ia64/xen-unstable

changeset 16546:3df07c94c9aa

xm-test: An additional ACM security test case for the test suite.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author Keir Fraser <keir.fraser@citrix.com>
date Thu Dec 06 12:12:29 2007 +0000 (2007-12-06)
parents 0f9b5ab59579
children 3221dff4b460
files tools/xm-test/lib/XmTestLib/acm.py tools/xm-test/tests/security-acm/10_security-acm_pol_update.py tools/xm-test/tests/security-acm/Makefile.am tools/xm-test/tests/security-acm/xm-test-update-security_policy.xml
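--- a/tools/xm-test/lib/XmTestLib/acm.py
+++ b/tools/xm-test/lib/XmTestLib/acm.py
@@ -30,11 +30,17 @@ except:
 
 labeled_resources = {}
 acm_verbose = False
+policy='xm-test'
+
 
 def isACMEnabled():
     return security.on()
 
-def ACMSetPolicy(policy='xm-test'):
+def setCurrentPolicy(plcy):
+    global policy
+    policy = plcy
+
+def ACMSetPolicy():
     cmd='xm dumppolicy | grep -E "^POLICY REFERENCE = ' + policy + '.$"'
     s, o = traceCommand(cmd)
     if o != "":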
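Review bot: `setCurrentPolicy` stores whatever string it is given, and `ACMSetPolicy` then splices that module global into a shell pipeline and an extended regex (`'... = ' + policy + '.$"'`), so a name containing quotes, `$` or regex metacharacters changes the command that actually runs. Validating the name in the setter would close this, e.g. `if not re.match(r'^[A-Za-z0-9_.-]+$', plcy): raise ValueError(plcy)`, assuming `re` is available in this module. Dropping the `policy` parameter from `ACMSetPolicy` also breaks any caller that still passes one; callers are not visible here, and the function body continues past the end of the hunk.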
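--- /dev/null
+++ b/tools/xm-test/tests/security-acm/10_security-acm_pol_update.py
@@ -0,0 +1,350 @@
+#!/usr/bin/python
+
+# Copyright (C) International Business Machines Corp., 2006
+# Author: Stefan Berger <stefanb@us.ibm.com>
+#
+
+import os
+import re
+import commands
+from XmTestLib import *
+import xen.util.xsm.xsm as security
+from xen.util import xsconstants
+
+def checkLabel(labeldata, expected, domname):
+    if labeldata[0] != expected[0]:
+        FAIL("Policy type of %s is bad: %s" % (domname, labeldata[0]))
+    if labeldata[1] != expected[1]:
+        FAIL("Unexpected policy indicated in %s label '%s', expected '%s'." %
+             (domname, labeldata[1], expected[1]))
+    if labeldata[2] != expected[2]:
+        FAIL("%s does not have '%s' label but '%s'." %
+             (domname, expected[2], labeldata[2]))
+
+testpolicy = "xm-test"
+testlabel1 = "blue"
+testlabel2 = "red"
+testlabel3 = "green"
+
+s, o = traceCommand('xm resources | grep -E "^[phy|file|vlan]" ')
+resnames = []
+if o:
+    resnames = o.split('\n')
+
+    for res in resnames:
+        s, o = traceCommand('xm rmlabel res %s' % res)
+
+#Unlabeled domain must not start under xm-test policy
+domain_ul = XmTestDomain(name='domain-unlabeled',
+                         extraConfig=None)
+del domain_ul.config.opts['access_control']
+try:
+    domain_ul.start(noConsole=True)
+    FAIL("Could start unlabeled domain.")
+except DomainError, e:
+    pass
+
+
+config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel1)}
+
+domain_blue = XmTestDomain(name='domain-%s' % testlabel1,
+                           extraConfig=config)
+
+config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel3)}
+
+domain_green = XmTestDomain(name='domain-%s' % testlabel3,
+                            extraConfig=config)
+
+
+try:
+    domain_blue.start(noConsole=True)
+except DomainError, e:
+    if verbose:
+        print e.extra
+    FAIL("Unable to start blue labeled test domain")
+
+s, o = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
+if s:
+    FAIL("Could not get the label of Domain-0")
+
+info = o.strip().split(' ')
+labeldata = info[-1].split(':')
+if len(labeldata) != 3:
+    FAIL("Label of Domain-0 is bad: '%s'" % info[-1])
+checkLabel(labeldata,
+           [xsconstants.ACM_POLICY_ID, "xm-test", "SystemManagement"],
+           "Domain-0")
+
+# Should be able to set the Domain-0 label to blue
+s, o = traceCommand('xm addlabel blue mgt Domain-0')
+if s:
+    FAIL("Could not set the label of Domain-0 to 'blue'.")
+s,o = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
+if s:
+    FAIL("Could not get the label of Domain-0")
+
+info = o.strip().split()
+labeldata = info[-1].split(':')
+if len(labeldata) != 3:
+     FAIL("Label of Domain-0 is bad: '%s'" % info[-1])
+checkLabel(labeldata,
+           [xsconstants.ACM_POLICY_ID, "xm-test", "blue"],
+           "Domain-0")
+
+#Should not be able to set the label of Domain-0 to 'red'
+s, o = traceCommand('xm addlabel red mgt Domain-0')
+if not s:
+    FAIL("Could set the label of Domain-0 to 'red'.")
+s,o = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
+if s:
+    FAIL("Could not get the label of Domain-0")
+
+info = o.strip().split()
+labeldata = info[-1].split(':')
+if len(labeldata) != 3:
+     FAIL("Label of Domain-0 is bad: '%s'" % info[-1])
+checkLabel(labeldata,
+           [xsconstants.ACM_POLICY_ID, "xm-test", "blue"],
+           "Domain-0")
+
+# Should be able to set the label of Domain-0 to 'SystemManagement'
+s, o = traceCommand('xm addlabel SystemManagement mgt Domain-0')
+if s:
+    FAIL("Could not set the label of Domain-0 to 'SystemManagement'.")
+s,o = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
+if s:
+    FAIL("Could not get the label of Domain-0")
+
+info = o.strip().split()
+labeldata = info[-1].split(':')
+if len(labeldata) != 3:
+     FAIL("Label of Domain-0 is bad: '%s'" % info[-1])
+checkLabel(labeldata,
+           [xsconstants.ACM_POLICY_ID, "xm-test", "SystemManagement"],
+           "Domain-0")
+
+#Label some resource green
+#Label some resource red
+#Label some resource blue
+
+s, o = traceCommand('xm addlabel green res file:/tmp/green')
+if s:
+    FAIL("Could not label resource 'green'.")
+s, o = traceCommand('xm addlabel red res file:/tmp/red')
+if s:
+    FAIL("Could not label resource 'red'.")
+s, o = traceCommand('xm addlabel blue res file:/tmp/blue')
+if s:
+    FAIL("Could not label resrouce 'blue'")
+
+# Start a green domain
+try:
+    domain_green.start(noConsole=True)
+except DomainError, e:
+    if verbose:
+        print e.extra
+    FAIL("Unable to start green labeled test domain")
+
+# Update the system's policy. Should not work, since blue Domain is running
+s, o = traceCommand('xm setpolicy ACM xm-test-update')
+if not s:
+    FAIL("Could set the new policy even though blue domain is running.")
+
+s, o = traceCommand('xm getpolicy | grep "Policy name"')
+info = o.split(':')
+poldata = [i.strip() for i in info]
+
+if poldata[1] != 'xm-test':
+   FAIL("Policy should be 'xm-test' but is now '%s'." % poldata[1])
+
+# Check that no labels have changed
+s, o = traceCommand('xm getlabel res file:/tmp/green')
+if s:
+    FAIL("Could not get label for green resource.")
+label=o.strip()
+if label != 'ACM:xm-test:green':
+    FAIL("Label for green resource has changed to '%s', but should not have,"
+         % label)
+
+s, o = traceCommand('xm getlabel res file:/tmp/red')
+if s:
+    FAIL("Could not get label for red resource.")
+label=o.strip()
+if label != 'ACM:xm-test:red':
+    FAIL("Label for red resource has changed to '%s', but should not have,"
+         % label)
+
+s, o = traceCommand('xm getlabel res file:/tmp/blue')
+if s:
+    FAIL("Could not get label for blue resource.")
+label=o.strip()
+if label != 'ACM:xm-test:blue':
+    FAIL("Label for blue resource has changed to '%s', but should not have,"
+         % label)
+
+# Terminate blue domain
+domain_blue.stop()
+
+# Update the system's policy. Should work and rename the green domain to GREEN
+s, o = traceCommand('xm setpolicy ACM xm-test-update')
+if s:
+    FAIL("Could not set the new policy.")
+
+acm.setCurrentPolicy('xm-test-update')
+
+s, o = traceCommand('xm getpolicy | grep "Policy name"')
+info = o.split(':')
+poldata = [i.strip() for i in info]
+
+if poldata[1] != 'xm-test-update':
+   FAIL("Policy should be 'xm-test-update' but is now '%s'." % poldata[1])
+
+# check previously labeled resources
+#  - green should be GREEN now
+#  - blue should have been invalidated
+#  - red should be the same
+s, o = traceCommand('xm getlabel res file:/tmp/green')
+if s:
+    FAIL("Could not get label for GREEN resource.")
+label=o.strip()
+if label != 'ACM:xm-test-update:GREEN':
+    FAIL("Label for green resource has changed to '%s', but should not have,"
+         % label)
+
+s, o = traceCommand('xm getlabel res file:/tmp/red')
+if s:
+    FAIL("Could not get label for RED resource.")
+label=o.strip()
+if label != 'ACM:xm-test-update:RED':
+    FAIL("Label for RED resource has changed to '%s', expected is '%s',"
+         % (label,'ACM:xm-test-update:RED'))
+
+s, o = traceCommand('xm getlabel res file:/tmp/blue')
+if s:
+    FAIL("Could not get label for blue resource.")
+label=o.strip()
+if label != 'INV_ACM:xm-test:blue':
+    FAIL("Label for blue resource has changed to '%s', expected is '%s',"
+         % (label,'INV_ACM:xm-test:blue'))
+
+config = {"access_control":"policy=%s,label=%s" % ('xm-test-update',testlabel2)}
+
+domain_red = XmTestDomain(name='domain-%s' % testlabel2,
+                          extraConfig=config)
+
+# Start the red domain - should not work due to conflict set
+try:
+    domain_red.start(noConsole=True)
+    FAIL("Could start 'red' domain.")
+except DomainError, e:
+    pass
+
+# Terminate GREEN domain
+domain_green.destroy()
+
+# Start the red domain - should work now
+try:
+    domain_red.start()
+except DomainError, e:
+    FAIL("Could not start 'red' domain.")
+
+# Stop the red domain.
+domain_red.destroy()
+
+# Make Domain-0 GREEN
+s, o = traceCommand('xm addlabel GREEN mgt Domain-0')
+if s:
+    FAIL("Could not set Domain-0's label to 'GREEN'.")
+s,o = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
+if s:
+    FAIL("Could not get the label of Domain-0")
+
+info = o.strip().split()
+labeldata = info[-1].split(':')
+if len(labeldata) != 3:
+    FAIL("Label of Domain-0 is bad: '%s'" % info[-1])
+checkLabel(labeldata,
+           [xsconstants.ACM_POLICY_ID, "xm-test-update", "GREEN"],
+           "Domain-0")
+
+# Start the red domain - should not work due to conflict set
+try:
+    domain_red.start()
+    FAIL("Could start 'red' domain.")
+except DomainError, e:
+    pass
+
+# Set Domain-0's domain to SystemManagement
+s, o = traceCommand('xm addlabel SystemManagement mgt Domain-0')
+if s:
+    FAIL("Could not set Domain-0's label to SystemManagement.")
+
+# Start unlabeled domain - should work
+try:
+    domain_ul.start(noConsole=True)
+except DomainError, e:
+    FAIL("Could not start unlabeled domain.")
+
+# Stop red domain
+domain_red.destroy()
+
+# reset the policy - should not work
+s, o = traceCommand('xm resetpolicy')
+if not s:
+    FAIL("Could reset the policy.")
+
+# Stop unlabeled domain
+domain_ul.destroy()
+
+
+# Mark Domain-0 as red. This must not have any effect on the later reset
+s, o = traceCommand('xm addlabel red mgt Domain-0')
+if s:
+    FAIL("Could not set Domain-0's label to 'red'.")
+s,o = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
+if s:
+    FAIL("Could not get the label of Domain-0")
+
+info = o.strip().split()
+labeldata = info[-1].split(':')
+if len(labeldata) != 3:
+    FAIL("Label of Domain-0 is bad: '%s'" % info[-1])
+checkLabel(labeldata,
+           [xsconstants.ACM_POLICY_ID, "xm-test-update", "red"],
+           "Domain-0")
+
+# reset the policy - should work
+s, o = traceCommand('xm resetpolicy')
+if s:
+    FAIL("Could not reset the policy.")
+
+# check previously labeled resources
+#  - GREEN should be invalid
+#  - red should be invalid
+#  - blue should be invalid
+s, o = traceCommand('xm getlabel res file:/tmp/green')
+if s:
+    FAIL("Could not get label for GREEN resource.")
+label=o.strip()
+exp='INV_ACM:xm-test-update:GREEN'
+if label != exp:
+    FAIL("Label for green resource has changed to '%s', but should be '%s',"
+         % (label, exp))
+
+s, o = traceCommand('xm getlabel res file:/tmp/red')
+if s:
+    FAIL("Could not get label for RED resource.")
+label=o.strip()
+exp='INV_ACM:xm-test-update:RED'
+if label != exp:
+    FAIL("Label for RED resource has changed to '%s', but should be '%s'.,"
+         % (label, exp))
+
+s, o = traceCommand('xm getlabel res file:/tmp/blue')
+if s:
+    FAIL("Could not get label for blue resource.")
+label=o.strip()
+exp='INV_ACM:xm-test:blue'
+if label != exp:
+    FAIL("Label for blue resource has changed to '%s', but should be '%s',"
+         % (label, exp))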
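Review bot: The cleanup filter at the top of the script, `grep -E "^[phy|file|vlan]"`, is a bracket expression, so it matches any line starting with one of those single characters rather than one of the three resource prefixes; `grep -E "^(phy|file|vlan)"` is presumably what was meant. Every line that passes the filter is then interpolated unquoted into `xm rmlabel res %s`, so anything the filter lets through reaches the shell as part of the command. Separately, both `xm getpolicy | grep "Policy name"` checks index `poldata[1]` without testing `s`, which turns a failed command into an IndexError instead of a FAIL; `if s or len(poldata) < 2: FAIL("Could not read the policy name")` before the comparison would cover it.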
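--- a/tools/xm-test/tests/security-acm/Makefile.am
+++ b/tools/xm-test/tests/security-acm/Makefile.am
@@ -8,7 +8,8 @@ TESTS = 01_security-acm_basic.test \
         06_security-acm_dom_block_attach.test \
         07_security-acm_pol_update.test \
         08_security-acm_xapi.test \
-        09_security-acm_pol_update.test
+        09_security-acm_pol_update.test \
+        10_security-acm_pol_update.test
 
 XFAIL_TESTS =
 
@@ -19,8 +20,9 @@ TESTS_ENVIRONMENT=@TENV@
 	cp $< $@
 	chmod +x $@
 	@if [ -d /etc/xen/acm-security/policies ]; then \
-		cp -f xm-test-security_policy.xml      \
-		      /etc/xen/acm-security/policies;  \
+		cp -f xm-test-security_policy.xml       \
+		      xm-test-update-security_policy.xml\
+		      /etc/xen/acm-security/policies;   \
 	fi;
 
 clean-local: am_config_clean-local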
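--- /dev/null
+++ b/tools/xm-test/tests/security-acm/xm-test-update-security_policy.xml
@@ -0,0 +1,117 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Auto-generated by ezPolicy        -->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
+    <PolicyHeader>
+        <PolicyName>xm-test-update</PolicyName>
+        <Date>Fri Sep 29 14:44:38 2006</Date>
+        <Version>1.1</Version>
+        <FromPolicy>
+            <PolicyName>xm-test</PolicyName>
+            <Version>1.0</Version>
+        </FromPolicy>
+    </PolicyHeader>
+
+    <SimpleTypeEnforcement>
+        <SimpleTypeEnforcementTypes>
+            <Type>SystemManagement</Type>
+            <Type>GREEN</Type>
+            <Type>red</Type>
+            <Type>__UNLABELED__</Type>
+        </SimpleTypeEnforcementTypes>
+    </SimpleTypeEnforcement>
+
+    <ChineseWall priority="PrimaryPolicyComponent">
+        <ChineseWallTypes>
+            <Type>SystemManagement</Type>
+            <Type>GREEN</Type>
+            <Type>red</Type>
+            <Type>__UNLABELED__</Type>
+        </ChineseWallTypes>
+
+        <ConflictSets>
+            <Conflict name="RER">
+                <Type>GREEN</Type>
+                <Type>red</Type>
+            </Conflict>
+       </ConflictSets>
+    </ChineseWall>
+
+    <SecurityLabelTemplate>
+        <SubjectLabels bootstrap="SystemManagement">
+            <VirtualMachineLabel>
+                <Name>SystemManagement</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>SystemManagement</Type>
+                    <Type>GREEN</Type>
+                    <Type>red</Type>
+                    <Type>__UNLABELED__</Type>
+                </SimpleTypeEnforcementTypes>
+                <ChineseWallTypes>
+                    <Type>SystemManagement</Type>
+                </ChineseWallTypes>
+            </VirtualMachineLabel>
+
+            <VirtualMachineLabel>
+                <Name from="green">GREEN</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>GREEN</Type>
+                </SimpleTypeEnforcementTypes>
+                <ChineseWallTypes>
+                    <Type>GREEN</Type>
+                </ChineseWallTypes>
+            </VirtualMachineLabel>
+
+            <VirtualMachineLabel>
+                <Name>red</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>red</Type>
+                </SimpleTypeEnforcementTypes>
+                <ChineseWallTypes>
+                    <Type>red</Type>
+                </ChineseWallTypes>
+            </VirtualMachineLabel>
+
+            <VirtualMachineLabel>
+                <Name>__UNLABELED__</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>__UNLABELED__</Type>
+                </SimpleTypeEnforcementTypes>
+                <ChineseWallTypes>
+                    <Type>__UNLABELED__</Type>
+                </ChineseWallTypes>
+            </VirtualMachineLabel>
+
+        </SubjectLabels>
+
+        <ObjectLabels>
+            <ResourceLabel>
+                <Name>SystemManagement</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>SystemManagement</Type>
+                </SimpleTypeEnforcementTypes>
+            </ResourceLabel>
+
+            <ResourceLabel>
+                <Name from="green">GREEN</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>GREEN</Type>
+                </SimpleTypeEnforcementTypes>
+            </ResourceLabel>
+
+            <ResourceLabel>
+                <Name from="red">RED</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>red</Type>
+                </SimpleTypeEnforcementTypes>
+            </ResourceLabel>
+
+            <ResourceLabel>
+                <Name>__UNLABELED__</Name>
+                <SimpleTypeEnforcementTypes>
+                    <Type>__UNLABELED__</Type>
+                </SimpleTypeEnforcementTypes>
+            </ResourceLabel>
+
+        </ObjectLabels>
+    </SecurityLabelTemplate>
+</SecurityPolicyDefinition>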
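Review bot: The header comment still says the file is auto-generated by ezPolicy, but the `from=` renames and the absence of a `blue` type look like deliberate fixtures that 10_security-acm_pol_update.py asserts on, and nothing in the file says so. A comment such as `<!-- Update of xm-test used by test 10: green is renamed to GREEN, the red resource label to RED, blue is removed -->` would document the intent for whoever regenerates or edits the policy. The red virtual machine label keeps its lowercase name while the red resource label becomes `RED`; if that asymmetry is intended, the comment should say so, since the test expects `ACM:xm-test-update:RED` for the resource but `red` for Domain-0.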