--- xen-unstable.hg/tools/python/xen/util/acmpolicy.py | 3 ++- xen-unstable.hg/tools/python/xen/util/security.py | 7 ++++--- xen-unstable.hg/tools/python/xen/xend/XendVDI.py | 1 + xen-unstable.hg/tools/python/xen/xend/XendXSPolicyAdmin.py | 5 ++++- xen-unstable.hg/tools/python/xen/xm/cfgbootpolicy.py | 5 +++-- 5 files changed, 14 insertions(+), 7 deletions(-) Index: root/xen-unstable.hg/tools/python/xen/xend/XendXSPolicyAdmin.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/xend/XendXSPolicyAdmin.py +++ root/xen-unstable.hg/tools/python/xen/xend/XendXSPolicyAdmin.py @@ -56,7 +56,10 @@ class XSPolicyAdmin: typ = data[1] try: if typ == xsconstants.ACM_POLICY_ID: - self.xsobjs[ref] = ACMPolicy(name=name, ref=ref) + try: + self.xsobjs[ref] = ACMPolicy(name=name, ref=ref) + except Exception, e: + del self.policies[ref] else: del self.policies[ref] except Exception, e: @@ -271,6 +278,10 @@ class XSPolicyAdmin: return pol return None + def get_hv_loaded_policy_name(self): + security.refresh_security_policy() + return security.active_policy + def get_policy_by_name(self, name): for pol in self.xsobjs.values(): if pol.get_name() == name: Index: root/xen-unstable.hg/tools/python/xen/util/acmpolicy.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/util/acmpolicy.py +++ root/xen-unstable.hg/tools/python/xen/util/acmpolicy.py @@ -122,7 +122,8 @@ class ACMPolicy(XSPolicy): rc = -xsconstants.XSERR_GENERAL_FAILURE if rc != xsconstants.XSERR_SUCCESS: log.warn("XML did not validate against schema") - rc = self.__validate_name_and_labels() + if rc == xsconstants.XSERR_SUCCESS: + rc = self.__validate_name_and_labels() return rc def __validate_name_and_labels(self): 
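Review bot: In the `@@ -56,7 +56,10 @@` hunk of XendXSPolicyAdmin.py the new inner `except Exception, e:` drops the policy reference without recording why, so a policy file that is corrupt or was changed on disk disappears from the managed set with no trace for an operator to follow. `e` is bound but never used. Log before deleting, for example `log.error("Cannot load ACM policy '%s' (ref %s): %s" % (name, ref, e))`, assuming this module has a `log` object as acmpolicy.py and security.py do in this patch. The enclosing loop and the outer `try` start outside the hunk, so it is not visible whether the deletion is also persisted.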
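Review bot: `get_hv_loaded_policy_name` in the `@@ -271,6 +278,10 @@` hunk has no docstring, and its result comes from module-level state (`security.active_policy`) rather than from `self.xsobjs`. A docstring such as `""" Return the name of the policy currently loaded in the hypervisor, as refreshed by security.refresh_security_policy() """` would tell callers that the value can differ from the policies xend manages. What is returned when no policy is loaded is not visible in this hunk and is worth stating there too.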
@@ -626,14 +627,15 @@ class ACMPolicy(XSPolicy): def policy_get_stes_of_vmlabel(self, vmlabel): """ Get a list of all STEs of a given VMlabel """ return self.__policy_get_stes_of_labeltype(vmlabel, - "VirtualMachineLabel") + "/SubjectLabels", "VirtualMachineLabel") def policy_get_stes_of_resource(self, reslabel): """ Get a list of all resources of a given VMlabel """ - return self.__policy_get_stes_of_labeltype(reslabel, "ResourceLabel") + return self.__policy_get_stes_of_labeltype(reslabel, + "/ObjectLabels", "ResourceLabel") - def __policy_get_stes_of_labeltype(self, label, labeltype): - node = self.dom_get_node("SecurityLabelTemplate/SubjectLabels") + def __policy_get_stes_of_labeltype(self, label, path, labeltype): + node = self.dom_get_node("SecurityLabelTemplate" + path) if node: i = 0 while i < len(node.childNodes): @@ -661,7 +663,8 @@ class ACMPolicy(XSPolicy): return False for res in resources: res_stes = self.policy_get_stes_of_resource(res) - if len( set(res_stes).union( set(vm_stes) ) ) == 0: + if len(res_stes) == 0 or \ + len( set(res_stes).intersection( set(vm_stes) ) ) == 0: return False return True Index: root/xen-unstable.hg/tools/python/xen/xend/XendVDI.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/xend/XendVDI.py +++ root/xen-unstable.hg/tools/python/xen/xend/XendVDI.py @@ -24,6 +24,7 @@ import os from xen.util.xmlrpclib2 import stringify from xmlrpclib import dumps, loads from xen.util import security, xsconstants +from xen.xend.XendError import SecurityError KB = 1024 MB = 1024 * 1024 Index: root/xen-unstable.hg/tools/python/xen/util/security.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/util/security.py +++ root/xen-unstable.hg/tools/python/xen/util/security.py 
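Review bot: The docstring of `policy_get_stes_of_resource` in the `@@ -626,14 +627,15 @@` hunk still reads "Get a list of all resources of a given VMlabel", which describes neither the argument nor the result. Now that the lookup goes to `/ObjectLabels` it should say `""" Get a list of all STEs of a given resource label """`. The new `path` argument is concatenated as `"SecurityLabelTemplate" + path`, so every caller has to remember the leading slash; passing the bare node name and building `"SecurityLabelTemplate/" + path` in the helper keeps that detail in one place. The body of `__policy_get_stes_of_labeltype` continues past the end of the hunk.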
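Review bot: In the `@@ -661,7 +663,8 @@` hunk the added `len(res_stes) == 0 or` test is implied by the second condition, since intersecting an empty set with anything is empty. If it is kept to make the deny-on-unlabelled-resource case explicit, a comment such as `# a resource without STEs is never accessible` says so; otherwise the check reduces to `if not set(res_stes) & set(vm_stes):`. `set(vm_stes)` is also rebuilt on every iteration and could be computed once before the loop. The function begins outside the hunk.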
@@ -799,9 +799,10 @@ def is_resource_in_use(resource): lst.append(dominfo) return lst -def devices_equal(res1, res2): +def devices_equal(res1, res2, mustexist=True): """ Determine whether two devices are equal """ - return (unify_resname(res1) == unify_resname(res2)) + return (unify_resname(res1, mustexist) == + unify_resname(res2, mustexist)) def is_resource_in_use_by_dom(dominfo, resource): """ Determine whether a resources is in use by a given domain @@ -817,7 +818,7 @@ def is_resource_in_use_by_dom(dominfo, r dev = devs[uuid] if len(dev) >= 2 and dev[1].has_key('uname'): # dev[0] is type, i.e. 'vbd' - if devices_equal(dev[1]['uname'], resource): + if devices_equal(dev[1]['uname'], resource, mustexist=False): log.info("RESOURCE IN USE: Domain %d uses %s." % (dominfo.domid, resource)) return True Index: root/xen-unstable.hg/tools/python/xen/xm/cfgbootpolicy.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/xm/cfgbootpolicy.py +++ root/xen-unstable.hg/tools/python/xen/xm/cfgbootpolicy.py @@ -170,8 +170,9 @@ def cfgbootpolicy_xapi(policy, user_titl OptionError("No policy installed on system?") acmpol = ACMPolicy(xml=xml) if acmpol.get_name() != policy: - OptionError("Policy installed on system '%s' does not match the " - "request policy '%s'" % (acmpol.get_name(), policy)) + raise OptionError("Policy installed on system '%s' does not " + "match the requested policy '%s'" % + (acmpol.get_name(), policy)) flags = int(policystate['flags']) | xsconstants.XS_INST_BOOT rc = int(server.xenapi.XSPolicy.activate_xspolicy(xs_ref, flags)) if rc == flags: Index: root/xen-unstable.hg/tools/python/xen/xend/XendAPI.py =================================================================== --- root.orig/xen-unstable.hg/tools/python/xen/xend/XendAPI.py +++ root/xen-unstable.hg/tools/python/xen/xend/XendAPI.py 
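Review bot: The docstring of `devices_equal` in the `@@ -799,9 +799,10 @@` hunk does not say what `mustexist` changes, and the only caller touched here, `is_resource_in_use_by_dom` in the `@@ -817,7 +818,7 @@` hunk, passes `mustexist=False` on the path that decides whether a resource is in use. `unify_resname` is outside the patch, so it is not visible how names are compared when the device does not exist; if they fall back to a plain string comparison, two spellings of the same device would compare unequal and an in-use resource would be reported as free. Extending the docstring, e.g. `""" Determine whether two devices are equal; with mustexist=False the names are compared without requiring the device to exist """`, and stating the fallback at the call site would make that decision reviewable.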
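Review bot: The context line `OptionError("No policy installed on system?")` at the top of the `@@ -170,8 +170,9 @@` hunk in cfgbootpolicy.py has the same defect this change fixes three lines below. The exception is constructed and discarded, so execution continues into `ACMPolicy(xml=xml)`. It should read `raise OptionError("No policy installed on system?")`. The condition guarding that line is outside the hunk.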
@@ -1620,7 +1620,8 @@ class XendAPI(object): (rc, errors, oldlabel, new_ssidref) = \ dom.set_security_label(sec_label, old_label) if rc != xsconstants.XSERR_SUCCESS: - return xen_api_error(['SECURITY_ERROR', rc]) + return xen_api_error(['SECURITY_ERROR', rc, + xsconstants.xserr2string(-rc)]) if rc == 0: rc = new_ssidref return xen_api_success(rc) @@ -2239,7 +2240,8 @@ class XendAPI(object): vdi = XendNode.instance().get_vdi_by_uuid(vdi_ref) rc = vdi.set_security_label(sec_lab, old_lab) if rc < 0: - return xen_api_error(['SECURITY_ERROR', rc]) + return xen_api_error(['SECURITY_ERROR', rc, + xsconstants.xserr2string(-rc)]) return xen_api_success(rc) def VDI_get_security_label(self, session, vdi_ref):
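Review bot: In the `@@ -1620,7 +1620,8 @@` hunk of XendAPI.py the error branch is entered for any `rc != xsconstants.XSERR_SUCCESS`, but `xsconstants.xserr2string(-rc)` is written as if `rc` were always negative, which only the `rc < 0` guard in the `@@ -2239,7 +2240,8 @@` hunk guarantees. `xserr2string` is not part of this patch; if it raises or returns a misleading string for an unexpected value, a positive `rc` would replace the security error with an unrelated failure while the reply is being built. Documenting the sign convention next to both calls, e.g. `# rc is a negated XSERR_* code`, or guarding the lookup in the first hunk, would remove the ambiguity.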