ia64/xen-unstable

changeset 16522:54482c56e435

Implement legacy XML-RPC interface for ACM commands.

This patch moves the directory of files where xend is writing policies
and resource labels into /var/lib/xend/security/policies.

Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
author Keir Fraser <keir.fraser@citrix.com>
date Wed Dec 05 09:45:13 2007 +0000 (2007-12-05)
parents 5255eac35270
children 9cc381efbc29
files tools/python/xen/util/acmpolicy.py tools/python/xen/util/xsm/acm/acm.py tools/python/xen/xend/XendOptions.py tools/python/xen/xend/XendXSPolicyAdmin.py tools/python/xen/xm/setpolicy.py tools/security/Makefile tools/security/policies/DEFAULT-UL-security_policy.xml tools/security/policies/default-security_policy.xml tools/security/policies/default-ul-security_policy.xml
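--- a/tools/python/xen/util/acmpolicy.py	Wed Dec 05 09:44:20 2007 +0000
+++ b/tools/python/xen/util/acmpolicy.py	Wed Dec 05 09:45:13 2007 +0000
@@ -1,4 +1,4 @@
- #============================================================================
+#============================================================================
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of version 2.1 of the GNU Lesser General Public
 # License as published by the Free Software Foundation.
@@ -17,10 +17,11 @@
 #============================================================================
 
 import os
-import commands
-import struct
 import stat
 import array
+import struct
+import shutil
+import commands
 from xml.dom import minidom, Node
 from xen.xend.XendLogging import log
 from xen.util import xsconstants, bootloader, mkdir
@@ -28,6 +29,7 @@ from xen.util.xspolicy import XSPolicy
 from xen.xend.XendError import SecurityError
 import xen.util.xsm.acm.acm as security
 from xen.util.xsm.xsm import XSMError
+from xen.xend import XendOptions
 
 ACM_POLICIES_DIR = security.policy_dir_prefix + "/"
 
@@ -64,6 +66,73 @@ ACM_CHWALL_CONFLICT          = 0x103
 ACM_SSIDREF_IN_USE           = 0x104
 
 
+DEFAULT_policy = \
+"<?xml version=\"1.0\" ?>\n" +\
+"<SecurityPolicyDefinition xmlns=\"http://www.ibm.com\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd\">\n" +\
+"  <PolicyHeader>\n" +\
+"    <PolicyName>DEFAULT</PolicyName>\n" +\
+"    <Version>1.0</Version>\n" +\
+"  </PolicyHeader>\n" +\
+"  <SimpleTypeEnforcement>\n" +\
+"    <SimpleTypeEnforcementTypes>\n" +\
+"      <Type>SystemManagement</Type>\n" +\
+"    </SimpleTypeEnforcementTypes>\n" +\
+"  </SimpleTypeEnforcement>\n" +\
+"  <ChineseWall>\n" +\
+"    <ChineseWallTypes>\n" +\
+"      <Type>SystemManagement</Type>\n" +\
+"    </ChineseWallTypes>\n" +\
+"  </ChineseWall>\n" +\
+"  <SecurityLabelTemplate>\n" +\
+"    <SubjectLabels bootstrap=\"SystemManagement\">\n" +\
+"      <VirtualMachineLabel>\n" +\
+"        <Name>SystemManagement</Name>\n" +\
+"        <SimpleTypeEnforcementTypes>\n" +\
+"          <Type>SystemManagement</Type>\n" +\
+"        </SimpleTypeEnforcementTypes>\n" +\
+"        <ChineseWallTypes>\n" +\
+"          <Type/>\n" +\
+"        </ChineseWallTypes>\n" +\
+"      </VirtualMachineLabel>\n" +\
+"    </SubjectLabels>\n" +\
+"  </SecurityLabelTemplate>\n" +\
+"</SecurityPolicyDefinition>\n"
+
+
+def get_DEFAULT_policy():
+    return DEFAULT_policy
+
+def initialize():
+    xoptions = XendOptions.instance()
+    basedir = xoptions.get_xend_security_path()
+    policiesdir = basedir + "/policies"
+    mkdir.parents(policiesdir, stat.S_IRWXU)
+
+    instdir = security.install_policy_dir_prefix
+    DEF_policy_file = "DEFAULT-security_policy.xml"
+    xsd_file = "security_policy.xsd"
+
+    files = [ xsd_file ]
+
+    for file in files:
+        if not os.path.isfile(policiesdir + "/" + file ):
+            try:
+                shutil.copyfile(instdir + "/" + file,
+                                policiesdir + "/" + file)
+            except Exception, e:
+                log.info("could not copy '%s': %s" %
+                         (file, str(e)))
+    #Install default policy.
+    f = open(policiesdir + "/" + DEF_policy_file, 'w')
+    if f:
+        f.write(get_DEFAULT_policy())
+        f.close()
+    else:
+        log.error("Could not write the default policy's file.")
+    defpol = ACMPolicy(xml=get_DEFAULT_policy())
+    defpol.compile()
+
+
 class ACMPolicy(XSPolicy):
     """
      ACMPolicy class. Implements methods for getting information from
@@ -92,7 +161,6 @@ class ACMPolicy(XSPolicy):
         rc = self.validate()
         if rc != xsconstants.XSERR_SUCCESS:
             raise SecurityError(rc)
-        mkdir.parents(ACM_POLICIES_DIR, stat.S_IRWXU)
         if ref:
             from xen.xend.XendXSPolicy import XendACMPolicy
             self.xendacmpolicy = XendACMPolicy(self, {}, ref)
@@ -341,8 +409,13 @@ class ACMPolicy(XSPolicy):
                 minor = int(tmp[1])
         return (major, minor)
 
+    def get_policies_path(self):
+        xoptions = XendOptions.instance()
+        basedir = xoptions.get_xend_security_path()
+        return basedir + "/policies/"
 
-    def policy_path(self, name, prefix = ACM_POLICIES_DIR ):
+    def policy_path(self, name):
+        prefix = self.get_policies_path()
         path = prefix + name.replace('.','/')
         _path = path.split("/")
         del _path[-1]
@@ -394,12 +467,14 @@ class ACMPolicy(XSPolicy):
     #
     # Utility functions related to the policy's files
     #
-    def get_filename(self, postfix, prefix = ACM_POLICIES_DIR, dotted=False):
+    def get_filename(self, postfix, prefix=None, dotted=False):
         """
            Create the filename for the policy. The prefix is prepended
            to the path. If dotted is True, then a policy name like
            'a.b.c' will remain as is, otherwise it will become 'a/b/c'
         """
+        if prefix == None:
+            prefix = self.get_policies_path()
         name = self.get_name()
         if name:
             p = name.split(".")
@@ -432,6 +507,17 @@ class ACMPolicy(XSPolicy):
     def get_bin(self):
         return self.__readfile(".bin")
 
+    def copy_policy_file(self, suffix, destdir):
+        spolfile = self.get_filename(suffix)
+        dpolfile = destdir + "/" + self.get_filename(suffix,"",dotted=True)
+        try:
+            shutil.copyfile(spolfile, dpolfile)
+        except Exception, e:
+            log.error("Could not copy policy file %s to %s: %s" %
+                      (spolfile, dpolfile, str(e)))
+            return -xsconstants.XSERR_FILE_ERROR
+        return xsconstants.XSERR_SUCCESS
+
     #
     # DOM-related functions
     #
@@ -831,9 +917,14 @@ class ACMPolicy(XSPolicy):
             if path:
                 f = open(path, 'w')
                 if f:
-                    f.write(self.toxml())
-                    f.close()
-                    rc = 0
+                    try:
+                        try:
+                            f.write(self.toxml())
+                            rc = 0
+                        except:
+                            pass
+                    finally:
+                        f.close()
         return rc
 
     def __write_to_file(self, suffix, data):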
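Review bot: In `initialize()`, the `if f: ... else: log.error(...)` test after `open(policiesdir + "/" + DEF_policy_file, 'w')` can never reach the error branch, because `open()` raises IOError on failure instead of returning a false value; the exception then propagates out of `initialize()`, which this commit calls from `XSPolicyAdmin.__init__`. The write is also not closed via `try/finally`, unlike the hunk at `@@ -831,9 +917,14 @@`. That later hunk in turn swallows every write error with a bare `except: pass`, so a failed policy save leaves no log entry; logging the exception there would help (its enclosing method starts outside the hunk, so the initial `rc` is not visible). A version of the default-policy write that logs the failure and always closes the file is below.

```python
    #Install default policy.
    try:
        f = open(policiesdir + "/" + DEF_policy_file, 'w')
        try:
            f.write(get_DEFAULT_policy())
        finally:
            f.close()
    except IOError, e:
        log.error("Could not write the default policy's file: %s" % str(e))
    # … unchanged: ACMPolicy(xml=get_DEFAULT_policy()) and compile() …
```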
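--- a/tools/python/xen/util/xsm/acm/acm.py	Wed Dec 05 09:44:20 2007 +0000
+++ b/tools/python/xen/util/xsm/acm/acm.py	Wed Dec 05 09:45:13 2007 +0000
@@ -35,7 +35,8 @@ from xen.util import dictio, xsconstants
 from xen.xend.XendConstants import *
 
 #global directories and tools for security management
-security_dir_prefix = "/etc/xen/acm-security"
+install_policy_dir_prefix = "/etc/xen/acm-security/policies"
+security_dir_prefix = XendOptions.instance().get_xend_security_path()
 policy_dir_prefix = security_dir_prefix + "/policies"
 res_label_filename = policy_dir_prefix + "/resource_labels"
 boot_filename = "/boot/grub/menu.lst"
@@ -323,7 +324,7 @@ def label2ssidref(labelname, policyname,
     maps current policy to default directory
     to find mapping file    """
 
-    if policyname in ['NULL', 'INACTIVE', 'DEFAULT', 'INACCESSIBLE' ]:
+    if policyname in ['NULL', 'INACTIVE', 'INACCESSIBLE' ]:
         err("Cannot translate labels for \'" + policyname + "\' policy.")
 
     allowed_types = ['ANY']
@@ -447,10 +448,8 @@ def get_ssid(domain):
     except:
         err("Cannot determine security information.")
 
-    if active_policy in ["DEFAULT"]:
-        label = "DEFAULT"
-    else:
-        label = ssidref2label(ssid_info["ssidref"])
+    label = ssidref2label(ssid_info["ssidref"])
+
     return(ssid_info["policyreference"],
            label,
            ssid_info["policytype"],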
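Review bot: `security_dir_prefix = XendOptions.instance().get_xend_security_path()` runs at module import time, and none of the lines shown for this file import `XendOptions`; unless it is imported elsewhere in acm.py or arrives through `from xen.xend.XendConstants import *` (not visible here), importing the module fails with NameError. Evaluating it at import also means every importer instantiates xend's options object, including the `xm` client code in setpolicy.py, which this commit makes import `install_policy_dir_prefix` from here. Consider resolving the path lazily in a small helper, and add a comment above the two prefixes such as `# install_policy_dir_prefix: shipped policies; security_dir_prefix: xend-written runtime state`.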
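--- a/tools/python/xen/xend/XendOptions.py	Wed Dec 05 09:44:20 2007 +0000
+++ b/tools/python/xen/xend/XendOptions.py	Wed Dec 05 09:45:13 2007 +0000
@@ -120,6 +120,9 @@ class XendOptions:
     """Default xend QCoW storage repository location."""
     xend_storage_path_default = '/var/lib/xend/storage'
 
+    """Default xend security state storage path."""
+    xend_security_path_default = '/var/lib/xend/security'
+
     """Default script to configure a backend network interface"""
     vif_script = osdep.vif_script
 
@@ -245,6 +248,11 @@ class XendOptions:
         """
         return self.get_config_string("xend-storage-path", self.xend_storage_path_default)        
 
+    def get_xend_security_path(self):
+        """ Get the path for security state
+        """
+        return self.get_config_string("xend-security-path", self.xend_security_path_default)
+
     def get_network_script(self):
         """@return the script used to alter the network configuration when
         Xend starts and stops, or None if no such script is specified."""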
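Review bot: The docstring of `get_xend_security_path` does not say which setting it reads or what is stored under the path, while the neighbouring `get_network_script` uses the `@return` form. Something like `"""@return the directory for xend's security state (option xend-security-path); policies and resource labels are written below it."""` would make the contract explicit. Because acmpolicy.py in this commit creates the `policies` subdirectory with `stat.S_IRWXU`, the comment could also note that a pre-existing directory configured through this option should be restricted in the same way.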
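--- a/tools/python/xen/xend/XendXSPolicyAdmin.py	Wed Dec 05 09:44:20 2007 +0000
+++ b/tools/python/xen/xend/XendXSPolicyAdmin.py	Wed Dec 05 09:45:13 2007 +0000
@@ -22,10 +22,10 @@ from xml.dom import minidom, Node
 
 from xen.xend.XendLogging import log
 from xen.xend import uuid
-from xen.util import xsconstants, dictio, bootloader
+from xen.util import xsconstants, bootloader
 import xen.util.xsm.acm.acm as security
 from xen.util.xspolicy import XSPolicy
-from xen.util.acmpolicy import ACMPolicy
+from xen.util.acmpolicy import ACMPolicy, initialize
 from xen.xend.XendError import SecurityError
 
 
@@ -48,6 +48,7 @@ class XSPolicyAdmin:
         self.xsobjs = {}
 
         act_pol_name = self.get_hv_loaded_policy_name()
+        initialize()
 
         ref = uuid.createString()
         try:
@@ -59,6 +60,7 @@ class XSPolicyAdmin:
 
         log.debug("XSPolicyAdmin: Known policies: %s" % self.policies)
 
+
     def isXSEnabled(self):
         """ Check whether 'security' is enabled on this system.
             This currently only checks for ACM-enablement.
@@ -99,12 +101,23 @@ class XSPolicyAdmin:
             # This is meant as an update to a currently loaded policy
             if flags & xsconstants.XS_INST_LOAD == 0:
                 raise SecurityError(-xsconstants.XSERR_POLICY_LOADED)
-            if flags & xsconstants.XS_INST_BOOT == 0:
-                self.rm_bootpolicy()
+
+            # Remember old flags, so they can be restored if update fails
+            old_flags = self.get_policy_flags(loadedpol)
+
+            # Remove policy from bootloader in case of new name of policy
+            self.rm_bootpolicy()
+
             rc, errors = loadedpol.update(xmltext)
             if rc == 0:
                 irc = self.activate_xspolicy(loadedpol, flags)
                 # policy is loaded; if setting the boot flag fails it's ok.
+            else:
+                old_flags = old_flags & xsconstants.XS_INST_BOOT
+                log.info("OLD FLAGS TO RESTORE: %s" % str(old_flags))
+                if old_flags != 0:
+                    self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)
+
             return (loadedpol, rc, errors)
 
         try:
@@ -161,15 +174,11 @@ class XSPolicyAdmin:
         return (acmpol, xsconstants.XSERR_SUCCESS, errors)
 
     def make_boot_policy(self, acmpol):
-        spolfile = acmpol.get_filename(".bin")
-        dpolfile = "/boot/" + acmpol.get_filename(".bin","",dotted=True)
-        if not os.path.isfile(spolfile):
-            log.error("binary policy file does not exist.")
-            return -xsconstants.XSERR_FILE_ERROR
-        try:
-            shutil.copyfile(spolfile, dpolfile)
-        except:
-            return -xsconstants.XSERR_FILE_ERROR
+        if acmpol.is_default_policy():
+            return xsconstants.XSERR_SUCCESS
+        rc = acmpol.copy_policy_file(".bin","/boot")
+        if rc != xsconstants.XSERR_SUCCESS:
+            return rc
 
         try:
             filename = acmpol.get_filename(".bin","",dotted=True)
@@ -231,7 +240,8 @@ class XSPolicyAdmin:
         flags = 0
 
         filename = acmpol.get_filename(".bin","", dotted=True)
-        if bootloader.loads_default_policy(filename) or \
+        if bootloader.loads_default_policy(filename):
+           acmpol.is_default_policy():
             flags |= xsconstants.XS_INST_BOOT
 
         if acmpol.isloaded():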
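Review bot: In the update path, `self.rm_bootpolicy()` is now called unconditionally before `loadedpol.update(xmltext)`, and the restore branch discards the result of `self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)`; if that call fails after a rejected update, the bootloader entry stays removed and the caller only sees the update's `rc`. Capture and log it, for example `irc = self.activate_xspolicy(loadedpol, xsconstants.XS_INST_BOOT)` followed by `if irc != 0: log.error("Could not restore boot policy: %s" % str(irc))`, assuming it returns 0 on success as `update` does. The `log.info("OLD FLAGS TO RESTORE: ...")` line reads like leftover debugging and would fit `log.debug`. `acmpol.is_default_policy()` is not defined in any hunk shown for acmpolicy.py, so it presumably exists already; the enclosing methods start outside these hunks.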
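--- a/tools/python/xen/xm/setpolicy.py	Wed Dec 05 09:44:20 2007 +0000
+++ b/tools/python/xen/xm/setpolicy.py	Wed Dec 05 09:45:13 2007 +0000
@@ -25,6 +25,7 @@ import base64
 import struct
 import xen.util.xsm.xsm as security
 from xen.util import xsconstants
+from xen.util.xsm.acm.acm import install_policy_dir_prefix
 from xen.util.acmpolicy import ACMPolicy, \
    ACM_EVTCHN_SHARING_VIOLATION,\
    ACM_GNTTAB_SHARING_VIOLATION, \
@@ -32,7 +33,6 @@ from xen.util.acmpolicy import ACMPolicy
    ACM_CHWALL_CONFLICT, \
    ACM_SSIDREF_IN_USE
 from xen.xm.opts import OptionError
-from xen.util.xsm.acm.acm import policy_dir_prefix
 from xen.xm import main as xm_main
 from xen.xm.getpolicy import getpolicy
 from xen.xm.main import server
@@ -86,7 +86,7 @@ def setpolicy(policytype, policy_name, f
     if policytype.upper() == xsconstants.ACM_POLICY_ID:
         xs_type = xsconstants.XS_POLICY_ACM
 
-        for prefix in [ './', policy_dir_prefix+"/" ]:
+        for prefix in [ './', install_policy_dir_prefix+"/" ]:
             policy_file = prefix + "/".join(policy_name.split(".")) + \
                           "-security_policy.xml"
 
@@ -99,9 +99,12 @@ def setpolicy(policytype, policy_name, f
             f.close()
         except:
             raise OptionError("Could not read policy file from current"
-                              " directory or '%s'." % policy_dir_prefix)
+                              " directory or '%s'." %
+                              install_policy_dir_prefix)
 
         if xm_main.serverType == xm_main.SERVER_XEN_API:
+            if xs_type != int(server.xenapi.XSPolicy.get_xstype()):
+                raise security.XSMError("ACM policy type not supported.")
 
             try:
                 policystate = server.xenapi.XSPolicy.set_xspolicy(xs_type,
@@ -124,6 +127,8 @@ def setpolicy(policytype, policy_name, f
                 getpolicy(False)
         else:
             # Non-Xen-API call.
+            if xs_type != server.xend.security.get_xstype():
+                raise security.XSMError("ACM policy type not supported.")
 
             rc, errors = server.xend.security.set_policy(xs_type,
                                                          xml,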
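Review bot: The two new server-type checks are written differently: the Xen-API branch compares against `int(server.xenapi.XSPolicy.get_xstype())`, the legacy branch compares `server.xend.security.get_xstype()` without conversion, and both use `!=`. If `get_xstype()` reports a bitmask of supported policy types (not visible here), an equality test rejects a server that supports ACM together with another type; `if (int(server.xenapi.XSPolicy.get_xstype()) & xs_type) == 0:` would express "ACM not supported" in that case. The `int()` conversion sits outside the `try` that follows, so a malformed reply would surface as an unhandled ValueError. The body of `setpolicy` starts outside these hunks.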
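--- a/tools/security/Makefile	Wed Dec 05 09:44:20 2007 +0000
+++ b/tools/security/Makefile	Wed Dec 05 09:45:13 2007 +0000
@@ -32,7 +32,7 @@ ACM_SECGEN_CGIDIR = $(ACM_SECGEN_HTMLDIR
 
 ACM_SCHEMA        = security_policy.xsd
 ACM_EXAMPLES      = client_v1 test
-ACM_DEF_POLICIES  = default default-ul
+ACM_DEF_POLICIES  = DEFAULT-UL
 ACM_POLICY_SUFFIX = security_policy.xml
 
 ifeq ($(ACM_SECURITY),y)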
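--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/security/policies/DEFAULT-UL-security_policy.xml	Wed Dec 05 09:45:13 2007 +0000
@@ -0,0 +1,41 @@
+<?xml version="1.0" ?>
+<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd">
+  <PolicyHeader>
+    <PolicyName>DEFAULT-UL</PolicyName>
+    <Version>1.0</Version>
+  </PolicyHeader>
+  <SimpleTypeEnforcement>
+    <SimpleTypeEnforcementTypes>
+      <Type>SystemManagement</Type>
+      <Type>__UNLABELED__</Type>
+    </SimpleTypeEnforcementTypes>
+  </SimpleTypeEnforcement>
+  <ChineseWall>
+    <ChineseWallTypes>
+      <Type>SystemManagement</Type>
+    </ChineseWallTypes>
+  </ChineseWall>
+  <SecurityLabelTemplate>
+    <SubjectLabels bootstrap="SystemManagement">
+      <VirtualMachineLabel>
+        <Name>SystemManagement</Name>
+        <SimpleTypeEnforcementTypes>
+          <Type>SystemManagement</Type>
+          <Type>__UNLABELED__</Type>
+        </SimpleTypeEnforcementTypes>
+        <ChineseWallTypes>
+          <Type/>
+        </ChineseWallTypes>
+      </VirtualMachineLabel>
+      <VirtualMachineLabel>
+        <Name>__UNLABELED__</Name>
+        <SimpleTypeEnforcementTypes>
+          <Type>__UNLABELED__</Type>
+        </SimpleTypeEnforcementTypes>
+        <ChineseWallTypes>
+          <Type/>
+        </ChineseWallTypes>
+      </VirtualMachineLabel>
+    </SubjectLabels>
+  </SecurityLabelTemplate>
+</SecurityPolicyDefinition>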
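--- a/tools/security/policies/default-security_policy.xml	Wed Dec 05 09:44:20 2007 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,30 +0,0 @@
-<?xml version="1.0" ?>
-<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd">
-  <PolicyHeader>
-    <PolicyName>DEFAULT</PolicyName>
-    <Version>1.0</Version>
-  </PolicyHeader>
-  <SimpleTypeEnforcement>
-    <SimpleTypeEnforcementTypes>
-      <Type>SystemManagement</Type>
-    </SimpleTypeEnforcementTypes>
-  </SimpleTypeEnforcement>
-  <ChineseWall>
-    <ChineseWallTypes>
-      <Type>SystemManagement</Type>
-    </ChineseWallTypes>
-  </ChineseWall>
-  <SecurityLabelTemplate>
-    <SubjectLabels bootstrap="SystemManagement">
-      <VirtualMachineLabel>
-        <Name>SystemManagement</Name>
-        <SimpleTypeEnforcementTypes>
-          <Type>SystemManagement</Type>
-        </SimpleTypeEnforcementTypes>
-        <ChineseWallTypes>
-          <Type/>
-        </ChineseWallTypes>
-      </VirtualMachineLabel>
-    </SubjectLabels>
-  </SecurityLabelTemplate>
-</SecurityPolicyDefinition>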
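--- a/tools/security/policies/default-ul-security_policy.xml	Wed Dec 05 09:44:20 2007 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,41 +0,0 @@
-<?xml version="1.0" ?>
-<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd">
-  <PolicyHeader>
-    <PolicyName>DEFAULT-UL</PolicyName>
-    <Version>1.0</Version>
-  </PolicyHeader>
-  <SimpleTypeEnforcement>
-    <SimpleTypeEnforcementTypes>
-      <Type>SystemManagement</Type>
-      <Type>__UNLABELED__</Type>
-    </SimpleTypeEnforcementTypes>
-  </SimpleTypeEnforcement>
-  <ChineseWall>
-    <ChineseWallTypes>
-      <Type>SystemManagement</Type>
-    </ChineseWallTypes>
-  </ChineseWall>
-  <SecurityLabelTemplate>
-    <SubjectLabels bootstrap="SystemManagement">
-      <VirtualMachineLabel>
-        <Name>SystemManagement</Name>
-        <SimpleTypeEnforcementTypes>
-          <Type>SystemManagement</Type>
-          <Type>__UNLABELED__</Type>
-        </SimpleTypeEnforcementTypes>
-        <ChineseWallTypes>
-          <Type/>
-        </ChineseWallTypes>
-      </VirtualMachineLabel>
-      <VirtualMachineLabel>
-        <Name>__UNLABELED__</Name>
-        <SimpleTypeEnforcementTypes>
-          <Type>__UNLABELED__</Type>
-        </SimpleTypeEnforcementTypes>
-        <ChineseWallTypes>
-          <Type/>
-        </ChineseWallTypes>
-      </VirtualMachineLabel>
-    </SubjectLabels>
-  </SecurityLabelTemplate>
-</SecurityPolicyDefinition>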