Index: root/xen-unstable.hg/tools/python/xen/xm/main.py
===================================================================
--- root.orig/xen-unstable.hg/tools/python/xen/xm/main.py
+++ root/xen-unstable.hg/tools/python/xen/xm/main.py
@@ -855,7 +855,13 @@ def parse_doms_info(info):
 from xen.util import security
 parsed_info['seclabel'] = security.get_security_printlabel(info)
 else:
- parsed_info['seclabel'] = ""
+ label = get_info('security_label', str, '')
+ tmp = label.split(":")
+ if len(tmp) != 3:
+ label = ""
+ else:
+ label = tmp[2]
+ parsed_info['seclabel'] = label
 if serverType == SERVER_XEN_API:
 parsed_info['mem'] = get_info('memory_actual', int, 0) / 1024
@@ -920,21 +926,19 @@ def xm_label_list(doms):
 format = '%(name)-32s %(domid)3s %(mem)5d %(vcpus)5d %(state)10s ' \
 '%(cpu_time)8.1f %(seclabel)9s'
- if serverType != SERVER_XEN_API:
- from xen.util import security
+ from xen.util import security
- for dom in doms:
- d = parse_doms_info(dom)
-
- if security.active_policy not in ['INACTIVE', 'NULL', 'DEFAULT']:
- if not d['seclabel']:
- d['seclabel'] = 'ERROR'
- elif security.active_policy in ['DEFAULT']:
- d['seclabel'] = 'DEFAULT'
- else:
- d['seclabel'] = 'INACTIVE'
+ for dom in doms:
+ d = parse_doms_info(dom)
+ if security.active_policy not in ['INACTIVE', 'NULL', 'DEFAULT']:
+ if not d['seclabel']:
+ d['seclabel'] = 'ERROR'
+ elif security.active_policy in ['DEFAULT']:
+ d['seclabel'] = 'DEFAULT'
+ else:
+ d['seclabel'] = 'INACTIVE'
- output.append((format % d, d['seclabel']))
+ output.append((format % d, d['seclabel']))
 #sort by labels
 output.sort(lambda x,y: cmp( x[1].lower(), y[1].lower()))
Index: root/xen-unstable.hg/tools/python/xen/xend/XendAPI.py
===================================================================
--- root.orig/xen-unstable.hg/tools/python/xen/xend/XendAPI.py
+++ root/xen-unstable.hg/tools/python/xen/xend/XendAPI.py
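Review bot: In the new `else` branch of parse_doms_info, any `security_label` that does not split into exactly three `:`-separated fields is replaced by an empty string, so a malformed or unexpected label from the server is displayed exactly like an unlabeled domain. Only the third field is kept, which drops the first two fields (presumably policy type and policy name; the format is not shown here), so equal label names under different policies cannot be told apart in the listing. I would add a comment stating the expected format, e.g. `# security_label is "<field1>:<field2>:<label>"; anything else is shown as unlabeled`, and consider `label.split(":", 2)` if the last field may itself contain a colon. The function body starts and ends outside the hunk.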
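Review bot: With the `serverType != SERVER_XEN_API` guard removed, xm_label_list reads `security.active_policy` from the locally imported `xen.util.security` module for Xen-API sessions too, while `d['seclabel']` now comes from the server's `security_label` field. If the Xen-API server can be a different host from the one running xm (not visible here), the ERROR/DEFAULT/INACTIVE decision is made against the wrong machine's policy state. A comment such as `# NOTE: active_policy is local state; for Xen-API sessions it should be queried from the server` would record the limitation until such a query exists. The function continues outside the hunk.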
@@ -1268,7 +1268,8 @@ class XendAPI(object):
 'HVM_boot_params',
 'platform',
 'PCI_bus',
- 'other_config']
+ 'other_config',
+ 'security_label']
 VM_methods = [('clone', 'VM'),
 ('start', None),
@@ -1327,7 +1328,8 @@ class XendAPI(object):
 'HVM_boot_params',
 'platform',
 'PCI_bus',
- 'other_config']
+ 'other_config',
+ 'security_label']
 def VM_get(self, name, session, vm_ref):
 return xen_api_success(
@@ -1689,7 +1691,17 @@ class XendAPI(object):
 if dom:
 return xen_api_success([dom.get_uuid()])
 return xen_api_success([])
-
+
+ def VM_get_security_label(self, session, vm_ref):
+ dom = XendDomain.instance().get_vm_by_uuid(vm_ref)
+ if not dom:
+ return xen_api_error(['VM_HANDLE_INVALID', vm_ref])
+ label = dom.get_security_label()
+ return xen_api_success(label)
+
+ def VM_set_security_label(self, session, vm_ref, sec_label, old_label):
+ return xen_api_todo()
+
 def VM_create(self, session, vm_struct):
 xendom = XendDomain.instance()
 domuuid = XendTask.log_progress(0, 100,
@@ -1742,7 +1754,8 @@ class XendAPI(object):
 'other_config': xeninfo.info.get('other_config', {}),
 'domid': domid is None and -1 or domid,
 'is_control_domain': xeninfo.info['is_control_domain'],
- 'metrics': xeninfo.get_metrics()
+ 'metrics': xeninfo.get_metrics(),
+ 'security_label': xeninfo.get_security_label(),
 }
 return xen_api_success(record)
Index: root/xen-unstable.hg/tools/python/xen/xend/XendDomainInfo.py
===================================================================
--- root.orig/xen-unstable.hg/tools/python/xen/xend/XendDomainInfo.py
+++ root/xen-unstable.hg/tools/python/xen/xend/XendDomainInfo.py
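Review bot: `VM_set_security_label` in the `@@ -1689` hunk only returns `xen_api_todo()`, yet the same patch documents the RPC and ships a C binding for it, so clients see a call that looks available but does nothing, and neither new method has a docstring saying so. Relabeling a VM changes which access-control decisions apply to it, so the stub should record what the real implementation must enforce, for example `"""Not implemented yet. Must compare old_label with the current label before relabeling."""`. `VM_get_security_label` would benefit from a one-line docstring naming the label format it returns. The API documentation added in this patch gives `string` in the setter's signature but `int` as its return type; the implementation should settle which one applies.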
@@ -2113,7 +2113,10 @@ class XendDomainInfo:
 return self.info.get('tools_version', {})
 def get_metrics(self):
 return self.metrics.get_uuid();
-
+
+ def get_security_label(self):
+ return "TBD:TBD:TBD"
+
 def get_on_shutdown(self):
 after_shutdown = self.info.get('actions_after_shutdown')
 if not after_shutdown or after_shutdown not in XEN_API_ON_NORMAL_EXIT:
Index: root/xen-unstable.hg/docs/xen-api/xenapi-datamodel.tex
===================================================================
--- root.orig/xen-unstable.hg/docs/xen-api/xenapi-datamodel.tex
+++ root/xen-unstable.hg/docs/xen-api/xenapi-datamodel.tex
@@ -1153,6 +1153,7 @@ $\mathit{RO}_\mathit{run}$ & {\tt domid
 $\mathit{RO}_\mathit{run}$ & {\tt is\_control\_domain} & bool & true if this is a control domain (domain 0 or a driver domain) \\
 $\mathit{RO}_\mathit{run}$ & {\tt metrics} & VM\_metrics ref & metrics associated with this VM \\
 $\mathit{RO}_\mathit{run}$ & {\tt guest\_metrics} & VM\_guest\_metrics ref & metrics associated with the running guest \\
+$\mathit{RO}_\mathit{run}$ & {\tt security/label} & string & the VM's security label \\
 \hline
 \end{longtable}
 \subsection{RPCs associated with class: VM}
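Review bot: `get_security_label` returns the constant `"TBD:TBD:TBD"`, which has exactly the three `:`-separated fields that parse_doms_info in xm/main.py accepts, so every domain is reported with the label `TBD`. In xm_label_list that non-empty value also bypasses the `if not d['seclabel']` branch that sets `'ERROR'`, so an unlabeled domain under an active policy is no longer flagged. Until the real lookup exists I would return an empty string and mark it: `return ""  # TODO: return the domain's real security label`.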
@@ -3918,6 +3919,78 @@ Get the guest\_metrics field of the give
 \end{tabular}
 \vspace{0.3cm}
+\subsubsection{RPC name:~get\_security\_label}
+
+{\bf Overview:}
+Get the security label field of the given VM.
+
+
+ \noindent {\bf Signature:}
+\begin{verbatim} string get_security_label (session_id s, VM ref self)\end{verbatim}
+
+
+\noindent{\bf Arguments:}
+
+
+\vspace{0.3cm}
+\begin{tabular}{|c|c|p{7cm}|}
+ \hline
+{\bf type} & {\bf name} & {\bf description} \\ \hline
+{\tt VM ref } & self & reference to the object \\ \hline
+
+\end{tabular}
+
+\vspace{0.3cm}
+
+ \noindent {\bf Return Type:}
+{\tt
+string
+}
+
+
+value of the field
+\vspace{0.3cm}
+\vspace{0.3cm}
+\vspace{0.3cm}
+\subsubsection{RPC name:~set\_security\_label}
+
+{\bf Overview:}
+Set the security label field of the given VM. Refer to the XSPolicy class
+for the format of the security label.
+
+ \noindent {\bf Signature:}
+\begin{verbatim} string set_security_label (session_id s, VM ref self, string
+security_label, string old_label)\end{verbatim}
+
+
+\noindent{\bf Arguments:}
+
+
+\vspace{0.3cm}
+\begin{tabular}{|c|c|p{7cm}|}
+ \hline
+{\bf type} & {\bf name} & {\bf description} \\ \hline
+{\tt VM ref } & self & reference to the object \\ \hline
+{\tt string } & security\_label & security label for the VM \\ \hline
+{\tt string } & old\_label & Optional old security label that the security
+label must currently have for the change to succeed\\ \hline
+
+\end{tabular}
+
+\vspace{0.3cm}
+
+ \noindent {\bf Return Type:}
+{\tt
+int
+}
+
+
+Returns the ssidref in case of an VM that is currently running or
+paused, zero in case of a dormant VM (halted, suspended) or a negative
+error value in case an error occurred.
+\vspace{0.3cm}
+\vspace{0.3cm}
+\vspace{0.3cm}
 \noindent {\bf Return Type:}
 {\tt
Index: root/xen-unstable.hg/tools/libxen/src/xen_vm.c
===================================================================
--- root.orig/xen-unstable.hg/tools/libxen/src/xen_vm.c
+++ root/xen-unstable.hg/tools/libxen/src/xen_vm.c
@@ -1636,3 +1636,42 @@ xen_vm_get_uuid(xen_session *session, ch
 XEN_CALL_("VM.get_uuid");
 return session->ok;
 }
+
+
+bool
+xen_vm_set_security_label(xen_session *session, int64_t *result, xen_vm vm,
+ char *label, char *oldlabel)
+{
+ abstract_value param_values[] =
+ {
+ { .type = &abstract_type_string,
+ .u.string_val = vm },
+ { .type = &abstract_type_string,
+ .u.string_val = label },
+ { .type = &abstract_type_string,
+ .u.string_val = oldlabel },
+ };
+
+ abstract_type result_type = abstract_type_int;
+
+ *result = 0;
+ XEN_CALL_("VM.set_security_label");
+ return session->ok;
+}
+
+
+bool
+xen_vm_get_security_label(xen_session *session, char **result, xen_vm vm)
+{
+ abstract_value param_values[] =
+ {
+ { .type = &abstract_type_string,
+ .u.string_val = vm },
+ };
+
+ abstract_type result_type = abstract_type_string;
+
+ *result = NULL;
+ XEN_CALL_("VM.get_security_label");
+ return session->ok;
+}
Index: root/xen-unstable.hg/tools/libxen/include/xen_vm.h
===================================================================
--- root.orig/xen-unstable.hg/tools/libxen/include/xen_vm.h
+++ root/xen-unstable.hg/tools/libxen/include/xen_vm.h
@@ -844,4 +844,17 @@ extern bool
 xen_vm_get_all(xen_session *session, struct xen_vm_set **result);
+/**
+ * Set the security label of a domain.
+ */
+extern bool
+xen_vm_set_security_label(xen_session *session, int64_t *result, xen_vm vm,
+ char *label, char *oldlabel);
+
+/**
+ * Get the security label of a domain.
+ */
+extern bool
+xen_vm_get_security_label(xen_session *session, char **result, xen_vm vm);
+
 #endif
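Review bot: Neither new binding in xen_vm.c documents its `result` contract, and the xen_vm.h hunk has the same gap: its comments say only that the call sets or gets the security label of a domain. For `xen_vm_set_security_label` the API text in this patch defines the integer result as the ssidref for a running or paused VM, zero for a dormant one and negative on error, and calls `old_label` optional, but the binding passes `oldlabel` straight into `.u.string_val`. Whether NULL is accepted there is not visible, so the header comment should say what to pass when there is no old label. For `xen_vm_get_security_label`, `*result` is set to NULL before the call and presumably receives an allocated string on success, so the comment should state who frees it.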