---
 xen-unstable.hg/Config.mk                                                                |    2 
 xen-unstable.hg/docs/src/user.tex                                                        |   53 +-
 xen-unstable.hg/tools/security/Makefile                                                  |   15 
 xen-unstable.hg/tools/security/policies/example/chwall/client_v1-security_policy.xml     |   90 ----
 xen-unstable.hg/tools/security/policies/example/chwall_ste/client_v1-security_policy.xml |  194 ---------
 xen-unstable.hg/tools/security/policies/example/client_v1-security_policy.xml            |  195 ++++++++++
 xen-unstable.hg/tools/security/policies/example/test-security_policy.xml                 |   97 ++++
 xen-unstable.hg/tools/security/python/xensec_gen/cgi-bin/policy.cgi                      |    1 
 xen-unstable.hg/tools/security/xensec_ezpolicy                                           |    5 
 xen-unstable.hg/tools/xm-test/tests/security-acm/xm-test-security_policy.xml             |    1 
 10 files changed, 328 insertions(+), 325 deletions(-)

Index: root/xen-unstable.hg/tools/security/policies/example/chwall/client_v1-security_policy.xml
===================================================================
--- root.orig/xen-unstable.hg/tools/security/policies/example/chwall/client_v1-security_policy.xml
+++ /dev/null
@@ -1,90 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
-<!--             This file defines the security policies, which     -->
-<!--             can be enforced by the Xen Access Control Module.  -->
-<!--             Currently: Chinese Wall and Simple Type Enforcement-->
-<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
-	<PolicyHeader>
-		<PolicyName>example.chwall.client_v1</PolicyName>
-		<PolicyUrl>www.ibm.com/example/chwall/client_v1</PolicyUrl>
-		<Date>2006-03-31</Date>
-	</PolicyHeader>
-	<!--                                             -->
-	<!-- example of a chinese wall type definition   -->
-	<!-- along with its conflict sets                -->
-	<!-- (typse in a confict set are exclusive, i.e. -->
-	<!--  once a Domain with one type of a set is    -->
-	<!--  running, no other Domain with another type -->
-	<!--  of the same conflict set can start.)       -->
-	<ChineseWall priority="PrimaryPolicyComponent">
-		<ChineseWallTypes>
-			<Type>cw_SystemManagement</Type>
-			<Type>cw_Sensitive</Type>
-			<Type>cw_Isolated</Type>
-			<Type>cw_Distrusted</Type>
-		</ChineseWallTypes>
-		<ConflictSets>
-			<Conflict name="Protection1">
-				<Type>cw_Sensitive</Type>
-				<Type>cw_Distrusted</Type>
-			</Conflict>
-		</ConflictSets>
-	</ChineseWall>
-	<SecurityLabelTemplate>
-		<SubjectLabels bootstrap="dom_SystemManagement">
-			<!-- single ste typed domains            -->
-			<!-- ACM enforces that only domains with -->
-			<!-- the same type can share information -->
-			<!--                                     -->
-			<!-- Bootstrap label is assigned to Dom0 -->
-			<VirtualMachineLabel>
-				<Name>dom_HomeBanking</Name>
-				<ChineseWallTypes>
-					<Type>cw_Sensitive</Type>
-				</ChineseWallTypes>
-			</VirtualMachineLabel>
-
-			<VirtualMachineLabel>
-				<Name>dom_Fun</Name>
-				<ChineseWallTypes>
-					<Type>cw_Distrusted</Type>
-				</ChineseWallTypes>
-			</VirtualMachineLabel>
-
-			<VirtualMachineLabel>
-				<!-- donating some cycles to seti@home -->
-				<Name>dom_BoincClient</Name>
-				<ChineseWallTypes>
-					<Type>cw_Isolated</Type>
-				</ChineseWallTypes>
-			</VirtualMachineLabel>
-
-			<!-- Domains with multiple ste types services; such domains   -->
-			<!-- must keep the types inside their domain safely confined. -->
-			<VirtualMachineLabel>
-				<Name>dom_SystemManagement</Name>
-				<ChineseWallTypes>
-					<Type>cw_SystemManagement</Type>
-				</ChineseWallTypes>
-			</VirtualMachineLabel>
-
-			<VirtualMachineLabel>
-				<!-- serves persistent storage to other domains -->
-				<Name>dom_StorageDomain</Name>
-				<ChineseWallTypes>
-					<Type>cw_SystemManagement</Type>
-				</ChineseWallTypes>
-			</VirtualMachineLabel>
-
-			<VirtualMachineLabel>
-				<!-- serves network access to other domains -->
-				<Name>dom_NetworkDomain</Name>
-				<ChineseWallTypes>
-					<Type>cw_SystemManagement</Type>
-				</ChineseWallTypes>
-			</VirtualMachineLabel>
-		</SubjectLabels>
-	</SecurityLabelTemplate>
-
-</SecurityPolicyDefinition>
-
Index: root/xen-unstable.hg/tools/security/policies/example/chwall_ste/client_v1-security_policy.xml
===================================================================
--- root.orig/xen-unstable.hg/tools/security/policies/example/chwall_ste/client_v1-security_policy.xml
+++ /dev/null
@@ -1,194 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
-<!--             This file defines the security policies, which     -->
-<!--             can be enforced by the Xen Access Control Module.  -->
-<!--             Currently: Chinese Wall and Simple Type Enforcement-->
-<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
-	<PolicyHeader>
-		<PolicyName>example.chwall_ste.client_v1</PolicyName>
-		<PolicyUrl>www.ibm.com/example/chwall_ste/client_v1</PolicyUrl>
-		<Date>2006-03-31</Date>
-	</PolicyHeader>
-	<!--                                                        -->
-	<!-- example of a simple type enforcement policy definition -->
-	<!--                                                        -->
-	<SimpleTypeEnforcement>
-		<SimpleTypeEnforcementTypes>
-			<Type>ste_SystemManagement</Type><!-- machine/security management -->
-			<Type>ste_PersonalFinances</Type><!-- personal finances -->
-			<Type>ste_InternetInsecure</Type><!-- games, active X, etc. -->
-			<Type>ste_DonatedCycles</Type><!-- donation to BOINC/seti@home -->
-			<Type>ste_PersistentStorageA</Type><!-- domain managing the harddrive A-->
-			<Type>ste_NetworkAdapter0</Type><!-- type of the domain managing ethernet adapter 0-->
-		</SimpleTypeEnforcementTypes>
-	</SimpleTypeEnforcement>
-	<!--                                             -->
-	<!-- example of a chinese wall type definition   -->
-	<!-- along with its conflict sets                -->
-	<!-- (typse in a confict set are exclusive, i.e. -->
-	<!--  once a Domain with one type of a set is    -->
-	<!--  running, no other Domain with another type -->
-	<!--  of the same conflict set can start.)       -->
-	<ChineseWall priority="PrimaryPolicyComponent">
-		<ChineseWallTypes>
-			<Type>cw_SystemManagement</Type>
-			<Type>cw_Sensitive</Type>
-			<Type>cw_Isolated</Type>
-			<Type>cw_Distrusted</Type>
-		</ChineseWallTypes>
-
-		<ConflictSets>
-			<Conflict name="Protection1">
-				<Type>cw_Sensitive</Type>
-				<Type>cw_Distrusted</Type>
-			</Conflict>
-		</ConflictSets>
-	</ChineseWall>
-	<SecurityLabelTemplate>
-		<SubjectLabels bootstrap="dom_SystemManagement">
-			<!-- single ste typed domains            -->
-			<!-- ACM enforces that only domains with -->
-			<!-- the same type can share information -->
-			<!--                                     -->
-			<!-- Bootstrap label is assigned to Dom0 -->
-			<VirtualMachineLabel>
-				<Name>dom_HomeBanking</Name>
-				<SimpleTypeEnforcementTypes>
-					<Type>ste_PersonalFinances</Type>
-				</SimpleTypeEnforcementTypes>
-
-				<ChineseWallTypes>
-					<Type>cw_Sensitive</Type>
-				</ChineseWallTypes>
-			</VirtualMachineLabel>
-
-			<VirtualMachineLabel>
-				<Name>dom_Fun</Name>
-				<SimpleTypeEnforcementTypes>
-					<Type>ste_InternetInsecure</Type>
-				</SimpleTypeEnforcementTypes>
-
-				<ChineseWallTypes>
-					<Type>cw_Distrusted</Type>
-				</ChineseWallTypes>
-			</VirtualMachineLabel>
-
-			<VirtualMachineLabel>
-				<!-- donating some cycles to seti@home -->
-				<Name>dom_BoincClient</Name>
-				<SimpleTypeEnforcementTypes>
-					<Type>ste_DonatedCycles</Type>
-				</SimpleTypeEnforcementTypes>
-
-				<ChineseWallTypes>
-					<Type>cw_Isolated</Type>
-				</ChineseWallTypes>
-			</VirtualMachineLabel>
-
-			<!-- Domains with multiple ste types services; such domains   -->
-			<!-- must keep the types inside their domain safely confined. -->
-			<VirtualMachineLabel>
-				<Name>dom_SystemManagement</Name>
-				<SimpleTypeEnforcementTypes>
-					<!-- since dom0 needs access to every domain and -->
-					<!-- resource right now ... -->
-					<Type>ste_SystemManagement</Type>
-					<Type>ste_PersonalFinances</Type>
-					<Type>ste_InternetInsecure</Type>
-					<Type>ste_DonatedCycles</Type>
-					<Type>ste_PersistentStorageA</Type>
-					<Type>ste_NetworkAdapter0</Type>
-				</SimpleTypeEnforcementTypes>
-
-				<ChineseWallTypes>
-					<Type>cw_SystemManagement</Type>
-				</ChineseWallTypes>
-			</VirtualMachineLabel>
-
-			<VirtualMachineLabel>
-				<!-- serves persistent storage to other domains -->
-				<Name>dom_StorageDomain</Name>
-				<SimpleTypeEnforcementTypes>
-					<!-- access right to the resource (hard drive a) -->
-					<Type>ste_PersistentStorageA</Type>
-					<!-- can serve following types -->
-					<Type>ste_PersonalFinances</Type>
-					<Type>ste_InternetInsecure</Type>
-				</SimpleTypeEnforcementTypes>
-
-				<ChineseWallTypes>
-					<Type>cw_SystemManagement</Type>
-				</ChineseWallTypes>
-			</VirtualMachineLabel>
-
-			<VirtualMachineLabel>
-				<!-- serves network access to other domains -->
-				<Name>dom_NetworkDomain</Name>
-				<SimpleTypeEnforcementTypes>
-					<!-- access right to the resource (ethernet card) -->
-					<Type>ste_NetworkAdapter0</Type>
-					<!-- can serve following types -->
-					<Type>ste_PersonalFinances</Type>
-					<Type>ste_InternetInsecure</Type>
-					<Type>ste_DonatedCycles</Type>
-				</SimpleTypeEnforcementTypes>
-
-				<ChineseWallTypes>
-					<Type>cw_SystemManagement</Type>
-				</ChineseWallTypes>
-			</VirtualMachineLabel>
-		</SubjectLabels>
-
-		<ObjectLabels>
-			<ResourceLabel>
-				<Name>res_ManagementResource</Name>
-				<SimpleTypeEnforcementTypes>
-					<Type>ste_SystemManagement</Type>
-				</SimpleTypeEnforcementTypes>
-			</ResourceLabel>
-
-			<ResourceLabel>
-				<Name>res_HardDrive(hda)</Name>
-				<SimpleTypeEnforcementTypes>
-					<Type>ste_PersistentStorageA</Type>
-				</SimpleTypeEnforcementTypes>
-			</ResourceLabel>
-
-			<ResourceLabel>
-				<Name>res_LogicalDiskPartition1(hda1)</Name>
-				<SimpleTypeEnforcementTypes>
-					<Type>ste_PersonalFinances</Type>
-				</SimpleTypeEnforcementTypes>
-			</ResourceLabel>
-
-			<ResourceLabel>
-				<Name>res_LogicalDiskPartition2(hda2)</Name>
-				<SimpleTypeEnforcementTypes>
-					<Type>ste_InternetInsecure</Type>
-				</SimpleTypeEnforcementTypes>
-			</ResourceLabel>
-
-			<ResourceLabel>
-				<Name>res_EthernetCard</Name>
-				<SimpleTypeEnforcementTypes>
-					<Type>ste_NetworkAdapter0</Type>
-				</SimpleTypeEnforcementTypes>
-			</ResourceLabel>
-
-			<ResourceLabel>
-				<Name>res_SecurityToken</Name>
-				<SimpleTypeEnforcementTypes>
-					<Type>ste_PersonalFinances</Type>
-				</SimpleTypeEnforcementTypes>
-			</ResourceLabel>
-
-			<ResourceLabel>
-				<Name>res_GraphicsAdapter</Name>
-				<SimpleTypeEnforcementTypes>
-					<Type>ste_SystemManagement</Type>
-				</SimpleTypeEnforcementTypes>
-			</ResourceLabel>
-		</ObjectLabels>
-	</SecurityLabelTemplate>
-</SecurityPolicyDefinition>
-
Index: root/xen-unstable.hg/docs/src/user.tex
===================================================================
--- root.orig/xen-unstable.hg/docs/src/user.tex
+++ root/xen-unstable.hg/docs/src/user.tex
@@ -2673,33 +2673,34 @@ one of these workload types. The XML Pol
       xsi:schemaLocation=
           "http://www.ibm.com ../../security_policy.xsd ">
 04     <PolicyHeader>
-05         <PolicyName>example.chwall_ste.test</PolicyName>
+05         <PolicyName>example.test</PolicyName>
 06         <Date>Wed Jul 12 17:32:59 2006</Date>
-07     </PolicyHeader>
-08
-09     <SimpleTypeEnforcement>
-10         <SimpleTypeEnforcementTypes>
-11             <Type>SystemManagement</Type>
-12             <Type>PepsiCo</Type>
-13             <Type>CocaCola</Type>
-14         </SimpleTypeEnforcementTypes>
-15     </SimpleTypeEnforcement>
-16
-17     <ChineseWall priority="PrimaryPolicyComponent">
-18         <ChineseWallTypes>
-19             <Type>SystemManagement</Type>
-20             <Type>PepsiCo</Type>
-21             <Type>CocaCola</Type>
-22         </ChineseWallTypes>
-23
-24         <ConflictSets>
-25             <Conflict name="RER1">
-26                 <Type>CocaCola</Type>
-27                 <Type>PepsiCo</Type>
-28             </Conflict>
-29        </ConflictSets>
-30     </ChineseWall>
-31
+07         <Version>1.0</Version>
+08     </PolicyHeader>
+09
+10     <SimpleTypeEnforcement>
+11         <SimpleTypeEnforcementTypes>
+12             <Type>SystemManagement</Type>
+13             <Type>PepsiCo</Type>
+14             <Type>CocaCola</Type>
+15         </SimpleTypeEnforcementTypes>
+16     </SimpleTypeEnforcement>
+17
+18     <ChineseWall priority="PrimaryPolicyComponent">
+19         <ChineseWallTypes>
+20             <Type>SystemManagement</Type>
+21             <Type>PepsiCo</Type>
+22             <Type>CocaCola</Type>
+23         </ChineseWallTypes>
+24
+25         <ConflictSets>
+26             <Conflict name="RER1">
+27                 <Type>CocaCola</Type>
+28                 <Type>PepsiCo</Type>
+29             </Conflict>
+30        </ConflictSets>
+31     </ChineseWall>
+32
 \end{verbatim}
 \end{scriptsize}
 \caption{Example XML security policy file -- Part I: Types and Rules Definition.}
Index: root/xen-unstable.hg/tools/security/xensec_ezpolicy
===================================================================
--- root.orig/xen-unstable.hg/tools/security/xensec_ezpolicy
+++ root/xen-unstable.hg/tools/security/xensec_ezpolicy
@@ -1131,15 +1131,16 @@ def dict_read(dictname, filename):
 
 #==================== Policy Generation/Translation functions
 
-def printPolicyHeader (fd, policyname, timestamp):
+def printPolicyHeader (fd, policyname, timestamp, version="1.0"):
     fd.write( """<?xml version=\"1.0\" encoding=\"UTF-8\"?>
 <!-- Auto-generated by ezPolicy        -->
 <SecurityPolicyDefinition xmlns=\"http://www.ibm.com\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd \">
     <PolicyHeader>
         <PolicyName>%s</PolicyName>
         <Date>%s</Date>
+        <Version>%s</Version>
     </PolicyHeader>
-""" % (policyname, timestamp))
+""" % (policyname, timestamp, version))
 
 
 
Index: root/xen-unstable.hg/tools/security/policies/example/client_v1-security_policy.xml
===================================================================
--- /dev/null
+++ root/xen-unstable.hg/tools/security/policies/example/client_v1-security_policy.xml
@@ -0,0 +1,195 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
+	<PolicyHeader>
+		<PolicyName>example.client_v1</PolicyName>
+		<PolicyUrl>www.ibm.com/example/client_v1</PolicyUrl>
+		<Date>2006-03-31</Date>
+		<Version>1.0</Version>
+	</PolicyHeader>
+	<!--                                                        -->
+	<!-- example of a simple type enforcement policy definition -->
+	<!--                                                        -->
+	<SimpleTypeEnforcement>
+		<SimpleTypeEnforcementTypes>
+			<Type>ste_SystemManagement</Type><!-- machine/security management -->
+			<Type>ste_PersonalFinances</Type><!-- personal finances -->
+			<Type>ste_InternetInsecure</Type><!-- games, active X, etc. -->
+			<Type>ste_DonatedCycles</Type><!-- donation to BOINC/seti@home -->
+			<Type>ste_PersistentStorageA</Type><!-- domain managing the harddrive A-->
+			<Type>ste_NetworkAdapter0</Type><!-- type of the domain managing ethernet adapter 0-->
+		</SimpleTypeEnforcementTypes>
+	</SimpleTypeEnforcement>
+	<!--                                             -->
+	<!-- example of a chinese wall type definition   -->
+	<!-- along with its conflict sets                -->
+	<!-- (typse in a confict set are exclusive, i.e. -->
+	<!--  once a Domain with one type of a set is    -->
+	<!--  running, no other Domain with another type -->
+	<!--  of the same conflict set can start.)       -->
+	<ChineseWall priority="PrimaryPolicyComponent">
+		<ChineseWallTypes>
+			<Type>cw_SystemManagement</Type>
+			<Type>cw_Sensitive</Type>
+			<Type>cw_Isolated</Type>
+			<Type>cw_Distrusted</Type>
+		</ChineseWallTypes>
+
+		<ConflictSets>
+			<Conflict name="Protection1">
+				<Type>cw_Sensitive</Type>
+				<Type>cw_Distrusted</Type>
+			</Conflict>
+		</ConflictSets>
+	</ChineseWall>
+	<SecurityLabelTemplate>
+		<SubjectLabels bootstrap="dom_SystemManagement">
+			<!-- single ste typed domains            -->
+			<!-- ACM enforces that only domains with -->
+			<!-- the same type can share information -->
+			<!--                                     -->
+			<!-- Bootstrap label is assigned to Dom0 -->
+			<VirtualMachineLabel>
+				<Name>dom_HomeBanking</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersonalFinances</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_Sensitive</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<Name>dom_Fun</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_InternetInsecure</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_Distrusted</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- donating some cycles to seti@home -->
+				<Name>dom_BoincClient</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_DonatedCycles</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_Isolated</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<!-- Domains with multiple ste types services; such domains   -->
+			<!-- must keep the types inside their domain safely confined. -->
+			<VirtualMachineLabel>
+				<Name>dom_SystemManagement</Name>
+				<SimpleTypeEnforcementTypes>
+					<!-- since dom0 needs access to every domain and -->
+					<!-- resource right now ... -->
+					<Type>ste_SystemManagement</Type>
+					<Type>ste_PersonalFinances</Type>
+					<Type>ste_InternetInsecure</Type>
+					<Type>ste_DonatedCycles</Type>
+					<Type>ste_PersistentStorageA</Type>
+					<Type>ste_NetworkAdapter0</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- serves persistent storage to other domains -->
+				<Name>dom_StorageDomain</Name>
+				<SimpleTypeEnforcementTypes>
+					<!-- access right to the resource (hard drive a) -->
+					<Type>ste_PersistentStorageA</Type>
+					<!-- can serve following types -->
+					<Type>ste_PersonalFinances</Type>
+					<Type>ste_InternetInsecure</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- serves network access to other domains -->
+				<Name>dom_NetworkDomain</Name>
+				<SimpleTypeEnforcementTypes>
+					<!-- access right to the resource (ethernet card) -->
+					<Type>ste_NetworkAdapter0</Type>
+					<!-- can serve following types -->
+					<Type>ste_PersonalFinances</Type>
+					<Type>ste_InternetInsecure</Type>
+					<Type>ste_DonatedCycles</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+		</SubjectLabels>
+
+		<ObjectLabels>
+			<ResourceLabel>
+				<Name>res_ManagementResource</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_SystemManagement</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_HardDrive(hda)</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersistentStorageA</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_LogicalDiskPartition1(hda1)</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersonalFinances</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_LogicalDiskPartition2(hda2)</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_InternetInsecure</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_EthernetCard</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_NetworkAdapter0</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_SecurityToken</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersonalFinances</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_GraphicsAdapter</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_SystemManagement</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+		</ObjectLabels>
+	</SecurityLabelTemplate>
+</SecurityPolicyDefinition>
+
Index: root/xen-unstable.hg/tools/security/Makefile
===================================================================
--- root.orig/xen-unstable.hg/tools/security/Makefile
+++ root/xen-unstable.hg/tools/security/Makefile
@@ -16,12 +16,6 @@ LDFLAGS    += $(shell xml2-config --libs
 ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_NULL_POLICY)
 POLICY=null
 endif
-ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_CHINESE_WALL_POLICY)
-POLICY=chwall
-endif
-ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY)
-POLICY=ste
-endif
 ifeq ($(ACM_DEFAULT_SECURITY_POLICY),ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY)
 POLICY=chwall_ste
 endif
@@ -46,7 +40,7 @@ ACM_SECGEN_HTMLDIR= /var/lib/xensec_gen
 ACM_SECGEN_CGIDIR = $(ACM_SECGEN_HTMLDIR)/cgi-bin
 
 ACM_SCHEMA        = security_policy.xsd
-ACM_EXAMPLES      = chwall ste chwall_ste
+ACM_EXAMPLES      = client_v1 test
 ACM_POLICY_SUFFIX = security_policy.xml
 
 ifeq ($(ACM_SECURITY),y)
@@ -66,8 +60,7 @@ install: all $(ACM_CONFIG_FILE)
 	$(INSTALL_DATA) policies/$(ACM_SCHEMA) $(DESTDIR)$(ACM_POLICY_DIR)
 	$(INSTALL_DIR) $(DESTDIR)$(ACM_POLICY_DIR)/example
 	for i in $(ACM_EXAMPLES); do \
-		$(INSTALL_DIR) $(DESTDIR)$(ACM_POLICY_DIR)/example/$$i; \
-		$(INSTALL_DATA) policies/example/$$i/client_v1-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/example/$$i; \
+		$(INSTALL_DATA) policies/example/$$i-$(ACM_POLICY_SUFFIX) $(DESTDIR)$(ACM_POLICY_DIR)/example/; \
 	done
 	$(INSTALL_DIR) $(DESTDIR)$(ACM_SCRIPT_DIR)
 	$(INSTALL_PROG) $(ACM_SCRIPTS) $(DESTDIR)$(ACM_SCRIPT_DIR)
@@ -94,10 +87,10 @@ build: $(ACM_INST_TOOLS) $(ACM_NOINST_TO
 	chmod 700 $(ACM_SCRIPTS)
 
 xensec_tool: $(OBJS_TOOL)
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ -L$(XEN_LIBXC) -lxenctrl
+	$(CC) -g $(CFLAGS) $(LDFLAGS) -O0 -o $@ $^ -L$(XEN_LIBXC) -lxenctrl
 
 xensec_xml2bin: $(OBJS_XML2BIN)
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
+	$(CC) -g $(CFLAGS) $(LDFLAGS) -O0 -o $@ $^
 
 xensec_gen: xensec_gen.py
 	cp -f $^ $@
Index: root/xen-unstable.hg/tools/security/policies/example/test-security_policy.xml
===================================================================
--- /dev/null
+++ root/xen-unstable.hg/tools/security/policies/example/test-security_policy.xml
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Auto-generated by ezPolicy        -->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
+    <PolicyHeader>
+        <PolicyName>example.test</PolicyName>
+        <Date>Mon Apr 16 13:13:59 2007</Date>
+        <Version>1.0</Version>
+    </PolicyHeader>
+
+    <SimpleTypeEnforcement>
+        <SimpleTypeEnforcementTypes>
+            <Type>SystemManagement</Type>
+            <Type>PepsiCo</Type>
+            <Type>CocaCola</Type>
+        </SimpleTypeEnforcementTypes>
+    </SimpleTypeEnforcement>
+
+    <ChineseWall priority="PrimaryPolicyComponent">
+        <ChineseWallTypes>
+            <Type>SystemManagement</Type>
+            <Type>PepsiCo</Type>
+            <Type>CocaCola</Type>
+            <Type>VIOServer</Type>
+        </ChineseWallTypes>
+
+    </ChineseWall>
+
+    <SecurityLabelTemplate>
+        <SubjectLabels bootstrap="SystemManagement">
+            <VirtualMachineLabel>
+                <Name>SystemManagement</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>SystemManagement</Type>
+                    <Type>PepsiCo</Type>
+                    <Type>CocaCola</Type>
+                </SimpleTypeEnforcementTypes>
+                <ChineseWallTypes>
+                    <Type>SystemManagement</Type>
+                </ChineseWallTypes>
+            </VirtualMachineLabel>
+
+            <VirtualMachineLabel>
+                <Name>PepsiCo</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>PepsiCo</Type>
+                </SimpleTypeEnforcementTypes>
+                <ChineseWallTypes>
+                    <Type>PepsiCo</Type>
+                </ChineseWallTypes>
+            </VirtualMachineLabel>
+
+            <VirtualMachineLabel>
+                <Name>CocaCola</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>CocaCola</Type>
+                </SimpleTypeEnforcementTypes>
+                <ChineseWallTypes>
+                    <Type>CocaCola</Type>
+                </ChineseWallTypes>
+            </VirtualMachineLabel>
+
+            <VirtualMachineLabel>
+                <Name>VIO</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>CocaCola</Type>
+                    <Type>PepsiCo</Type>
+                </SimpleTypeEnforcementTypes>
+                <ChineseWallTypes>
+                    <Type>VIOServer</Type>
+                </ChineseWallTypes>
+            </VirtualMachineLabel>
+        </SubjectLabels>
+
+        <ObjectLabels>
+            <ResourceLabel>
+                <Name>SystemManagement</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>SystemManagement</Type>
+                </SimpleTypeEnforcementTypes>
+            </ResourceLabel>
+
+            <ResourceLabel>
+                <Name>PepsiCo</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>PepsiCo</Type>
+                </SimpleTypeEnforcementTypes>
+            </ResourceLabel>
+
+            <ResourceLabel>
+                <Name>CocaCola</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>CocaCola</Type>
+                </SimpleTypeEnforcementTypes>
+            </ResourceLabel>
+        </ObjectLabels>
+    </SecurityLabelTemplate>
+</SecurityPolicyDefinition>
Index: root/xen-unstable.hg/tools/security/python/xensec_gen/cgi-bin/policy.cgi
===================================================================
--- root.orig/xen-unstable.hg/tools/security/python/xensec_gen/cgi-bin/policy.cgi
+++ root/xen-unstable.hg/tools/security/python/xensec_gen/cgi-bin/policy.cgi
@@ -1816,6 +1816,7 @@ def sendPHeaderXml( ):
 	# Policy header definition
 	print '<PolicyHeader>'
 	print '  <PolicyName>' + formPolicyName[1] + '</PolicyName>'
+	print '  <Version>1.0</Version>'
 	if len( formPolicyUrl[1] ) > 0:
 		print '  <PolicyUrl>' + formPolicyUrl[1] + '</PolicyUrl>'
 	if len( formPolicyRef[1] ) > 0:
Index: root/xen-unstable.hg/tools/xm-test/tests/security-acm/xm-test-security_policy.xml
===================================================================
--- root.orig/xen-unstable.hg/tools/xm-test/tests/security-acm/xm-test-security_policy.xml
+++ root/xen-unstable.hg/tools/xm-test/tests/security-acm/xm-test-security_policy.xml
@@ -4,6 +4,7 @@
     <PolicyHeader>
         <PolicyName>xm-test</PolicyName>
         <Date>Fri Sep 29 14:44:38 2006</Date>
+        <Version>1.0</Version>
     </PolicyHeader>
 
     <SimpleTypeEnforcement>
Index: root/xen-unstable.hg/Config.mk
===================================================================
--- root.orig/xen-unstable.hg/Config.mk
+++ root/xen-unstable.hg/Config.mk
@@ -83,8 +83,6 @@ ACM_SECURITY ?= n
 # ACM_DEFAULT_SECURITY_POLICY
 # Supported models are:
 #	ACM_NULL_POLICY
-#	ACM_CHINESE_WALL_POLICY
-#	ACM_SIMPLE_TYPE_ENFORCEMENT_POLICY
 #	ACM_CHINESE_WALL_AND_SIMPLE_TYPE_ENFORCEMENT_POLICY
 ACM_DEFAULT_SECURITY_POLICY ?= ACM_NULL_POLICY