ia64/xen-unstable

changeset 9838:6da766b23d14

Add new xml files for policy.

Signed-off by: Reiner Sailer <sailer@us.ibm.com>
author smh22@firebug.cl.cam.ac.uk
date Mon Apr 24 11:01:41 2006 +0100 (2006-04-24)
parents c7b9b8a64755
children ea6c5cf58588
files tools/security/policies/example/chwall/client_v1-security_policy.xml tools/security/policies/example/chwall_ste/client_v1-security_policy.xml tools/security/policies/example/ste/client_v1-security_policy.xml
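--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/security/policies/example/chwall/client_v1-security_policy.xml	Mon Apr 24 11:01:41 2006 +0100
@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
+	<PolicyHeader>
+		<PolicyName>example.chwall.client_v1</PolicyName>
+		<PolicyUrl>www.ibm.com/example/chwall/client_v1</PolicyUrl>
+		<Date>2006-03-31</Date>
+	</PolicyHeader>
+	<!--                                             -->
+	<!-- example of a chinese wall type definition   -->
+	<!-- along with its conflict sets                -->
+	<!-- (typse in a confict set are exclusive, i.e. -->
+	<!--  once a Domain with one type of a set is    -->
+	<!--  running, no other Domain with another type -->
+	<!--  of the same conflict set can start.)       -->
+	<ChineseWall priority="PrimaryPolicyComponent">
+		<ChineseWallTypes>
+			<Type>cw_SystemManagement</Type>
+			<Type>cw_Sensitive</Type>
+			<Type>cw_Isolated</Type>
+			<Type>cw_Distrusted</Type>
+		</ChineseWallTypes>
+		<ConflictSets>
+			<Conflict name="Protection1">
+				<Type>cw_Sensitive</Type>
+				<Type>cw_Distrusted</Type>
+			</Conflict>
+		</ConflictSets>
+	</ChineseWall>
+	<SecurityLabelTemplate>
+		<SubjectLabels bootstrap="dom_SystemManagement">
+			<!-- single ste typed domains            -->
+			<!-- ACM enforces that only domains with -->
+			<!-- the same type can share information -->
+			<!--                                     -->
+			<!-- Bootstrap label is assigned to Dom0 -->
+			<VirtualMachineLabel>
+				<Name>dom_HomeBanking</Name>
+				<ChineseWallTypes>
+					<Type>cw_Sensitive</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<Name>dom_Fun</Name>
+				<ChineseWallTypes>
+					<Type>cw_Distrusted</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- donating some cycles to seti@home -->
+				<Name>dom_BoincClient</Name>
+				<ChineseWallTypes>
+					<Type>cw_Isolated</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<!-- Domains with multiple ste types services; such domains   -->
+			<!-- must keep the types inside their domain safely confined. -->
+			<VirtualMachineLabel>
+				<Name>dom_SystemManagement</Name>
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- serves persistent storage to other domains -->
+				<Name>dom_StorageDomain</Name>
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- serves network access to other domains -->
+				<Name>dom_NetworkDomain</Name>
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+		</SubjectLabels>
+	</SecurityLabelTemplate>
+
+</SecurityPolicyDefinition>
+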
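Review bot: The comments inside `SubjectLabels` (1.38–1.40 and 1.65–1.66) describe STE behaviour ("single ste typed domains", "only domains with the same type can share information"), but this policy defines only a `ChineseWall` component and no STE types. As far as this file shows, it only keeps a cw_Sensitive and a cw_Distrusted domain from running at the same time and places no limit on what running domains share, so a reader taking this example as a template could overestimate the isolation it gives. I would replace those comments with something like `<!-- Chinese Wall only: labels control which domains may run concurrently, not what running domains may share -->` and have the header at 1.8 name only the component this file uses. The conflict-set comment at 1.18 has typos (`typse`, `confict`); the same comment is at 2.31 in the chwall_ste file.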
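--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/security/policies/example/chwall_ste/client_v1-security_policy.xml	Mon Apr 24 11:01:41 2006 +0100
@@ -0,0 +1,194 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
+	<PolicyHeader>
+		<PolicyName>example.chwall_ste.client_v1</PolicyName>
+		<PolicyUrl>www.ibm.com/example/chwall_ste/client_v1</PolicyUrl>
+		<Date>2006-03-31</Date>
+	</PolicyHeader>
+	<!--                                                        -->
+	<!-- example of a simple type enforcement policy definition -->
+	<!--                                                        -->
+	<SimpleTypeEnforcement>
+		<SimpleTypeEnforcementTypes>
+			<Type>ste_SystemManagement</Type><!-- machine/security management -->
+			<Type>ste_PersonalFinances</Type><!-- personal finances -->
+			<Type>ste_InternetInsecure</Type><!-- games, active X, etc. -->
+			<Type>ste_DonatedCycles</Type><!-- donation to BOINC/seti@home -->
+			<Type>ste_PersistentStorageA</Type><!-- domain managing the harddrive A-->
+			<Type>ste_NetworkAdapter0</Type><!-- type of the domain managing ethernet adapter 0-->
+		</SimpleTypeEnforcementTypes>
+	</SimpleTypeEnforcement>
+	<!--                                             -->
+	<!-- example of a chinese wall type definition   -->
+	<!-- along with its conflict sets                -->
+	<!-- (typse in a confict set are exclusive, i.e. -->
+	<!--  once a Domain with one type of a set is    -->
+	<!--  running, no other Domain with another type -->
+	<!--  of the same conflict set can start.)       -->
+	<ChineseWall priority="PrimaryPolicyComponent">
+		<ChineseWallTypes>
+			<Type>cw_SystemManagement</Type>
+			<Type>cw_Sensitive</Type>
+			<Type>cw_Isolated</Type>
+			<Type>cw_Distrusted</Type>
+		</ChineseWallTypes>
+
+		<ConflictSets>
+			<Conflict name="Protection1">
+				<Type>cw_Sensitive</Type>
+				<Type>cw_Distrusted</Type>
+			</Conflict>
+		</ConflictSets>
+	</ChineseWall>
+	<SecurityLabelTemplate>
+		<SubjectLabels bootstrap="dom_SystemManagement">
+			<!-- single ste typed domains            -->
+			<!-- ACM enforces that only domains with -->
+			<!-- the same type can share information -->
+			<!--                                     -->
+			<!-- Bootstrap label is assigned to Dom0 -->
+			<VirtualMachineLabel>
+				<Name>dom_HomeBanking</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersonalFinances</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_Sensitive</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<Name>dom_Fun</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_InternetInsecure</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_Distrusted</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- donating some cycles to seti@home -->
+				<Name>dom_BoincClient</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_DonatedCycles</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_Isolated</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<!-- Domains with multiple ste types services; such domains   -->
+			<!-- must keep the types inside their domain safely confined. -->
+			<VirtualMachineLabel>
+				<Name>dom_SystemManagement</Name>
+				<SimpleTypeEnforcementTypes>
+					<!-- since dom0 needs access to every domain and -->
+					<!-- resource right now ... -->
+					<Type>ste_SystemManagement</Type>
+					<Type>ste_PersonalFinances</Type>
+					<Type>ste_InternetInsecure</Type>
+					<Type>ste_DonatedCycles</Type>
+					<Type>ste_PersistentStorageA</Type>
+					<Type>ste_NetworkAdapter0</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- serves persistent storage to other domains -->
+				<Name>dom_StorageDomain</Name>
+				<SimpleTypeEnforcementTypes>
+					<!-- access right to the resource (hard drive a) -->
+					<Type>ste_PersistentStorageA</Type>
+					<!-- can serve following types -->
+					<Type>ste_PersonalFinances</Type>
+					<Type>ste_InternetInsecure</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- serves network access to other domains -->
+				<Name>dom_NetworkDomain</Name>
+				<SimpleTypeEnforcementTypes>
+					<!-- access right to the resource (ethernet card) -->
+					<Type>ste_NetworkAdapter0</Type>
+					<!-- can serve following types -->
+					<Type>ste_PersonalFinances</Type>
+					<Type>ste_InternetInsecure</Type>
+					<Type>ste_DonatedCycles</Type>
+				</SimpleTypeEnforcementTypes>
+
+				<ChineseWallTypes>
+					<Type>cw_SystemManagement</Type>
+				</ChineseWallTypes>
+			</VirtualMachineLabel>
+		</SubjectLabels>
+
+		<ObjectLabels>
+			<ResourceLabel>
+				<Name>res_ManagementResource</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_SystemManagement</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_HardDrive(hda)</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersistentStorageA</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_LogicalDiskPartition1(hda1)</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersonalFinances</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_LogicalDiskPartition2(hda2)</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_InternetInsecure</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_EthernetCard</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_NetworkAdapter0</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_SecurityToken</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersonalFinances</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_GraphicsAdapter</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_SystemManagement</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+		</ObjectLabels>
+	</SecurityLabelTemplate>
+</SecurityPolicyDefinition>
+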
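Review bot: `res_SecurityToken` (2.182) is labelled `ste_PersonalFinances`, the same type that dom_StorageDomain and dom_NetworkDomain carry only so that they can serve dom_HomeBanking. If access is granted on any common STE type, as the comment at 2.53–2.54 suggests, both service domains would also match the token (and hda1) although nothing here says they need it, and both additionally hold `ste_InternetInsecure`, which puts them on the boundary between the sensitive and the distrusted workload. A dedicated type for the token, for example `<Type>ste_SecurityToken</Type>` listed only on dom_HomeBanking and, while it carries every type, dom_SystemManagement, would narrow this. At minimum the two service labels should carry a comment such as `<!-- trusted to keep the served types separated internally -->`. The same labels appear in the ste policy at 3.73–3.95 and 3.135–3.139.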
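--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/security/policies/example/ste/client_v1-security_policy.xml	Mon Apr 24 11:01:41 2006 +0100
@@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Reiner Sailer, Ray Valdez {sailer,rvaldez}@us.ibm.com  -->
+<!--             This file defines the security policies, which     -->
+<!--             can be enforced by the Xen Access Control Module.  -->
+<!--             Currently: Chinese Wall and Simple Type Enforcement-->
+<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
+	<PolicyHeader>
+		<PolicyName>example.ste.client_v1</PolicyName>
+		<PolicyUrl>www.ibm.com/example/ste/client_v1</PolicyUrl>
+		<Date>2006-03-31</Date>
+	</PolicyHeader>
+	<!--                                                        -->
+	<!-- example of a simple type enforcement policy definition -->
+	<!--                                                        -->
+	<SimpleTypeEnforcement>
+		<SimpleTypeEnforcementTypes>
+			<Type>ste_SystemManagement</Type><!-- machine/security management -->
+			<Type>ste_PersonalFinances</Type><!-- personal finances -->
+			<Type>ste_InternetInsecure</Type><!-- games, active X, etc. -->
+			<Type>ste_DonatedCycles</Type><!-- donation to BOINC/seti@home -->
+			<Type>ste_PersistentStorageA</Type><!-- domain managing the harddrive A-->
+			<Type>ste_NetworkAdapter0</Type><!-- type of the domain managing ethernet adapter 0-->
+		</SimpleTypeEnforcementTypes>
+	</SimpleTypeEnforcement>
+	<SecurityLabelTemplate>
+		<SubjectLabels bootstrap="dom_SystemManagement">
+			<!-- single ste typed domains            -->
+			<!-- ACM enforces that only domains with -->
+			<!-- the same type can share information -->
+			<!--                                     -->
+			<!-- Bootstrap label is assigned to Dom0 -->
+			<VirtualMachineLabel>
+				<Name>dom_HomeBanking</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersonalFinances</Type>
+				</SimpleTypeEnforcementTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<Name>dom_Fun</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_InternetInsecure</Type>
+				</SimpleTypeEnforcementTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- donating some cycles to seti@home -->
+				<Name>dom_BoincClient</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_DonatedCycles</Type>
+				</SimpleTypeEnforcementTypes>
+			</VirtualMachineLabel>
+
+			<!-- Domains with multiple ste types services; such domains   -->
+			<!-- must keep the types inside their domain safely confined. -->
+			<VirtualMachineLabel>
+				<Name>dom_SystemManagement</Name>
+				<SimpleTypeEnforcementTypes>
+					<!-- since dom0 needs access to every domain and -->
+					<!-- resource right now ... -->
+					<Type>ste_SystemManagement</Type>
+					<Type>ste_PersonalFinances</Type>
+					<Type>ste_InternetInsecure</Type>
+					<Type>ste_DonatedCycles</Type>
+					<Type>ste_PersistentStorageA</Type>
+					<Type>ste_NetworkAdapter0</Type>
+				</SimpleTypeEnforcementTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- serves persistent storage to other domains -->
+				<Name>dom_StorageDomain</Name>
+				<SimpleTypeEnforcementTypes>
+					<!-- access right to the resource (hard drive a) -->
+					<Type>ste_PersistentStorageA</Type>
+					<!-- can serve following types -->
+					<Type>ste_PersonalFinances</Type>
+					<Type>ste_InternetInsecure</Type>
+				</SimpleTypeEnforcementTypes>
+			</VirtualMachineLabel>
+
+			<VirtualMachineLabel>
+				<!-- serves network access to other domains -->
+				<Name>dom_NetworkDomain</Name>
+				<SimpleTypeEnforcementTypes>
+					<!-- access right to the resource (ethernet card) -->
+					<Type>ste_NetworkAdapter0</Type>
+					<!-- can serve following types -->
+					<Type>ste_PersonalFinances</Type>
+					<Type>ste_InternetInsecure</Type>
+					<Type>ste_DonatedCycles</Type>
+				</SimpleTypeEnforcementTypes>
+			</VirtualMachineLabel>
+		</SubjectLabels>
+
+		<ObjectLabels>
+			<ResourceLabel>
+				<Name>res_ManagementResource</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_SystemManagement</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_HardDrive(hda)</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersistentStorageA</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_LogicalDiskPartition1(hda1)</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersonalFinances</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_LogicalDiskPartition2(hda2)</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_InternetInsecure</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_EthernetCard</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_NetworkAdapter0</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_SecurityToken</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_PersonalFinances</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+
+			<ResourceLabel>
+				<Name>res_GraphicsAdapter</Name>
+				<SimpleTypeEnforcementTypes>
+					<Type>ste_SystemManagement</Type>
+				</SimpleTypeEnforcementTypes>
+			</ResourceLabel>
+		</ObjectLabels>
+	</SecurityLabelTemplate>
+
+</SecurityPolicyDefinition>
+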
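Review bot: dom_SystemManagement (3.59–3.70) lists all six STE types by hand, and the only explanation is the open-ended comment "since dom0 needs access to every domain and resource right now ...". Because this is the bootstrap label assigned to Dom0, the list has to stay in step with `SimpleTypeEnforcementTypes` at 3.19–3.25; a type added there but forgotten here would presumably leave Dom0 without access to domains of that type, and nothing in the file warns of it. I would extend the comment to `<!-- Dom0 must list every STE type defined above; it is trusted not to pass data between types -->`. The header comment at 3.8 also still names Chinese Wall although this file defines only an STE component. The chwall_ste policy has the same hand-maintained list at 2.94–2.103.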