---
 xen-unstable.hg/tools/examples/xend-config.sxp       |    3 +-
 xen-unstable.hg/tools/python/xen/util/xsm/acm/acm.py |   22 +++++++++++++++++++
 xen-unstable.hg/tools/python/xen/xend/XendOptions.py |   10 ++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)

Index: root/xen-unstable.hg/tools/python/xen/util/xsm/acm/acm.py
===================================================================
--- root.orig/xen-unstable.hg/tools/python/xen/util/xsm/acm/acm.py
+++ root/xen-unstable.hg/tools/python/xen/util/xsm/acm/acm.py
@@ -27,6 +27,7 @@ import stat
 from xen.lowlevel import acm
 from xen.xend import sxp
 from xen.xend import XendConstants
+from xen.xend import XendOptions
 from xen.xend.XendLogging import log
 from xen.xend.XendError import VmError
 from xen.util import dictio, xsconstants
@@ -1081,9 +1082,14 @@ def set_resource_label(resource, policyt
         if reslabel != "":
             new_entry = { resource : tuple([policytype, policyref, reslabel])}
             access_control.update(new_entry)
+            command = "add"
+            reslbl = ":".join([policytype, policyref, reslabel])
         else:
             if access_control.has_key(resource):
                 del access_control[resource]
+            command = "remove"
+            reslbl = ""
+        run_resource_label_change_script(resource, reslbl, command)
         dictio.dict_write(access_control, "resources", res_label_filename)
     finally:
         resfile_unlock()
@@ -1273,6 +1279,7 @@ def change_acm_policy(bin_pol, del_array
                 label = reslabel_map[label]
             elif label not in polnew_reslabels:
                 policytype = xsconstants.INVALID_POLICY_PREFIX + policytype
+                run_resource_label_change_script(key, "", "remove")
             # Update entry
             access_control[key] = \
                    tuple([ policytype, new_policyname, label ])
@@ -1383,3 +1390,18 @@ def get_security_label(self, xspol=None)
     if domid != 0:
         label = self.info.get('security_label', label)
     return label
+
+def run_resource_label_change_script(resource, label, command):
+    script = XendOptions.instance().get_resource_label_change_script()
+    if script:
+        parms = {
+            'resource' : resource,
+            'label'    : label,
+            'command'  : command,
+        }
+        log.info("Running resource label change script %s: %s" %
+                 (script, parms))
+        parms.update(os.environ)
+        os.spawnve(os.P_NOWAIT, script[0], script, parms)
+    else:
+        log.info("No script given for relabeling of resources.")
Index: root/xen-unstable.hg/tools/python/xen/xend/XendOptions.py
===================================================================
--- root.orig/xen-unstable.hg/tools/python/xen/xend/XendOptions.py
+++ root/xen-unstable.hg/tools/python/xen/xend/XendOptions.py
@@ -278,6 +278,16 @@ class XendOptions:
     def get_keymap(self):
         return self.get_config_value('keymap', None)
 
+    def get_resource_label_change_script(self):
+        s = self.get_config_value('resource-label-change-script')
+        if s:
+            result = s.split(" ")
+            result[0] = os.path.join(osdep.scripts_dir, result[0])
+            return result
+        else:
+            return None
+
+
 class XendOptionsFile(XendOptions):
 
     """Default path to the config file."""
Index: root/xen-unstable.hg/tools/examples/xend-config.sxp
===================================================================
--- root.orig/xen-unstable.hg/tools/examples/xend-config.sxp
+++ root/xen-unstable.hg/tools/examples/xend-config.sxp
@@ -196,4 +196,5 @@
 # when not specififed in VM's configuration
 #(keymap 'en-us')
 
-
+# Script to run when the label of a resource has changed.
+#(resource-label-change-script '')