.xenapi.VDI.destroy(vdi_ref)
+    FAIL("Could not access proc-filesystem")
+
+domain.stop()
+domain.destroy()
diff -r 4197a1aad70b -r 7ef821ff6d89 
tools/xm-test/tests/security-acm/09_security-acm_pol_update.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/xm-test/tests/security-acm/09_security-acm_pol_update.py    Wed Jul 
18 10:08:37 2007 +0100
@@ -0,0 +1,427 @@
+#!/usr/bin/python
+
+# Copyright (C) International Business Machines Corp., 2007
+# Author: Stefan Berger <stefanb@xxxxxxxxxx>
+
+# Test to exercise the xspolicy and acmpolicy classes
+
+from XmTestLib import xapi
+from XmTestLib.XenAPIDomain import XmTestAPIDomain
+from XmTestLib import *
+from xen.xend import XendAPIConstants
+from xen.util import security, xsconstants
+from xen.util.acmpolicy import ACMPolicy
+from xen.xend.XendDomain import DOM0_UUID
+import base64
+import struct
+import time
+
+def typestoxml(types):
+    res = ""
+    for t in types:
+        res += "<Type>" + t + "</Type>\n"
+    return res
+
+def cfstoxml(cfss):
+    res = ""
+    for cfs in cfss:
+        res += "<Conflict name=\"" + cfs['name'] + "\">\n" + \
+               typestoxml(cfs['chws']) + \
+               "</Conflict>\n"
+    return res
+
+def vmlabelstoxml(vmlabels, vmfrommap):
+    res = ""
+    for vmlabel in vmlabels:
+        res += "<VirtualMachineLabel>\n"
+        if vmlabel['name'] in vmfrommap:
+            res += "<Name from=\""+ vmfrommap[vmlabel['name']] +"\">"
+        else:
+            res += "<Name>"
+        res += vmlabel['name'] + "</Name>\n"
+        res += "<SimpleTypeEnforcementTypes>\n" + \
+                  typestoxml(vmlabel['stes']) + \
+               "</SimpleTypeEnforcementTypes>\n"
+        if vmlabel.has_key('chws'):
+            res += "<ChineseWallTypes>\n" + \
+                     typestoxml(vmlabel['chws']) + \
+                   "</ChineseWallTypes>\n"
+        res += "</VirtualMachineLabel>\n"
+    return res
+
+
+def reslabelstoxml(reslabels, resfrommap):
+    res = ""
+    for reslabel in reslabels:
+        res += "<ResourceLabel>\n"
+        if resfrommap.has_key(reslabel['name']):
+            res += "<Name from=\""+ resfrommap[reslabel['name']] +"\">"
+        else:
+            res += "<Name>"
+        res += reslabel['name'] + "</Name>\n"
+        res += "<SimpleTypeEnforcementTypes>\n" + \
+                  typestoxml(reslabel['stes']) + \
+               "</SimpleTypeEnforcementTypes>\n"
+        res += "</ResourceLabel>\n"
+    return res
+
+def create_xml_policy(hdr, stes, chws,
+                      vmlabels, vmfrommap, bootstrap,
+                      reslabels, resfrommap,
+                      cfss):
+    hdr_xml ="<PolicyHeader>\n" + \
+             "  <PolicyName>" + hdr['name'] + "</PolicyName>\n" + \
+             "  <Version>"    + hdr['version'] + "</Version>\n" + \
+             "  <FromPolicy>\n" + \
+             "    <PolicyName>" + hdr['oldname'] + "</PolicyName>\n" + \
+             "    <Version>"    + hdr['oldversion'] + "</Version>\n" + \
+             "  </FromPolicy>\n" + \
+               "</PolicyHeader>\n"
+
+    stes_xml = "<SimpleTypeEnforcement>\n" + \
+               "  <SimpleTypeEnforcementTypes>\n" + \
+                typestoxml(stes) + \
+               "  </SimpleTypeEnforcementTypes>\n" + \
+               "</SimpleTypeEnforcement>\n"
+
+    chws_xml = "<ChineseWall>\n" + \
+               "  <ChineseWallTypes>\n" + \
+               typestoxml(chws) + \
+               "  </ChineseWallTypes>\n" + \
+               "  <ConflictSets>\n" + \
+               cfstoxml(cfss) + \
+               "  </ConflictSets>\n" + \
+               "</ChineseWall>\n"
+
+    subjlabel_xml = "<SubjectLabels bootstrap=\""+ bootstrap +"\">\n" + \
+                     vmlabelstoxml(vmlabels, vmfrommap) + \
+                    "</SubjectLabels>\n"
+    objlabel_xml  = "<ObjectLabels>\n" + \
+                      reslabelstoxml(reslabels, resfrommap) + \
+                    "</ObjectLabels>\n"
+
+    policyxml = "<?xml version=\"1.0\" ?>\n" + \
+                "<SecurityPolicyDefinition xmlns=\"http://www.ibm.com\"; 
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"; 
xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd \">\n" + \
+                hdr_xml + \
+                stes_xml + \
+                chws_xml + \
+                "<SecurityLabelTemplate>\n" + \
+                  subjlabel_xml + \
+                  objlabel_xml + \
+                "</SecurityLabelTemplate>\n" + \
+                "</SecurityPolicyDefinition>\n"
+    return policyxml
+
+
+def update_hdr(hdr):
+    """ Update the version information in the header """
+    hdr['oldversion'] = hdr['version']
+    hdr['oldname']    = hdr['name']
+    vers = hdr['version']
+    tmp = vers.split('.')
+    if len(tmp) == 1:
+        rev = 1
+    else:
+        rev = int(tmp[1]) + 1
+    hdr['version'] = "%s.%s" % (tmp[0],rev)
+    return hdr
+
+session = xapi.connect()
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+
+if policystate['repr'] != "":
+    print "%s" % policystate['repr']
+    try:
+        acmpol = ACMPolicy(xml=policystate['repr'])
+    except Exception, e:
+        FAIL("Failure from creating ACMPolicy object: %s" % str(e))
+    oldname = acmpol.policy_dom_get_hdr_item("PolicyName")
+    oldvers = acmpol.policy_dom_get_hdr_item("Version")
+    tmp = oldvers.split(".")
+    if len(tmp) == 1:
+        rev = 1
+    else:
+        rev = int(tmp[1]) + 1
+    newvers = "%s.%s" % (tmp[0], str(rev))
+    print "old name/version = %s/%s" % (oldname, oldvers)
+else:
+    oldname = None
+    oldvers = None
+    newvers = "1.0"
+
+# Initialize the header of the policy
+hdr = {}
+hdr['name'] = "xm-test"
+hdr['version'] = newvers
+
+if oldname:
+    hdr['oldname']    = oldname
+    if oldvers and oldvers != "":
+        hdr['oldversion'] = oldvers
+
+stes = [ "SystemManagement", "red", "green", "blue" ]
+
+chws = [ "SystemManagement", "red", "green", "blue" ]
+
+bootstrap = "SystemManagement"
+
+vm_sysmgt = { 'name' : bootstrap,
+              'stes' : stes,
+              'chws' : [ "SystemManagement" ] }
+
+vm_red   = { 'name' : "red" ,
+             'stes' : ["red"] ,
+             'chws' : ["red"] }
+
+vm_green = { 'name' : "green" ,
+             'stes' : ["green"] ,
+             'chws' : ["green"] }
+
+vm_blue  = { 'name' : "blue" ,
+             'stes' : ["blue"] ,
+             'chws' : ["blue"] }
+
+res_red   = { 'name' : "red" ,
+              'stes' : ["red"] }
+
+res_green = { 'name' : "green" ,
+              'stes' : ["green"] }
+
+res_blue  = { 'name' : "blue" ,
+              'stes' : ["blue"] }
+
+cfs_1 = { 'name' : "CFS1",
+          'chws' : [ "red" , "blue" ] }
+
+vmlabels = [ vm_sysmgt, vm_red, vm_green, vm_blue ]
+vmfrommap = {}
+reslabels = [ res_red, res_green, res_blue ]
+resfrommap = {}
+cfss = [ cfs_1 ]
+
+vm_label_red    = xsconstants.ACM_POLICY_ID + ":xm-test:red"
+vm_label_green  = xsconstants.ACM_POLICY_ID + ":xm-test:green"
+vm_label_blue   = xsconstants.ACM_POLICY_ID + ":xm-test:blue"
+
+xml = create_xml_policy(hdr, stes, chws,
+                        vmlabels, vmfrommap, bootstrap,
+                        reslabels, resfrommap,
+                        cfss)
+
+xml_good = xml
+
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   xml,
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+
+print "\n\npolicystate = %s" % policystate
+
+policystate = session.xenapi.XSPolicy.get_xspolicy()
+
+#
+# Create two non-conflicting domains and start them
+#
+try:
+    # XmTestAPIDomain tries to establish a connection to XenD
+    domain1 = XmTestAPIDomain(extraConfig={ 'security_label' : vm_label_red })
+except Exception, e:
+    SKIP("Skipping test. Error: %s" % str(e))
+
+
+vm1_uuid = domain1.get_uuid()
+
+try:
+    domain1.start(noConsole=True)
+except:
+    FAIL("Could not start domain1")
+
+print "Domain 1 started"
+
+try:
+    # XmTestAPIDomain tries to establish a connection to XenD
+    domain2 = XmTestAPIDomain(extraConfig={'security_label': vm_label_green })
+except Exception, e:
+    SKIP("Skipping test. Error: %s" % str(e))
+
+vm2_uuid = domain2.get_uuid()
+
+try:
+    domain2.start(noConsole=True)
+except:
+    FAIL("Could not start domain1")
+
+
+print "Domain 2 started"
+
+# Try a policy that would put the two domains into conflict
+cfs_2 = { 'name' : "CFS1",
+          'chws' : [ "red" , "green" ] }
+cfss = [ cfs_2 ]
+
+hdr = update_hdr(hdr)
+xml = create_xml_policy(hdr, stes, chws,
+                        vmlabels, vmfrommap, bootstrap,
+                        reslabels, resfrommap,
+                        cfss)
+
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   xml,
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+
+print "policystate %s" % policystate
+
+if int(policystate['xserr']) == 0:
+    FAIL("(1) Should not have been able to set this policy.")
+
+if len(policystate['errors']) == 0:
+    FAIL("Hypervisor should have reported errros.")
+
+errors = base64.b64decode(policystate['errors'])
+
+print "Length of errors: %d" % len(errors)
+a,b = struct.unpack("!ii",errors)
+
+print "%08x , %08x" % (a,b)
+
+#
+# Create a faulty policy with 'red' STE missing
+#
+
+cfss = [ cfs_1 ]
+stes = [ "SystemManagement", "green", "blue" ]
+
+xml = create_xml_policy(hdr, stes, chws,
+                        vmlabels, vmfrommap, bootstrap,
+                        reslabels, resfrommap,
+                        cfss)
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   xml,
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+
+print "Result from setting faulty(!) policy with STE 'red' missing:"
+print "policystate %s" % policystate
+
+if int(policystate['xserr']) == 0:
+    FAIL("(2) Should not have been able to set this policy.")
+
+#
+# Create a policy with 'red' VMLabel missing -- should not work since it is
+# in use.
+#
+stes = [ "SystemManagement", "red", "green", "blue" ]
+
+vmlabels = [ vm_sysmgt, vm_green, vm_blue ]
+
+xml = create_xml_policy(hdr, stes, chws,
+                        vmlabels, vmfrommap, bootstrap,
+                        reslabels, resfrommap,
+                        cfss)
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   xml,
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+print "Result from setting faulty(!) policy with VMlabel 'red' missing:"
+print "policystate %s" % policystate
+
+if int(policystate['xserr']) == 0:
+    FAIL("(3) Should not have been able to set this policy.")
+
+#
+# Create a policy with 'blue' VMLabel missing -- should work since it is NOT
+# in use.
+#
+vmlabels = [ vm_sysmgt, vm_red, vm_green ]
+
+xml = create_xml_policy(hdr, stes, chws,
+                        vmlabels, vmfrommap, bootstrap,
+                        reslabels, resfrommap,
+                        cfss)
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   xml,
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+
+print "Result from setting (good) policy with VMlabel 'blue' missing:"
+print "policystate %s" % policystate
+
+if int(policystate['xserr']) != 0:
+    FAIL("(4) Should have been able to set this policy: %s" % xml)
+
+#
+# Move the green VMLabel towards blue which should put the running
+# domain with label blue into a conflict set
+#
+vmlabels = [ vm_sysmgt, vm_red, vm_blue ]
+
+vmfrommap = { "blue" : "green" }  #  new : old
+
+hdr = update_hdr(hdr)  #Needed, since last update was successful
+xml = create_xml_policy(hdr, stes, chws,
+                        vmlabels, vmfrommap, bootstrap,
+                        reslabels, resfrommap,
+                        cfss)
+
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   xml,
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+
+print "policystate %s" % policystate
+
+if int(policystate['xserr']) == 0:
+    FAIL("(5) Should not have been able to set this policy.")
+
+#
+# Try to install a policy where a VM label has a faulty VM label name
+#
+vmfrommap = {}
+
+vm_blue_bad = { 'name' : "blue:x" ,   # ':' no allowed
+                'stes' : ["blue"],
+                'chws' : ["blue"] }
+
+vmlabels = [ vm_sysmgt, vm_red, vm_green, vm_blue_bad ]
+
+xml = create_xml_policy(hdr, stes, chws,
+                        vmlabels, vmfrommap, bootstrap,
+                        reslabels, resfrommap,
+                        cfss)
+
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   xml,
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+
+print "policystate %s" % policystate
+
+if int(policystate['xserr']) == 0:
+    FAIL("(6) Should not have been able to set this policy.")
+
+#
+# End the test by installing the initial policy again
+#
+
+cur_version = hdr['version']
+(maj, min) = cur_version.split(".")
+cur_version = "%s.%s" % (maj, str(int(min)-1) )
+
+orig_acmpol = ACMPolicy(xml=xml_good)
+orig_acmpol.set_frompolicy_version(cur_version)
+orig_acmpol.set_policy_version(hdr['version'])
+
+policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
+                                                   orig_acmpol.toxml(),
+                                                   xsconstants.XS_INST_LOAD,
+                                                   True)
+
+if int(policystate['xserr']) != 0:
+    FAIL("(END) Should have been able to set this policy.")
+
+domain1.stop()
+domain2.stop()
+domain1.destroy()
+domain2.destroy()
diff -r 4197a1aad70b -r 7ef821ff6d89 
tools/xm-test/tests/security-acm/Makefile.am
--- a/tools/xm-test/tests/security-acm/Makefile.am      Wed Jul 18 10:04:46 
2007 +0100
+++ b/tools/xm-test/tests/security-acm/Makefile.am      Wed Jul 18 10:08:37 
2007 +0100
@@ -5,7 +5,10 @@ TESTS = 01_security-acm_basic.test \
         03_security-acm_dom_conflict.test \
         04_security-acm_dom_res.test \
         05_security-acm_dom_res_conf.test \
-        06_security-acm_dom_block_attach.test
+        06_security-acm_dom_block_attach.test \
+        07_security-acm_pol_update.test \
+        08_security-acm_xapi.test \
+        09_security-acm_pol_update.test
 
 XFAIL_TESTS =
 
diff -r 4197a1aad70b -r 7ef821ff6d89 
tools/xm-test/tests/security-acm/xm-test-new-security_policy.xml
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/xm-test/tests/security-acm/xm-test-new-security_policy.xml  Wed Jul 
18 10:08:37 2007 +0100
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Auto-generated by ezPolicy        -->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
+    <PolicyHeader>
+        <PolicyName>xm-test</PolicyName>
+        <Date>Fri Sep 29 14:44:38 2006</Date>
+        <Version>1.1</Version>
+        <FromPolicy>
+            <PolicyName>xm-test</PolicyName>
+            <Version>1.0</Version>
+        </FromPolicy>
+    </PolicyHeader>
+
+    <SimpleTypeEnforcement>
+        <SimpleTypeEnforcementTypes>
+            <Type>SystemManagement</Type>
+            <Type>green</Type>
+            <Type>red</Type>
+        </SimpleTypeEnforcementTypes>
+    </SimpleTypeEnforcement>
+
+    <ChineseWall priority="PrimaryPolicyComponent">
+        <ChineseWallTypes>
+            <Type>SystemManagement</Type>
+            <Type>green</Type>
+            <Type>red</Type>
+        </ChineseWallTypes>
+
+        <ConflictSets>
+            <Conflict name="RER">
+                <Type>green</Type>
+                <Type>red</Type>
+            </Conflict>
+       </ConflictSets>
+    </ChineseWall>
+
+    <SecurityLabelTemplate>
+        <SubjectLabels bootstrap="SystemManagement">
+            <VirtualMachineLabel>
+                <Name>SystemManagement</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>SystemManagement</Type>
+                    <Type>green</Type>
+                    <Type>red</Type>
+                </SimpleTypeEnforcementTypes>
+                <ChineseWallTypes>
+                    <Type>SystemManagement</Type>
+                </ChineseWallTypes>
+            </VirtualMachineLabel>
+
+            <VirtualMachineLabel>
+                <Name>green</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>green</Type>
+                </SimpleTypeEnforcementTypes>
+                <ChineseWallTypes>
+                    <Type>green</Type>
+                </ChineseWallTypes>
+            </VirtualMachineLabel>
+
+            <VirtualMachineLabel>
+                <Name>red</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>red</Type>
+                </SimpleTypeEnforcementTypes>
+                <ChineseWallTypes>
+                    <Type>red</Type>
+                </ChineseWallTypes>
+            </VirtualMachineLabel>
+
+        </SubjectLabels>
+
+        <ObjectLabels>
+            <ResourceLabel>
+                <Name>SystemManagement</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>SystemManagement</Type>
+                </SimpleTypeEnforcementTypes>
+            </ResourceLabel>
+
+            <ResourceLabel>
+                <Name>green</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>green</Type>
+                </SimpleTypeEnforcementTypes>
+            </ResourceLabel>
+
+            <ResourceLabel>
+                <Name>red</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>red</Type>
+                </SimpleTypeEnforcementTypes>
+            </ResourceLabel>
+
+        </ObjectLabels>
+    </SecurityLabelTemplate>
+</SecurityPolicyDefinition>

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.