authorKeir Fraser <keir@xen.org>2011-03-25 21:47:57 +0000
committerKeir Fraser <keir@xen.org>2011-03-25 21:47:57 +0000
commit6102cace934c5ef156e7e1e21966cf3950dc40e5 (patch)
tree612c892c08a8a6c371b3c02981b2699e7ebdc9ae /tools/xm-test
parent662f524483de23084ae4dde930fa7570fb15e033 (diff)
Remove unmaintained Access Control Module (ACM) from hypervisor.
Signed-off-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'tools/xm-test')
-rw-r--r--tools/xm-test/README32
-rw-r--r--tools/xm-test/configure.ac15
-rw-r--r--tools/xm-test/grouptest/default1
-rw-r--r--tools/xm-test/grouptest/security1
-rw-r--r--tools/xm-test/lib/XmTestLib/XenAPIDomain.py4
-rw-r--r--tools/xm-test/lib/XmTestLib/XenDomain.py5
-rw-r--r--tools/xm-test/lib/XmTestLib/acm.py101
-rw-r--r--tools/xm-test/lib/XmTestLib/block_utils.py2
-rwxr-xr-xtools/xm-test/runtest.sh6
-rw-r--r--tools/xm-test/tests/Makefile.am1
-rw-r--r--tools/xm-test/tests/security-acm/01_security-acm_basic.py121
-rw-r--r--tools/xm-test/tests/security-acm/02_security-acm_dom_start.py64
-rw-r--r--tools/xm-test/tests/security-acm/03_security-acm_dom_conflict.py60
-rw-r--r--tools/xm-test/tests/security-acm/04_security-acm_dom_res.py69
-rw-r--r--tools/xm-test/tests/security-acm/05_security-acm_dom_res_conf.py38
-rw-r--r--tools/xm-test/tests/security-acm/06_security-acm_dom_block_attach.py82
-rw-r--r--tools/xm-test/tests/security-acm/07_security-acm_pol_update.py313
-rw-r--r--tools/xm-test/tests/security-acm/08_security-acm_xapi.py358
-rw-r--r--tools/xm-test/tests/security-acm/09_security-acm_pol_update.py437
-rw-r--r--tools/xm-test/tests/security-acm/10_security-acm_pol_update.py354
-rw-r--r--tools/xm-test/tests/security-acm/Makefile.am33
-rw-r--r--tools/xm-test/tests/security-acm/acm_utils.py16
-rw-r--r--tools/xm-test/tests/security-acm/xm-test-new-security_policy.xml97
-rw-r--r--tools/xm-test/tests/security-acm/xm-test-security_policy.xml111
-rw-r--r--tools/xm-test/tests/security-acm/xm-test-update-security_policy.xml117
25 files changed, 0 insertions, 2438 deletions
diff --git a/tools/xm-test/README b/tools/xm-test/README
index 405532c7fb..88c00836ed 100644
--- a/tools/xm-test/README
+++ b/tools/xm-test/README
@@ -137,38 +137,6 @@ Xm-test will look for disk.img in the ramdisk directory when run by
default.
-BUILDING for ACM Security Testing
-=================================
-
-A number of tests have been added to test the access control module (ACM)
-in the Xen hypervisor and the tools for supporting ACM. Those tests are
-located in the security-acm directory. If ACM support is compiled into Xen
-(see the user guide for how to do this) those tests can be run with the
-following command from the xm-test directory
-
-./runtest.sh [...] -g security <report>
-
-Some of these tests will work even without support of ACM by Xen.
-
-The xm test suite has been extended to support labeling of resources
-as required by the existing tests. However, by default the test suite
-is not allowed to automatically label resources since this may affect
-existing labels. To enable this, the test suite must be configured with
-the following parameter passed to the configure scripts (in addition to
-any other desired parameters)
-
-./configure --enable-full-labeling
-
-To revoke the privilege at a later time run the configure scripts without
-this parameter:
-
-./configure
-
-If a 'make' has previously been run for building the test suite, it is not
-necessary to run 'make' again just for enabling or disabling the automatic
-labeling of resources.
-
-
Running
=======
diff --git a/tools/xm-test/configure.ac b/tools/xm-test/configure.ac
index 40d93c41d7..ad1eb78391 100644
--- a/tools/xm-test/configure.ac
+++ b/tools/xm-test/configure.ac
@@ -41,20 +41,6 @@ fi
AM_CONDITIONAL(HVM, test x$ENABLE_HVM = xTrue)
AC_SUBST(ENABLE_HVM)
-AC_ARG_ENABLE(full-labeling,
- [[ --enable-full-labeling allows the test suite to label all resources]],
- [
- ENABLE_LABELING=True
- ],[
- ENABLE_LABELING=False
- ])
-
-if test "x$ENABLE_LABELING" = "xTrue"; then
- echo "ACM_LABEL_RESOURCES = True" > lib/XmTestLib/acm_config.py
-else
- rm -f lib/XmTestLib/acm_config.py*
-fi
-
# Network needs to know ips to use: dhcp or a range of IPs in the form
# of: 192.0.2.1-192.0.2.100
# If not dhcp, a netmask and network address must be supplied. Defaults to
@@ -151,7 +137,6 @@ AC_CONFIG_FILES([
tests/restore/Makefile
tests/save/Makefile
tests/sched-credit/Makefile
- tests/security-acm/Makefile
tests/sedf/Makefile
tests/shutdown/Makefile
tests/sysrq/Makefile
diff --git a/tools/xm-test/grouptest/default b/tools/xm-test/grouptest/default
index 1db6a73398..f0516b2949 100644
--- a/tools/xm-test/grouptest/default
+++ b/tools/xm-test/grouptest/default
@@ -22,7 +22,6 @@ reboot
restore
save
sched-credit
-security-acm
shutdown
sysrq
unpause
diff --git a/tools/xm-test/grouptest/security b/tools/xm-test/grouptest/security
deleted file mode 100644
index 4d5c8b941d..0000000000
--- a/tools/xm-test/grouptest/security
+++ /dev/null
@@ -1 +0,0 @@
-security-acm
diff --git a/tools/xm-test/lib/XmTestLib/XenAPIDomain.py b/tools/xm-test/lib/XmTestLib/XenAPIDomain.py
index 3c5310f061..1ca2307c27 100644
--- a/tools/xm-test/lib/XmTestLib/XenAPIDomain.py
+++ b/tools/xm-test/lib/XmTestLib/XenAPIDomain.py
@@ -23,7 +23,6 @@ import os
import sys
from XmTestLib import *
from types import DictType
-from acm import *
class XenAPIConfig:
@@ -40,9 +39,6 @@ class XenAPIConfig:
'ramdisk': 'PV_ramdisk',
'root' : 'PV_args',
'extra' : 'PV_args' }
- if isACMEnabled():
- #A default so every VM can start with ACM enabled
- self.opts["security_label"] = "ACM:xm-test:red"
def setOpt(self, name, value):
"""Set an option in the config"""
diff --git a/tools/xm-test/lib/XmTestLib/XenDomain.py b/tools/xm-test/lib/XmTestLib/XenDomain.py
index f15b6a00a7..ae8c550c48 100644
--- a/tools/xm-test/lib/XmTestLib/XenDomain.py
+++ b/tools/xm-test/lib/XmTestLib/XenDomain.py
@@ -30,7 +30,6 @@ from config import *
from Console import *
from XenDevice import *
from DomainTracking import *
-from acm import *
DOM0_UUID = "00000000-0000-0000-0000-000000000000"
@@ -61,9 +60,6 @@ class XenConfig:
self.defaultOpts["disk"] = []
self.defaultOpts["vif"] = []
self.defaultOpts["vtpm"] = []
- if isACMEnabled():
- #A default so every VM can start with ACM enabled
- self.defaultOpts["access_control"] = ['policy=xm-test,label=red']
self.opts = self.defaultOpts
@@ -91,7 +87,6 @@ class XenConfig:
output = file(filename, "w")
output.write(self.toString())
output.close()
- ACMPrepareSystem(self.opts)
def __str__(self):
"""When used as a string, we represent ourself by a config
diff --git a/tools/xm-test/lib/XmTestLib/acm.py b/tools/xm-test/lib/XmTestLib/acm.py
deleted file mode 100644
index f8a62f4991..0000000000
--- a/tools/xm-test/lib/XmTestLib/acm.py
+++ /dev/null
@@ -1,101 +0,0 @@
-#!/usr/bin/python
-"""
- Copyright (C) International Business Machines Corp., 2006
- Author: Stefan Berger <stefanb@us.ibm.com>
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; under version 2 of the License.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-"""
-from Test import *
-import xen.util.xsm.xsm as security
-from xen.xm.main import server
-from xen.util import xsconstants
-import re
-
-try:
- from acm_config import *
-except:
- ACM_LABEL_RESOURCES = False
-
-labeled_resources = {}
-acm_verbose = False
-policy='xm-test'
-
-
-def isACMEnabled():
- return security.on()
-
-def setCurrentPolicy(plcy):
- global policy
- policy = plcy
-
-def ACMSetPolicy():
- cmd='xm dumppolicy | grep -E "^POLICY REFERENCE = ' + policy + '.$"'
- s, o = traceCommand(cmd)
- if o != "":
- return
- s, o = traceCommand("xm setpolicy ACM %s" % (policy))
- if s != 0:
- FAIL("Could not load the required policy '%s'.\n"
- "Start the system without any policy.\n%s" % \
- (policy, o))
-
-def ACMPrepareSystem(resources):
- if isACMEnabled():
- ACMSetPolicy()
- ACMLabelResources(resources)
-
-def ACMLabelResources(resources):
- for k, v in resources.items():
- if k == "disk":
- for vv in v:
- res = vv.split(',')[0]
- ACMLabelResource(res)
-
-# Applications may label resources explicitly by calling this function
-def ACMLabelResource(resource, label='red'):
- if not isACMEnabled():
- return
- if acm_verbose:
- print "labeling resource %s with label %s" % (resource, label)
- if not ACM_LABEL_RESOURCES:
- SKIP("Skipping test since not allowed to label resources in "
- "test suite")
- if not isACMResourceLabeled(resource):
- ACMUnlabelResource(resource)
- s, o = traceCommand("xm addlabel %s res %s" % (label, resource))
- if s != 0:
- FAIL("Could not add label to resource")
- else:
- labeled_resources["%s" % resource] = 1
-
-
-# Application may remove a label from a resource. It has to call this
-# function and must do so once a resource for re-labeling a resource
-def ACMUnlabelResource(resource):
- s, o = traceCommand("xm rmlabel res %s" % (resource))
- labeled_resources["%s" % resource] = 0
-
-
-def isACMResourceLabeled(resource):
- """ Check whether a resource has been labeled using this API
- and while running the application """
- try:
- if labeled_resources["%s" % resource] == 1:
- if acm_verbose:
- print "resource %s already labeled!" % resource
- return True
- except:
- return False
- return False
diff --git a/tools/xm-test/lib/XmTestLib/block_utils.py b/tools/xm-test/lib/XmTestLib/block_utils.py
index 58124c832a..c302efeb15 100644
--- a/tools/xm-test/lib/XmTestLib/block_utils.py
+++ b/tools/xm-test/lib/XmTestLib/block_utils.py
@@ -6,7 +6,6 @@
import time
from XmTestLib import *
-from acm import *
import xen.util.blkif
@@ -27,7 +26,6 @@ def get_state(domain, devname):
def block_attach(domain, phy, virt):
- ACMLabelResource(phy)
status, output = traceCommand("xm block-attach %s %s %s w" %
(domain.getName(), phy, virt))
if status != 0:
diff --git a/tools/xm-test/runtest.sh b/tools/xm-test/runtest.sh
index aee67dfa06..73d1a5c69d 100755
--- a/tools/xm-test/runtest.sh
+++ b/tools/xm-test/runtest.sh
@@ -221,12 +221,6 @@ run=yes
unsafe=no
GROUPENTERED=default
-#Prepare for usage with ACM
-if [ -d /etc/xen/acm-security/policies ]; then
- cp -f tests/security-acm/xm-test-security_policy.xml \
- /etc/xen/acm-security/policies
-fi
-
unset XM_MANAGED_DOMAINS
# Resolve options
diff --git a/tools/xm-test/tests/Makefile.am b/tools/xm-test/tests/Makefile.am
index d5b64ef6cb..8d673ed525 100644
--- a/tools/xm-test/tests/Makefile.am
+++ b/tools/xm-test/tests/Makefile.am
@@ -19,7 +19,6 @@ SUBDIRS = \
pause \
reboot \
sched-credit \
- security-acm \
sedf \
shutdown \
sysrq \
diff --git a/tools/xm-test/tests/security-acm/01_security-acm_basic.py b/tools/xm-test/tests/security-acm/01_security-acm_basic.py
deleted file mode 100644
index 7876c51d1b..0000000000
--- a/tools/xm-test/tests/security-acm/01_security-acm_basic.py
+++ /dev/null
@@ -1,121 +0,0 @@
-#!/usr/bin/python
-
-# Copyright (C) International Business Machines Corp., 2006
-# Author: Stefan Berger <stefanb@us.ibm.com>
-#
-# A couple of simple tests that test ACM security extensions
-# for the xm tool. The following xm subcommands are tested:
-#
-# - labels
-# - rmlabel
-# - addlabel
-# - getlabel
-# - resources
-
-from XmTestLib import *
-import xen.util.xsm.xsm as security
-from xen.util import xsconstants
-import commands
-import os
-import re
-
-testpolicy = "xm-test"
-testlabel = "blue"
-vmconfigfile = "/tmp/xm-test.conf"
-testresource = "phy:ram0"
-
-if not isACMEnabled():
- SKIP("Not running this test since ACM not enabled.")
-
-status, output = traceCommand("xm labels %s" % (testpolicy))
-if status != 0:
- FAIL("'xm labels' failed with status %d.\n" % status)
-
-#Need to get a vm config file - just have it written to a file
-domain = XmTestDomain()
-domain.config.write(vmconfigfile)
-
-#Whatever label it might have - remove it
-status, output = traceCommand("xm rmlabel dom %s" %
- (vmconfigfile))
-
-status, output = traceCommand("xm addlabel %s dom %s %s" %
- (testlabel, vmconfigfile, testpolicy))
-if status != 0:
- FAIL("(1) 'xm addlabel' failed with status %d.\n" % status)
-
-status, output = traceCommand("xm getlabel dom %s" %
- (vmconfigfile))
-
-if status != 0:
- FAIL("'xm getlabel' failed with status %d, output:\n%s" %
- (status, output))
-if output != "policytype=%s,policy=%s,label=%s" % \
- (xsconstants.ACM_POLICY_ID, testpolicy, testlabel):
- FAIL("(1) Received unexpected output from 'xm getlabel dom': \n%s" %
- (output))
-
-
-status, output = traceCommand("xm rmlabel dom %s" %
- (vmconfigfile))
-
-if status != 0:
- FAIL("'xm rmlabel' failed with status %d, output: \n%s" %
- (status,output))
-if output != "":
- FAIL("Received unexpected output from 'xm rmlabel': \n%s" %
- (output))
-
-status, output = traceCommand("xm getlabel dom %s" %
- (vmconfigfile))
-
-if output != "Error: 'Domain not labeled'":
- FAIL("(2) Received unexpected output from 'xm getlabel dom': \n%s" %
- (output))
-
-#Whatever label the resource might have, remove it
-status, output = traceCommand("xm rmlabel res %s" %
- (testresource))
-if status != 0:
- FAIL("'xm rmlabel' on resource failed with status %d.\n" % status)
-
-status, output = traceCommand("xm addlabel %s res %s %s" %
- (testlabel, testresource, testpolicy))
-if status != 0:
- FAIL("(2) 'xm addlabel' on resource failed with status %d.\n" % status)
-
-status, output = traceCommand("xm getlabel res %s" % (testresource))
-
-if status != 0:
- FAIL("'xm getlabel' on resource failed with status %d, output:\n%s" %
- (status, output))
-if output != "%s:%s:%s" % (xsconstants.ACM_POLICY_ID,\
- testpolicy,testlabel):
- FAIL("Received unexpected output from 'xm getlabel res': \n%s" %
- (output))
-
-status, output = traceCommand("xm resources")
-
-if status != 0:
- print "status = %s" % str(status)
- FAIL("'xm resources' did not run properly")
-if not re.search(security.unify_resname(testresource), output):
- FAIL("'xm resources' did not show the tested resource '%s'." %
- testresource)
-
-status, output = traceCommand("xm rmlabel res %s" %
- (testresource))
-
-if status != 0:
- FAIL("'xm rmlabel' on resource failed with status %d, output: \n%s" %
- (status,output))
-if output != "":
- FAIL("Received unexpected output from 'xm rmlabel': \n%s" %
- (output))
-
-status, output = traceCommand("xm getlabel res %s" %
- (testresource))
-
-if output != "Error: 'Resource not labeled'":
- FAIL("Received unexpected output from 'xm getlabel res': \n%s" %
- (output))
diff --git a/tools/xm-test/tests/security-acm/02_security-acm_dom_start.py b/tools/xm-test/tests/security-acm/02_security-acm_dom_start.py
deleted file mode 100644
index 4aac09d2fc..0000000000
--- a/tools/xm-test/tests/security-acm/02_security-acm_dom_start.py
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/bin/python
-
-# Copyright (C) International Business Machines Corp., 2006
-# Author: Stefan Berger <stefanb@us.ibm.com>
-#
-# Simple test that starts two labeled domains; both domains should start
-#
-# The following xm subcommands are tested:
-# - dumppolicy
-# - labels
-
-from XmTestLib import *
-from acm_utils import *
-import commands
-import os
-
-testlabel1 = "green"
-testlabel2 = "red"
-
-status, output = traceCommand("xm labels")
-
-labels = ["SystemManagement", "blue", "red", "green"]
-for l in labels:
- if not re.search(l, output):
- FAIL("Label '%s' not found in current policy!", l)
-
-status, output = traceCommand("xm dumppolicy")
-if status != 0:
- FAIL("'xm dumppolicy' returned an error code.")
-lines = ["ssidref 0: 00 00 00 00",
- "ssidref 1: 01 00 00 00",
- "ssidref 2: 00 01 00 00",
- "ssidref 3: 00 00 01 00",
- "ssidref 4: 00 00 00 01"]
-for l in lines:
- if not re.search(l, output):
- FAIL("Could not find '%s' in output of 'xm dumppolicy'" % l)
-
-config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel1)}
-verbose = True
-domain1 = XmTestDomain(name="domain-%s" % testlabel1,
- extraConfig=config)
-
-try:
- domain1.start(noConsole=True)
-except DomainError, e:
- if verbose:
- print e.extra
- FAIL("Unable to start 1st labeled test domain.")
-
-config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel2)}
-
-domain2 = XmTestDomain(name="domain-%s" % testlabel2,
- extraConfig=config)
-
-try:
- domain2.start(noConsole=True)
-except DomainError, e:
- if verbose:
- print e.extra
- FAIL("Unable to start 2nd labeled test domain.")
-
-domain2.destroy()
-domain1.destroy()
diff --git a/tools/xm-test/tests/security-acm/03_security-acm_dom_conflict.py b/tools/xm-test/tests/security-acm/03_security-acm_dom_conflict.py
deleted file mode 100644
index 4aef380de5..0000000000
--- a/tools/xm-test/tests/security-acm/03_security-acm_dom_conflict.py
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/usr/bin/python
-
-# Copyright (C) International Business Machines Corp., 2006
-# Author: Stefan Berger <stefanb@us.ibm.com>
-#
-# A test that exercises the conflict set of the chinese wall policy.
-# Start a first domain and then a second one. The second one is
-# expected NOT to be starteable.
-
-from XmTestLib import *
-from acm_utils import *
-import commands
-import os
-
-testlabel1 = "blue"
-testlabel2 = "red"
-
-config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel1)}
-
-domain1 = XmTestDomain(name="domain-%s" % testlabel1,
- extraConfig=config)
-
-try:
- domain1.start(noConsole=True)
-except DomainError, e:
- if verbose:
- print e.extra
- FAIL("Unable to start 1st labeled test domain")
-
-# Verify with xm dry-run
-status, output = traceCommand("xm dry-run /tmp/xm-test.conf | "
- "grep -v \"Dry Run\"")
-if status != 0:
- FAIL("'xm dry-run' failed")
-if not re.search("PERMITTED", output):
- FAIL("'xm dry-run' did not succeed.")
-
-config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel2)}
-
-domain2 = XmTestDomain(name="domain-%s" % testlabel2,
- extraConfig=config)
-
-try:
- domain2.start(noConsole=True)
- # Should never get here!
- FAIL("Could start a domain in a conflict set - "
- "this should not be possible")
-except DomainError, e:
- #This is exactly what we want in this case
- status = 0
-
-# Verify with xm dry-run
-status, output = traceCommand("xm dry-run /tmp/xm-test.conf | "
- "grep -v \"Dry Run\"")
-if status != 0:
- FAIL("'xm dry-run' failed.")
-if not re.search("PERMITTED", output):
- FAIL("'xm dry-run' did not show that operation was permitted.")
-
-domain1.destroy()
diff --git a/tools/xm-test/tests/security-acm/04_security-acm_dom_res.py b/tools/xm-test/tests/security-acm/04_security-acm_dom_res.py
deleted file mode 100644
index 367016339f..0000000000
--- a/tools/xm-test/tests/security-acm/04_security-acm_dom_res.py
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/python
-
-# Copyright (C) International Business Machines Corp., 2006
-# Author: Stefan Berger <stefanb@us.ibm.com>
-#
-# Simple test that starts two labeled domains using labeled resources each
-#
-
-from XmTestLib import *
-from acm_utils import *
-import commands
-import os
-
-testlabel1 = "green"
-resource1 = "phy:ram0"
-testlabel2 = "red"
-resource2 = "phy:/dev/ram1"
-
-config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel1),
- "disk" :"%s,hda1,w" % (resource1)}
-domain1 = XmTestDomain(name="domain-%s" % testlabel1,
- extraConfig=config)
-
-# Explicity label the resource
-ACMLabelResource(resource1, testlabel1)
-
-try:
- domain1.start(noConsole=True)
-except DomainError, e:
- if verbose:
- print e.extra
- FAIL("Unable to start 1st labeled test domain.")
-
-# Verify with xm dry-run
-status, output = traceCommand("xm dry-run /tmp/xm-test.conf | "
- "grep -v \"Dry Run\"")
-
-if status != 0:
- FAIL("'xm dry-run' failed")
-if not re.search("%s: PERMITTED" % resource1, output):
- FAIL("'xm dry-run' did not succeed.")
-
-config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel2),
- "disk" :"%s,hda1,w" % (resource2)}
-
-domain2 = XmTestDomain(name="domain-%s" % testlabel2,
- extraConfig=config)
-
-# Explicity label the resource
-ACMLabelResource(resource2, testlabel2)
-
-try:
- domain2.start(noConsole=True)
-except DomainError, e:
- if verbose:
- print e.extra
- FAIL("Unable to start 2nd labeled test domain.")
-
-# Verify with xm dry-run
-status, output = traceCommand("xm dry-run /tmp/xm-test.conf | "
- "grep -v \"Dry Run\"")
-
-if status != 0:
- FAIL("'xm dry-run' failed")
-if not re.search("%s: PERMITTED" % resource2, output):
- FAIL("'xm dry-run' did not succeed.")
-
-domain2.destroy()
-domain1.destroy()
diff --git a/tools/xm-test/tests/security-acm/05_security-acm_dom_res_conf.py b/tools/xm-test/tests/security-acm/05_security-acm_dom_res_conf.py
deleted file mode 100644
index 89c6b5974c..0000000000
--- a/tools/xm-test/tests/security-acm/05_security-acm_dom_res_conf.py
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/usr/bin/python
-
-# Copyright (C) International Business Machines Corp., 2006
-# Author: Stefan Berger <stefanb@us.ibm.com>
-#
-# A test that tries to start a domain using a resource that it is
-# not supposed to be able to use due to its labeling
-
-from XmTestLib import *
-from acm_utils import *
-import commands
-import os
-
-testlabel1 = "blue"
-resource1 = "phy:ram0"
-
-config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel1),
- "disk" :"%s,hda1,w" % (resource1)}
-
-domain1 = XmTestDomain(name="domain-%s" % testlabel1,
- extraConfig=config)
-
-ACMLabelResource(resource1,"red")
-
-try:
- domain1.start(noConsole=True)
- # Should never get here
- FAIL("Could start domain with resource that it is not supposed to access.")
-except DomainError, e:
- #That's exactly what we want to have in this case
- dummy = 0
-
-# Verify via dry-run
-status, output = traceCommand("xm dry-run /tmp/xm-test.conf | "
- "grep -v \"Dry Run\"")
-if not re.search("%s: DENIED" %resource1, output):
- FAIL("'xm dry-run' did not show expected result that operation was NOT "
- "permitted: \n%s" % output)
diff --git a/tools/xm-test/tests/security-acm/06_security-acm_dom_block_attach.py b/tools/xm-test/tests/security-acm/06_security-acm_dom_block_attach.py
deleted file mode 100644
index 92b09e9e01..0000000000
--- a/tools/xm-test/tests/security-acm/06_security-acm_dom_block_attach.py
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/usr/bin/python
-
-# Copyright (C) International Business Machines Corp., 2005
-# Author: Stefan Berger <stefanb@us.ibm.com>
-# Based on block-create/01_block_attach_device_pos.py
-#
-# Create a domain and attach 2 resources to it. The first resource
-# should be attacheable, the 2nd one should not be due to the label it has.
-
-import re
-from XmTestLib import *
-from XmTestLib import block_utils
-from acm_utils import *
-
-testlabel1 = "blue"
-resource1 = "phy:ram1"
-resourcelabel1 = "blue"
-resource2 = "phy:/dev/ram0"
-resourcelabel2 = "red"
-
-if ENABLE_HVM_SUPPORT:
- SKIP("Block-attach not supported for HVM domains")
-
-# Create a domain (default XmTestDomain, with our ramdisk)
-config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel1)}
-
-domain = XmTestDomain(extraConfig=config)
-
-try:
- console = domain.start()
-except DomainError, e:
- FAIL(str(e))
-
-# Attach a console to it
-try:
- console.setHistorySaveCmds(value=True)
- # Run 'ls'
- run = console.runCmd("ls")
-except ConsoleError, e:
- saveLog(console.getHistory())
- FAIL(str(e))
-
-
-# Explicitly label the 1st resource
-ACMLabelResource(resource1, resourcelabel1)
-block_utils.block_attach(domain, resource1, "xvda1")
-
-try:
- run1 = console.runCmd("cat /proc/partitions")
-except ConsoleError, e:
- FAIL(str(e))
-
-#Explicitly label the 2nd resource
-ACMLabelResource(resource2, resourcelabel2)
-#Cannot call block_attach here since we legally may fail the command
-status, output = traceCommand("xm block-attach %s %s %s w" %
- (domain.getName(), resource2, "xvda2" ))
-
-for i in range(10):
- if block_utils.get_state(domain, "xvda2") == 4:
- break
- time.sleep(1)
-
-try:
- run2 = console.runCmd("cat /proc/partitions")
-except ConsoleError, e:
- FAIL(str(e))
-
-# Close the console
-domain.closeConsole()
-
-# Stop the domain (nice shutdown)
-domain.stop()
-
-if not re.search("xvda1",run1["output"]):
- FAIL("Labeled device 'xvda1' is not actually connected to the domU")
-
-if not re.search("xvda1",run2["output"]):
- FAIL("Labeled device 'xbvda1' has disappeared?!")
-
-if re.search("xvda2",run2["output"]):
- FAIL("Labeled device 'xvda2' is connected to the domU but should not be")
diff --git a/tools/xm-test/tests/security-acm/07_security-acm_pol_update.py b/tools/xm-test/tests/security-acm/07_security-acm_pol_update.py
deleted file mode 100644
index a9e19a2153..0000000000
--- a/tools/xm-test/tests/security-acm/07_security-acm_pol_update.py
+++ /dev/null
@@ -1,313 +0,0 @@
-#!/usr/bin/python
-
-# Copyright (C) International Business Machines Corp., 2006
-# Author: Stefan Berger <stefanb@us.ibm.com>
-
-# Test to exercise the xspolicy class
-
-from XmTestLib import xapi
-from XmTestLib.XenAPIDomain import XmTestAPIDomain
-from XmTestLib import *
-from xen.xend import XendAPIConstants
-import xen.util.xsm.xsm as security
-from xen.util import acmpolicy, xsconstants
-from xen.util.acmpolicy import ACMPolicy
-from xen.xend.XendDomain import DOM0_UUID
-from XmTestLib.acm import *
-
-import commands
-import os
-import base64
-
-if not isACMEnabled():
- SKIP("Not running this test since ACM not enabled.")
-
-try:
- session = xapi.connect()
-except:
- SKIP("Skipping this test since xm is not using the Xen-API.")
-
-xm_test = {}
-xm_test['policyname'] = "xm-test"
-xm_test['date'] = "Fri Sep 29 14:44:38 2006"
-xm_test['url'] = None
-
-vm_label_red = "%s:xm-test:red" % xsconstants.ACM_POLICY_ID
-vm_label_green = "%s:xm-test:green" % xsconstants.ACM_POLICY_ID
-vm_label_blue = "%s:xm-test:blue" % xsconstants.ACM_POLICY_ID
-vm_label_sys = "%s:xm-test:SystemManagement" % xsconstants.ACM_POLICY_ID
-
-vm_label_black = "%s:xm-test:black"
-
-session = xapi.connect()
-
-oldlabel = session.xenapi.VM.get_security_label(DOM0_UUID)
-
-ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
- vm_label_sys,
- oldlabel)
-if int(ssidref) <= 0 or int(ssidref) != 0x00010001:
- FAIL("(0) Domain-0 label for '%s' has unexpected failure: %08x" %
- (vm_label_sys, int(ssidref)))
-print "ssidref for '%s' is 0x%08x" % (vm_label_sys, int(ssidref))
-
-
-xstype = session.xenapi.XSPolicy.get_xstype()
-if int(xstype) & xsconstants.XS_POLICY_ACM == 0:
- SKIP("ACM not enabled/compiled in Xen")
-
-policystate = session.xenapi.XSPolicy.get_xspolicy()
-if not policystate.has_key('xs_ref'):
- FAIL("get_xspolicy must return member 'xs_ref'")
-
-xs_ref = policystate['xs_ref']
-if xs_ref != "":
- origpolicyxml = session.xenapi.ACMPolicy.get_xml(xs_ref)
-else:
- origpolicyxml = ""
-
-f = open("xm-test-security_policy.xml", 'r')
-if f:
- newpolicyxml = f.read()
- f.close()
-else:
- FAIL("Could not read 'xm-test' policy")
-
-try:
- os.unlink("/boot/xm-test.bin")
-except:
- pass
-
-policystate = session.xenapi.XSPolicy.get_xspolicy()
-
-if int(policystate['type']) == 0:
- policystate = session.xenapi.XSPolicy.set_xspolicy(
- xsconstants.XS_POLICY_ACM,
- newpolicyxml,
- xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
- 1)
- if int(policystate['flags']) == -1:
- FAIL("Could not set the new policy.")
-
-print "state of policy = %s " % policystate
-
-rc = session.xenapi.XSPolicy.activate_xspolicy(
- policystate['xs_ref'],
- xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT)
-if int(rc) != xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT:
- FAIL("Could not activate the current policy: rc = %08x" % int(rc))
-
-if not os.path.exists("/boot/xm-test.bin"):
- FAIL("Binary policy was not installed. Check grub config file.")
-
-policystate = session.xenapi.XSPolicy.get_xspolicy()
-
-if int(policystate['flags']) != xsconstants.XS_INST_BOOT | \
- xsconstants.XS_INST_LOAD:
- FAIL("Flags (%x) are not indicating the correct state of the policy.",
- int(policystate['flags']))
-
-policystate = session.xenapi.XSPolicy.get_xspolicy()
-xs_ref = policystate['xs_ref']
-
-newpolicyxml = None
-f = open("xm-test-new-security_policy.xml", 'r')
-if f:
- newpolicyxml = f.read()
- f.close()
-else:
- FAIL("Could not read 'xm-test-new' policy")
-
-cur_acmpol = ACMPolicy(xml = policystate['repr'])
-new_acmpol = ACMPolicy(xml = newpolicyxml)
-
-new_acmpol.update_frompolicy(cur_acmpol)
-
-policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
- new_acmpol.toxml(),
- xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
- 1)
-
-f = open("xm-test-security_policy.xml", 'r')
-if f:
- newpolicyxml = f.read()
- f.close()
-else:
- FAIL("Could not read 'xm-test-new' policy")
-
-cur_acmpol = new_acmpol
-new_acmpol = ACMPolicy(xml = newpolicyxml)
-
-new_acmpol.update_frompolicy(cur_acmpol)
-
-policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
- new_acmpol.toxml(),
- xsconstants.XS_INST_LOAD | xsconstants.XS_INST_BOOT,
- 1)
-
-dom0_lab = session.xenapi.VM.get_security_label(DOM0_UUID)
-
-ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
- vm_label_sys, dom0_lab)
-if int(ssidref) <= 0 or int(ssidref) != 0x00010001:
- FAIL("(1) Domain-0 label for '%s' has unexpected failure: %08x" %
- (vm_label_sys, int(ssidref)))
-print "ssidref for '%s' is 0x%08x" % (vm_label_sys, int(ssidref))
-
-try:
- ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
- vm_label_black,
- vm_label_sys)
- FAIL("Could set label '%s', although it's not in the policy. "
- "ssidref=%s" % (vm_label_black, ssidref))
-except:
- pass
-
-ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
- vm_label_red,
- vm_label_sys)
-if int(ssidref) <= 0:
- FAIL("(2) Domain-0 label for '%s' has unexpected failure: %08x" %
- (vm_label_red, int(ssidref)))
-print "ssidref for '%s' is 0x%08x" % (vm_label_red, int(ssidref))
-
-label = session.xenapi.VM.get_security_label(DOM0_UUID)
-
-if label != vm_label_red:
- FAIL("Dom0 label '%s' not as expected '%s'" % (label, vm_label_red))
-
-
-ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
- vm_label_sys,
- vm_label_red)
-if int(ssidref) <= 0 or int(ssidref) != 0x00010001:
- FAIL("(3) Domain-0 label for '%s' has unexpected failure: %08x" %
- (vm_label_sys, int(ssidref)))
-
-label = session.xenapi.VM.get_security_label(DOM0_UUID)
-
-if label != vm_label_sys:
- FAIL("Dom0 label '%s' not as expected '%s'" % label, dom0_label)
-
-header = session.xenapi.ACMPolicy.get_header(xs_ref)
-
-if header['policyname'] != xm_test['policyname']:
- FAIL("Name in header is '%s', expected is '%s'." %
- (header['policyname'],xm_test['policyname']))
-if header['date'] != xm_test['date']:
- FAIL("Date in header is '%s', expected is '%s'." %
- (header['date'],xm_test['date']))
-if header.has_key("url") and header['url' ] != xm_test['url' ]:
- FAIL("URL in header is '%s', expected is '%s'." %
- (header['url' ],xm_test['url' ]))
-
-# Create another domain
-try:
- # XmTestAPIDomain tries to establish a connection to XenD
- domain = XmTestAPIDomain(extraConfig={ 'security_label' : vm_label_blue })
-except Exception, e:
- SKIP("Skipping test. Error: %s" % str(e))
-
-
-vm_uuid = domain.get_uuid()
-
-res = session.xenapi.VM.get_security_label(vm_uuid)
-if res != vm_label_blue:
- FAIL("VM has security label '%s', expected is '%s'" %
- (res, vm_label_blue))
-
-try:
- domain.start(noConsole=True)
-except:
- FAIL("Could not create domain")
-
-
-# Attempt to relabel the running domain
-ssidref = session.xenapi.VM.set_security_label(vm_uuid,
- vm_label_red,
- vm_label_blue)
-if int(ssidref) <= 0:
- FAIL("Could not relabel running domain to '%s'." % vm_label_red)
-
-# user domain is 'red', dom0 is current 'SystemManagement'.
-# Try to move domain-0 to 'red' first, then to 'blue'.
-
-# Moving domain-0 to 'red' should work
-ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
- vm_label_red,
- vm_label_sys)
-if int(ssidref) <= 0:
- FAIL("Could not label domain-0 '%s'" % vm_label_red)
-
-# Moving the guest domain to 'blue' should not work due to conflict set
-try:
- ssidref = session.xenapi.VM.set_security_label(vm_uuid,
- vm_label_blue,
- vm_label_red)
- FAIL("Could label guest domain with '%s', although this is in a conflict "
- "set. ssidref=%x" % (vm_label_blue,int(ssidref)))
-except:
- pass
-
-label = session.xenapi.VM.get_security_label(vm_uuid)
-if label != vm_label_red:
- FAIL("User domain has wrong label '%s', expected '%s'." %
- (label, vm_label_red))
-
-label = session.xenapi.VM.get_security_label(DOM0_UUID)
-if label != vm_label_red:
- FAIL("Domain-0 has wrong label '%s'; expected '%s'." %
- (label, vm_label_red))
-
-ssidref = session.xenapi.VM.set_security_label(DOM0_UUID,
- vm_label_sys,
- vm_label_red)
-if int(ssidref) < 0:
- FAIL("Could not set the domain-0 security label to '%s'." %
- (vm_label_sys))
-
-# pause the domain and relabel it...
-session.xenapi.VM.pause(vm_uuid)
-
-label = session.xenapi.VM.get_security_label(vm_uuid)
-if label != vm_label_red:
- FAIL("User domain has wrong label '%s', expected '%s'." %
- (label, vm_label_red))
-
-ssidref = session.xenapi.VM.set_security_label(vm_uuid,
- vm_label_blue,
- vm_label_red)
-print "guest domain new label '%s'; ssidref is 0x%08x" % \
- (vm_label_blue, int(ssidref))
-if int(ssidref) <= 0:
- FAIL("Could not label guest domain with '%s'" % (vm_label_blue))
-
-label = session.xenapi.VM.get_security_label(vm_uuid)
-if label != vm_label_blue:
- FAIL("User domain has wrong label '%s', expected '%s'." %
- (label, vm_label_blue))
-
-session.xenapi.VM.unpause(vm_uuid)
-
-rc = session.xenapi.VM.suspend(vm_uuid)
-
-ssidref = session.xenapi.VM.set_security_label(vm_uuid,
- vm_label_green,
- vm_label_blue)
-print "guest domain new label '%s'; ssidref is 0x%08x" % \
- (vm_label_green, int(ssidref))
-if int(ssidref) < 0:
- FAIL("Could not label suspended guest domain with '%s'" % (vm_label_blue))
-
-label = session.xenapi.VM.get_security_label(vm_uuid)
-if label != vm_label_green:
- FAIL("User domain has wrong label '%s', expected '%s'." %
- (label, vm_label_green))
-
-
-rc = session.xenapi.VM.resume(vm_uuid, False)
-
-label = session.xenapi.VM.get_security_label(vm_uuid)
-if label != vm_label_green:
- FAIL("User domain has wrong label '%s', expected '%s'." %
- (label, vm_label_green))
diff --git a/tools/xm-test/tests/security-acm/08_security-acm_xapi.py b/tools/xm-test/tests/security-acm/08_security-acm_xapi.py
deleted file mode 100644
index 469bf35a91..0000000000
--- a/tools/xm-test/tests/security-acm/08_security-acm_xapi.py
+++ /dev/null
@@ -1,358 +0,0 @@
-#!/usr/bin/python
-
-# Copyright (C) International Business Machines Corp., 2007
-# Author: Stefan Berger <stefanb@us.ibm.com>
-
-# VM creation test with labeled VM and labeled VDI
-
-from XmTestLib import xapi
-from XmTestLib.XenAPIDomain import XmTestAPIDomain
-from XmTestLib import *
-from xen.xend import XendAPIConstants
-import xen.util.xsm.xsm as security
-from xen.util import acmpolicy, xsconstants
-import commands
-import os
-
-vm_label_red = xsconstants.ACM_POLICY_ID + ":xm-test:red"
-vm_label_green = xsconstants.ACM_POLICY_ID + ":xm-test:green"
-vdi_label_red = xsconstants.ACM_POLICY_ID + ":xm-test:red"
-vdi_label_green = xsconstants.ACM_POLICY_ID + ":xm-test:green"
-
-vm_label_unlabeled = xsconstants.ACM_POLICY_ID + ":xm-test:" + \
- acmpolicy.ACM_LABEL_UNLABELED
-
-vdi_file = "/dev/ram0"
-vdi_path = "phy:" + vdi_file
-
-#Note:
-# If during the suspend/resume operations 'red' instead of 'green' is
-# used, the Chinese Wall policy goes into effect and disallows the
-# suspended VM from being resumed...
-
-try:
- # XmTestAPIDomain tries to establish a connection to XenD
- domain = XmTestAPIDomain(extraConfig={ 'security_label' : vm_label_red })
-except Exception, e:
- SKIP("Skipping test. Error: %s" % str(e))
-
-vm_uuid = domain.get_uuid()
-
-session = xapi.connect()
-xstype = session.xenapi.XSPolicy.get_xstype()
-if int(xstype) & xsconstants.XS_POLICY_ACM == 0:
- SKIP("ACM not enabled/compiled in Xen")
-
-f = open("xm-test-security_policy.xml", 'r')
-if f:
- newpolicyxml = f.read()
- f.close()
-else:
- FAIL("Could not read 'xm-test' policy")
-
-policystate = session.xenapi.XSPolicy.get_xspolicy()
-if int(policystate['type']) == 0:
- policystate = session.xenapi.XSPolicy.set_xspolicy(
- xsconstants.XS_POLICY_ACM,
- newpolicyxml,
- xsconstants.XS_INST_BOOT | xsconstants.XS_INST_LOAD,
- True)
- if int(policystate['flags']) == -1:
- FAIL("Could not set the new policy.")
-
-policystate = session.xenapi.XSPolicy.get_xspolicy()
-print "policystate = %s" % policystate
-acm_ref = policystate['xs_ref']
-
-
-#
-# Some tests with labeling of resources
-#
-labels = session.xenapi.XSPolicy.get_labeled_resources()
-print "labeled resources are:\n%s" % labels
-
-oldlabel = session.xenapi.XSPolicy.get_resource_label("phy:/dev/ram0")
-
-rc = session.xenapi.XSPolicy.set_resource_label("phy:/dev/ram0", "",
- oldlabel)
-
-rc = session.xenapi.XSPolicy.set_resource_label("phy:/dev/ram0",
- vdi_label_green,
- "")
-
-res = session.xenapi.XSPolicy.get_resource_label("phy:/dev/ram0")
-if res != vdi_label_green:
- FAIL("(1) get_resource_label returned unexpected result %s, wanted %s" %
- (res, vdi_label_green))
-
-
-#
-# Some test with labeling of VMs
-#
-
-res = session.xenapi.VM.get_security_label(vm_uuid)
-
-if res != vm_label_red:
- FAIL("VM.get_security_label returned wrong security label '%s'." % res)
-
-res = session.xenapi.VM.set_security_label(vm_uuid, vm_label_green,
- vm_label_red)
-
-res = session.xenapi.VM.get_security_label(vm_uuid)
-if res != vm_label_green:
- FAIL("VM does not show expected label '%s' but '%s'." %
- (vm_label_green, res))
-
-res = session.xenapi.VM.set_security_label(vm_uuid, "", vm_label_green)
-if int(res) != 0:
- FAIL("Should be able to unlabel the domain while it's halted.")
-
-res = session.xenapi.VM.get_security_label(vm_uuid)
-if res != vm_label_unlabeled:
- FAIL("Unexpected VM security label after removal: %s" % res)
-
-res = session.xenapi.VM.set_security_label(vm_uuid, vm_label_red, res)
-if int(res) != 0:
- FAIL("Could not label the VM to '%s'" % vm_label_red)
-
-res = session.xenapi.VM.get_security_label(vm_uuid)
-if res != vm_label_red:
- FAIL("VM has wrong label '%s', expected '%s'." % (res, vm_label_red))
-
-sr_uuid = session.xenapi.SR.get_by_name_label("Local")
-if len(sr_uuid) == 0:
- FAIL("Could not get a handle on SR 'Local'")
-
-
-vdi_rec = { 'name_label' : "My disk",
- 'SR' : sr_uuid[0],
- 'virtual_size': 0,
- 'sector_size' : 512,
- 'parent' : '',
- 'SR_name' : 'Local',
- 'type' : 'system',
- 'shareable' : False,
- 'read-only' : False,
- 'other_config': {'location': vdi_path}
-}
-
-vdi_ref = session.xenapi.VDI.create(vdi_rec)
-
-res = session.xenapi.VDI.get_name_label(vdi_ref)
-if res != vdi_rec['name_label']:
- print "Destroying VDI now"
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("VDI_get_name_label return wrong information")
-
-res = session.xenapi.VDI.get_record(vdi_ref)
-print "vdi_record : %s" % res
-
-oldlabel = session.xenapi.XSPolicy.get_resource_label(vdi_path)
-
-#Remove label from VDI device
-rc = session.xenapi.XSPolicy.set_resource_label(vdi_path,
- "",
- oldlabel)
-
-
-# Attach a VBD to the VM
-
-vbd_rec = { 'VM' : vm_uuid,
- 'VDI' : vdi_ref,
- 'device' : "xvda1",
- 'mode' : 1,
- 'bootable': 0,
-}
-
-vbd_ref = session.xenapi.VBD.create(vbd_rec)
-
-res = session.xenapi.VBD.get_record(vbd_ref)
-
-try:
- domain.start(noConsole=True)
- # Should not get here.
- print "Destroying VDI now"
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("Could start VM with a VBD that it is not allowed to access.")
-except:
- pass
- print "Could not create domain -- that's good"
-
-
-#
-# Label the VDI now
-#
-
-rc = session.xenapi.VDI.set_security_label(vdi_ref, vdi_label_red, "")
-if int(rc) != 0:
- FAIL("Could not set the VDI label to '%s'" % vdi_label_red)
-
-label = session.xenapi.VDI.get_security_label(vdi_ref)
-if label != vdi_label_red:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("Unexpected label '%s' on VDI, wanted '%s'" %
- (label, vdi_label_red))
-
-rc = session.xenapi.VDI.set_security_label(vdi_ref, "", label)
-if int(rc) != 0:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("Should be able to unlabel VDI.")
-
-rc = session.xenapi.VDI.set_security_label(vdi_ref, vdi_label_red, "")
-if int(rc) != 0:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("Should be able to label VDI with label '%s'" % vid_label_red)
-
-res = session.xenapi.XSPolicy.get_resource_label(vdi_path)
-if res != vdi_label_red:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("(2) get_resource_label on %s returned unexpected result %s, wanted '%s'" %
- (vdi_path, res, vdi_label_red))
-
-res = session.xenapi.VDI.get_security_label(vdi_ref)
-if res != vdi_label_red:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("get_security_label returned unexpected result %s, wanted '%s'" %
- (res, vdi_label_red))
-
-domain.start(noConsole=True)
-
-console = domain.getConsole()
-
-domName = domain.getName()
-
-try:
- run = console.runCmd("cat /proc/interrupts")
-except ConsoleError, e:
- saveLog(console.getHistory())
- FAIL("Could not access proc-filesystem")
-
-# Try to relabel while VM is running
-try:
- res = session.xenapi.VM.set_security_label(vm_uuid, vm_label_green,
- vm_label_red)
-except:
- pass
-
-lab = session.xenapi.VM.get_security_label(vm_uuid)
-if lab == vm_label_green:
- FAIL("Should not be able to reset the security label while running."
- "tried to set to %s, got %s, old: %s" %(vm_label_green, lab,
- vm_label_red))
-
-
-#
-# Suspend the domain and relabel it
-#
-
-try:
- status, output = traceCommand("xm suspend %s" % domName,
- timeout=30)
-except TimeoutError, e:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("Failure from suspending VM: %s." % str(e))
-
-# Try to relabel while VM is suspended -- this should work
-
-rc = session.xenapi.VM.set_security_label(vm_uuid, vm_label_green,
- vm_label_red)
-if int(rc) != 0:
- FAIL("VM security label could not be set to %s" % vm_label_green)
-
-res = session.xenapi.VM.get_security_label(vm_uuid)
-if res != vm_label_green:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("VM (suspended) has label '%s', expected '%s'." %
- (res, vm_label_green))
-
-status, output = traceCommand("xm list")
-
-#Try to resume now -- should fail due to denied access to block device
-try:
- status, output = traceCommand("xm resume %s" % domName,
- timeout=30)
- if status == 0:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("Could resume re-labeled VM: %s" % output)
-except Exception, e:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("1. Error resuming the VM: %s." % str(e))
-
-# Relabel VM so it would resume
-res = session.xenapi.VM.set_security_label(vm_uuid, vm_label_red,
- vm_label_green)
-if int(res) != 0:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("Could not relabel VM to have it resume.")
-
-res = session.xenapi.VM.get_security_label(vm_uuid)
-if res != vm_label_red:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("VM (suspended) has label '%s', expected '%s'." %
- (res, vm_label_red))
-
-
-# Relabel the resource so VM should not resume
-try:
- session.xenapi.XSPolicy.set_resource_label(vdi_path,
- vdi_label_green,
- "")
-except Exception, e:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("Could not label the VDI to '%s': %x" %
- (vdi_label_green, int(rc)))
-
-#Try to resume now -- should fail due to denied access to block device
-try:
- status, output = traceCommand("xm resume %s" % domName,
- timeout=30)
- if status == 0:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("Could resume re-labeled VM: %s" % output)
-except Exception, e:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("2. Error resuming the VM: %s." % str(e))
-
-
-status, output = traceCommand("xm list")
-
-# Relabel the resource so VM can resume
-try:
- session.xenapi.XSPolicy.set_resource_label(vdi_path,
- vdi_label_red,
- vdi_label_green)
-except Exception, e:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("Could not label the resource to '%s'" % vid_label_red)
-
-res = session.xenapi.XSPolicy.get_resource_label(vdi_path)
-if res != vdi_label_red:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("'%s' has label '%s', expected '%s'." %
- (vdi_path, res, vdi_label_red))
-
-#Try to resume now -- should work
-try:
- status, output = traceCommand("xm resume %s" % domName,
- timeout=30)
- if status != 0:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("Could not resume re-labeled VM: %s" % output)
-except Exception, e:
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("3. Error resuming the VM: %s." % str(e))
-
-
-status, output = traceCommand("xm list")
-
-console = domain.getConsole()
-
-try:
- run = console.runCmd("cat /proc/interrupts")
-except ConsoleError, e:
- saveLog(console.getHistory())
- session.xenapi.VDI.destroy(vdi_ref)
- FAIL("Could not access proc-filesystem")
-
-domain.stop()
-domain.destroy()
diff --git a/tools/xm-test/tests/security-acm/09_security-acm_pol_update.py b/tools/xm-test/tests/security-acm/09_security-acm_pol_update.py
deleted file mode 100644
index cc53baf2b9..0000000000
--- a/tools/xm-test/tests/security-acm/09_security-acm_pol_update.py
+++ /dev/null
@@ -1,437 +0,0 @@
-#!/usr/bin/python
-
-# Copyright (C) International Business Machines Corp., 2007
-# Author: Stefan Berger <stefanb@us.ibm.com>
-
-# Test to exercise the xspolicy and acmpolicy classes
-
-from XmTestLib import xapi
-from XmTestLib.XenAPIDomain import XmTestAPIDomain
-from XmTestLib.acm import *
-from XmTestLib import *
-from xen.xend import XendAPIConstants
-import xen.util.xsm.xsm as security
-from xen.util import xsconstants
-from xen.util.acmpolicy import ACMPolicy
-from xen.xend.XendDomain import DOM0_UUID
-import base64
-import struct
-import time
-
-if not isACMEnabled():
- SKIP("Not running this test since ACM not enabled.")
-
-try:
- session = xapi.connect()
-except:
- SKIP("Skipping this test since xm is not using the Xen-API.")
-
-def typestoxml(types):
- res = ""
- for t in types:
- res += "<Type>" + t + "</Type>\n"
- return res
-
-def cfstoxml(cfss):
- res = ""
- for cfs in cfss:
- res += "<Conflict name=\"" + cfs['name'] + "\">\n" + \
- typestoxml(cfs['chws']) + \
- "</Conflict>\n"
- return res
-
-def vmlabelstoxml(vmlabels, vmfrommap):
- res = ""
- for vmlabel in vmlabels:
- res += "<VirtualMachineLabel>\n"
- if vmlabel['name'] in vmfrommap:
- res += "<Name from=\""+ vmfrommap[vmlabel['name']] +"\">"
- else:
- res += "<Name>"
- res += vmlabel['name'] + "</Name>\n"
- res += "<SimpleTypeEnforcementTypes>\n" + \
- typestoxml(vmlabel['stes']) + \
- "</SimpleTypeEnforcementTypes>\n"
- if vmlabel.has_key('chws'):
- res += "<ChineseWallTypes>\n" + \
- typestoxml(vmlabel['chws']) + \
- "</ChineseWallTypes>\n"
- res += "</VirtualMachineLabel>\n"
- return res
-
-
-def reslabelstoxml(reslabels, resfrommap):
- res = ""
- for reslabel in reslabels:
- res += "<ResourceLabel>\n"
- if resfrommap.has_key(reslabel['name']):
- res += "<Name from=\""+ resfrommap[reslabel['name']] +"\">"
- else:
- res += "<Name>"
- res += reslabel['name'] + "</Name>\n"
- res += "<SimpleTypeEnforcementTypes>\n" + \
- typestoxml(reslabel['stes']) + \
- "</SimpleTypeEnforcementTypes>\n"
- res += "</ResourceLabel>\n"
- return res
-
-def create_xml_policy(hdr, stes, chws,
- vmlabels, vmfrommap, bootstrap,
- reslabels, resfrommap,
- cfss):
- hdr_xml ="<PolicyHeader>\n" + \
- " <PolicyName>" + hdr['name'] + "</PolicyName>\n" + \
- " <Version>" + hdr['version'] + "</Version>\n" + \
- " <FromPolicy>\n" + \
- " <PolicyName>" + hdr['oldname'] + "</PolicyName>\n" + \
- " <Version>" + hdr['oldversion'] + "</Version>\n" + \
- " </FromPolicy>\n" + \
- "</PolicyHeader>\n"
-
- stes_xml = "<SimpleTypeEnforcement>\n" + \
- " <SimpleTypeEnforcementTypes>\n" + \
- typestoxml(stes) + \
- " </SimpleTypeEnforcementTypes>\n" + \
- "</SimpleTypeEnforcement>\n"
-
- chws_xml = "<ChineseWall>\n" + \
- " <ChineseWallTypes>\n" + \
- typestoxml(chws) + \
- " </ChineseWallTypes>\n" + \
- " <ConflictSets>\n" + \
- cfstoxml(cfss) + \
- " </ConflictSets>\n" + \
- "</ChineseWall>\n"
-
- subjlabel_xml = "<SubjectLabels bootstrap=\""+ bootstrap +"\">\n" + \
- vmlabelstoxml(vmlabels, vmfrommap) + \
- "</SubjectLabels>\n"
- objlabel_xml = "<ObjectLabels>\n" + \
- reslabelstoxml(reslabels, resfrommap) + \
- "</ObjectLabels>\n"
-
- policyxml = "<?xml version=\"1.0\" ?>\n" + \
- "<SecurityPolicyDefinition xmlns=\"http://www.ibm.com\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://www.ibm.com ../../security_policy.xsd \">\n" + \
- hdr_xml + \
- stes_xml + \
- chws_xml + \
- "<SecurityLabelTemplate>\n" + \
- subjlabel_xml + \
- objlabel_xml + \
- "</SecurityLabelTemplate>\n" + \
- "</SecurityPolicyDefinition>\n"
- return policyxml
-
-
-def update_hdr(hdr):
- """ Update the version information in the header """
- hdr['oldversion'] = hdr['version']
- hdr['oldname'] = hdr['name']
- vers = hdr['version']
- tmp = vers.split('.')
- if len(tmp) == 1:
- rev = 1
- else:
- rev = int(tmp[1]) + 1
- hdr['version'] = "%s.%s" % (tmp[0],rev)
- return hdr
-
-session = xapi.connect()
-
-policystate = session.xenapi.XSPolicy.get_xspolicy()
-
-if policystate['repr'] != "":
- print "%s" % policystate['repr']
- try:
- acmpol = ACMPolicy(xml=policystate['repr'])
- except Exception, e:
- FAIL("Failure from creating ACMPolicy object: %s" % str(e))
- oldname = acmpol.policy_dom_get_hdr_item("PolicyName")
- oldvers = acmpol.policy_dom_get_hdr_item("Version")
- tmp = oldvers.split(".")
- if len(tmp) == 1:
- rev = 1
- else:
- rev = int(tmp[1]) + 1
- newvers = "%s.%s" % (tmp[0], str(rev))
- print "old name/version = %s/%s" % (oldname, oldvers)
-else:
- oldname = None
- oldvers = None
- newvers = "1.0"
-
-# Initialize the header of the policy
-hdr = {}
-hdr['name'] = "xm-test"
-hdr['version'] = newvers
-
-if oldname:
- hdr['oldname'] = oldname
- if oldvers and oldvers != "":
- hdr['oldversion'] = oldvers
-
-stes = [ "SystemManagement", "red", "green", "blue" ]
-
-chws = [ "SystemManagement", "red", "green", "blue" ]
-
-bootstrap = "SystemManagement"
-
-vm_sysmgt = { 'name' : bootstrap,
- 'stes' : stes,
- 'chws' : [ "SystemManagement" ] }
-
-vm_red = { 'name' : "red" ,
- 'stes' : ["red"] ,
- 'chws' : ["red"] }
-
-vm_green = { 'name' : "green" ,
- 'stes' : ["green"] ,
- 'chws' : ["green"] }
-
-vm_blue = { 'name' : "blue" ,
- 'stes' : ["blue"] ,
- 'chws' : ["blue"] }
-
-res_red = { 'name' : "red" ,
- 'stes' : ["red"] }
-
-res_green = { 'name' : "green" ,
- 'stes' : ["green"] }
-
-res_blue = { 'name' : "blue" ,
- 'stes' : ["blue"] }
-
-cfs_1 = { 'name' : "CFS1",
- 'chws' : [ "red" , "blue" ] }
-
-vmlabels = [ vm_sysmgt, vm_red, vm_green, vm_blue ]
-vmfrommap = {}
-reslabels = [ res_red, res_green, res_blue ]
-resfrommap = {}
-cfss = [ cfs_1 ]
-
-vm_label_red = xsconstants.ACM_POLICY_ID + ":xm-test:red"
-vm_label_green = xsconstants.ACM_POLICY_ID + ":xm-test:green"
-vm_label_blue = xsconstants.ACM_POLICY_ID + ":xm-test:blue"
-
-xml = create_xml_policy(hdr, stes, chws,
- vmlabels, vmfrommap, bootstrap,
- reslabels, resfrommap,
- cfss)
-
-xml_good = xml
-
-policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
- xml,
- xsconstants.XS_INST_LOAD,
- True)
-
-print "\n\npolicystate = %s" % policystate
-
-policystate = session.xenapi.XSPolicy.get_xspolicy()
-
-#
-# Create two non-conflicting domains and start them
-#
-try:
- # XmTestAPIDomain tries to establish a connection to XenD
- domain1 = XmTestAPIDomain(extraConfig={ 'security_label' : vm_label_red })
-except Exception, e:
- SKIP("Skipping test. Error: %s" % str(e))
-
-
-vm1_uuid = domain1.get_uuid()
-
-try:
- domain1.start(noConsole=True)
-except:
- FAIL("Could not start domain1")
-
-print "Domain 1 started"
-
-try:
- # XmTestAPIDomain tries to establish a connection to XenD
- domain2 = XmTestAPIDomain(extraConfig={'security_label': vm_label_green })
-except Exception, e:
- SKIP("Skipping test. Error: %s" % str(e))
-
-vm2_uuid = domain2.get_uuid()
-
-try:
- domain2.start(noConsole=True)
-except:
- FAIL("Could not start domain1")
-
-
-print "Domain 2 started"
-
-# Try a policy that would put the two domains into conflict
-cfs_2 = { 'name' : "CFS1",
- 'chws' : [ "red" , "green" ] }
-cfss = [ cfs_2 ]
-
-hdr = update_hdr(hdr)
-xml = create_xml_policy(hdr, stes, chws,
- vmlabels, vmfrommap, bootstrap,
- reslabels, resfrommap,
- cfss)
-
-policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
- xml,
- xsconstants.XS_INST_LOAD,
- True)
-
-print "policystate %s" % policystate
-
-if int(policystate['xserr']) == 0:
- FAIL("(1) Should not have been able to set this policy.")
-
-if len(policystate['errors']) == 0:
- FAIL("Hypervisor should have reported errros.")
-
-errors = base64.b64decode(policystate['errors'])
-
-print "Length of errors: %d" % len(errors)
-a,b = struct.unpack("!ii",errors)
-
-print "%08x , %08x" % (a,b)
-
-#
-# Create a faulty policy with 'red' STE missing
-#
-
-cfss = [ cfs_1 ]
-stes = [ "SystemManagement", "green", "blue" ]
-
-xml = create_xml_policy(hdr, stes, chws,
- vmlabels, vmfrommap, bootstrap,
- reslabels, resfrommap,
- cfss)
-policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
- xml,
- xsconstants.XS_INST_LOAD,
- True)
-
-print "Result from setting faulty(!) policy with STE 'red' missing:"
-print "policystate %s" % policystate
-
-if int(policystate['xserr']) == 0:
- FAIL("(2) Should not have been able to set this policy.")
-
-#
-# Create a policy with 'red' VMLabel missing -- should not work since it is
-# in use.
-#
-stes = [ "SystemManagement", "red", "green", "blue" ]
-
-vmlabels = [ vm_sysmgt, vm_green, vm_blue ]
-
-xml = create_xml_policy(hdr, stes, chws,
- vmlabels, vmfrommap, bootstrap,
- reslabels, resfrommap,
- cfss)
-policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
- xml,
- xsconstants.XS_INST_LOAD,
- True)
-print "Result from setting faulty(!) policy with VMlabel 'red' missing:"
-print "policystate %s" % policystate
-
-if int(policystate['xserr']) == 0:
- FAIL("(3) Should not have been able to set this policy.")
-
-#
-# Create a policy with 'blue' VMLabel missing -- should work since it is NOT
-# in use.
-#
-vmlabels = [ vm_sysmgt, vm_red, vm_green ]
-
-xml = create_xml_policy(hdr, stes, chws,
- vmlabels, vmfrommap, bootstrap,
- reslabels, resfrommap,
- cfss)
-policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
- xml,
- xsconstants.XS_INST_LOAD,
- True)
-
-print "Result from setting (good) policy with VMlabel 'blue' missing:"
-print "policystate %s" % policystate
-
-if int(policystate['xserr']) != 0:
- FAIL("(4) Should have been able to set this policy: %s" % xml)
-
-#
-# Move the green VMLabel towards blue which should put the running
-# domain with label blue into a conflict set
-#
-vmlabels = [ vm_sysmgt, vm_red, vm_blue ]
-
-vmfrommap = { "blue" : "green" } # new : old
-
-hdr = update_hdr(hdr) #Needed, since last update was successful
-xml = create_xml_policy(hdr, stes, chws,
- vmlabels, vmfrommap, bootstrap,
- reslabels, resfrommap,
- cfss)
-
-policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
- xml,
- xsconstants.XS_INST_LOAD,
- True)
-
-print "policystate %s" % policystate
-
-if int(policystate['xserr']) == 0:
- FAIL("(5) Should not have been able to set this policy.")
-
-#
-# Try to install a policy where a VM label has a faulty VM label name
-#
-vmfrommap = {}
-
-vm_blue_bad = { 'name' : "blue:x" , # ':' no allowed
- 'stes' : ["blue"],
- 'chws' : ["blue"] }
-
-vmlabels = [ vm_sysmgt, vm_red, vm_green, vm_blue_bad ]
-
-xml = create_xml_policy(hdr, stes, chws,
- vmlabels, vmfrommap, bootstrap,
- reslabels, resfrommap,
- cfss)
-
-policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
- xml,
- xsconstants.XS_INST_LOAD,
- True)
-
-print "policystate %s" % policystate
-
-if int(policystate['xserr']) == 0:
- FAIL("(6) Should not have been able to set this policy.")
-
-#
-# End the test by installing the initial policy again
-#
-
-cur_version = hdr['version']
-(maj, min) = cur_version.split(".")
-cur_version = "%s.%s" % (maj, str(int(min)-1) )
-
-orig_acmpol = ACMPolicy(xml=xml_good)
-orig_acmpol.set_frompolicy_version(cur_version)
-orig_acmpol.set_policy_version(hdr['version'])
-
-policystate = session.xenapi.XSPolicy.set_xspolicy(xsconstants.XS_POLICY_ACM,
- orig_acmpol.toxml(),
- xsconstants.XS_INST_LOAD,
- True)
-
-if int(policystate['xserr']) != 0:
- FAIL("(END) Should have been able to set this policy.")
-
-domain1.stop()
-domain2.stop()
-domain1.destroy()
-domain2.destroy()
diff --git a/tools/xm-test/tests/security-acm/10_security-acm_pol_update.py b/tools/xm-test/tests/security-acm/10_security-acm_pol_update.py
deleted file mode 100644
index b60a62eae2..0000000000
--- a/tools/xm-test/tests/security-acm/10_security-acm_pol_update.py
+++ /dev/null
@@ -1,354 +0,0 @@
-#!/usr/bin/python
-
-# Copyright (C) International Business Machines Corp., 2006
-# Author: Stefan Berger <stefanb@us.ibm.com>
-#
-
-import os
-import re
-import commands
-from XmTestLib import *
-import xen.util.xsm.xsm as security
-from xen.util import xsconstants
-
-def checkLabel(labeldata, expected, domname):
- if labeldata[0] != expected[0]:
- FAIL("Policy type of %s is bad: %s" % (domname, labeldata[0]))
- if labeldata[1] != expected[1]:
- FAIL("Unexpected policy indicated in %s label '%s', expected '%s'." %
- (domname, labeldata[1], expected[1]))
- if labeldata[2] != expected[2]:
- FAIL("%s does not have '%s' label but '%s'." %
- (domname, expected[2], labeldata[2]))
-
-if not isACMEnabled():
- SKIP("Not running this test since ACM not enabled.")
-
-testpolicy = "xm-test"
-testlabel1 = "blue"
-testlabel2 = "red"
-testlabel3 = "green"
-
-# reset the policy - must work
-s, o = traceCommand('xm resetpolicy')
-if s:
- FAIL("Could not reset the policy.")
-
-
-s, o = traceCommand('xm resources | grep -E "^[phy|file|vlan]" ')
-resnames = []
-if o:
- resnames = o.split('\n')
-
- for res in resnames:
- s, o = traceCommand('xm rmlabel res %s' % res)
-
-#Unlabeled domain must not start under xm-test policy
-domain_ul = XmTestDomain(name='domain-unlabeled',
- extraConfig=None)
-del domain_ul.config.opts['access_control']
-try:
- domain_ul.start(noConsole=True)
- FAIL("Could start unlabeled domain.")
-except DomainError, e:
- domain_ul.destroy() # delete if xend-managed domain
-
-
-config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel1)}
-
-domain_blue = XmTestDomain(name='domain-%s' % testlabel1,
- extraConfig=config)
-
-config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel3)}
-
-domain_green = XmTestDomain(name='domain-%s' % testlabel3,
- extraConfig=config)
-
-
-try:
- domain_blue.start(noConsole=True)
-except DomainError, e:
- if verbose:
- print e.extra
- FAIL("Unable to start blue labeled test domain")
-
-s, o = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
-if s:
- FAIL("Could not get the label of Domain-0")
-
-info = o.strip().split(' ')
-labeldata = info[-1].split(':')
-if len(labeldata) != 3:
- FAIL("Label of Domain-0 is bad: '%s'" % info[-1])
-checkLabel(labeldata,
- [xsconstants.ACM_POLICY_ID, "xm-test", "SystemManagement"],
- "Domain-0")
-
-# Should be able to set the Domain-0 label to blue
-s, o = traceCommand('xm addlabel blue mgt Domain-0')
-if s:
- FAIL("Could not set the label of Domain-0 to 'blue'.")
-s,o = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
-if s:
- FAIL("Could not get the label of Domain-0")
-
-info = o.strip().split()
-labeldata = info[-1].split(':')
-if len(labeldata) != 3:
- FAIL("Label of Domain-0 is bad: '%s'" % info[-1])
-checkLabel(labeldata,
- [xsconstants.ACM_POLICY_ID, "xm-test", "blue"],
- "Domain-0")
-
-#Should not be able to set the label of Domain-0 to 'red'
-s, o = traceCommand('xm addlabel red mgt Domain-0')
-if not s:
- FAIL("Could set the label of Domain-0 to 'red'.")
-s,o = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
-if s:
- FAIL("Could not get the label of Domain-0")
-
-info = o.strip().split()
-labeldata = info[-1].split(':')
-if len(labeldata) != 3:
- FAIL("Label of Domain-0 is bad: '%s'" % info[-1])
-checkLabel(labeldata,
- [xsconstants.ACM_POLICY_ID, "xm-test", "blue"],
- "Domain-0")
-
-# Should be able to set the label of Domain-0 to 'SystemManagement'
-s, o = traceCommand('xm addlabel SystemManagement mgt Domain-0')
-if s:
- FAIL("Could not set the label of Domain-0 to 'SystemManagement'.")
-s,o = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
-if s:
- FAIL("Could not get the label of Domain-0")
-
-info = o.strip().split()
-labeldata = info[-1].split(':')
-if len(labeldata) != 3:
- FAIL("Label of Domain-0 is bad: '%s'" % info[-1])
-checkLabel(labeldata,
- [xsconstants.ACM_POLICY_ID, "xm-test", "SystemManagement"],
- "Domain-0")
-
-#Label some resource green
-#Label some resource red
-#Label some resource blue
-
-s, o = traceCommand('xm addlabel green res file:/tmp/green')
-if s:
- FAIL("Could not label resource 'green'.")
-s, o = traceCommand('xm addlabel red res file:/tmp/red')
-if s:
- FAIL("Could not label resource 'red'.")
-s, o = traceCommand('xm addlabel blue res file:/tmp/blue')
-if s:
- FAIL("Could not label resrouce 'blue'")
-
-# Start a green domain
-try:
- domain_green.start(noConsole=True)
-except DomainError, e:
- if verbose:
- print e.extra
- FAIL("Unable to start green labeled test domain")
-
-# Update the system's policy. Should not work, since blue Domain is running
-s, o = traceCommand('xm setpolicy ACM xm-test-update')
-if not s:
- FAIL("Could set the new policy even though blue domain is running.")
-
-s, o = traceCommand('xm getpolicy | grep "Policy name"')
-info = o.split(':')
-poldata = [i.strip() for i in info]
-
-if poldata[1] != 'xm-test':
- FAIL("Policy should be 'xm-test' but is now '%s'." % poldata[1])
-
-# Check that no labels have changed
-s, o = traceCommand('xm getlabel res file:/tmp/green')
-if s:
- FAIL("Could not get label for green resource.")
-label=o.strip()
-if label != 'ACM:xm-test:green':
- FAIL("Label for green resource has changed to '%s', but should not have,"
- % label)
-
-s, o = traceCommand('xm getlabel res file:/tmp/red')
-if s:
- FAIL("Could not get label for red resource.")
-label=o.strip()
-if label != 'ACM:xm-test:red':
- FAIL("Label for red resource has changed to '%s', but should not have,"
- % label)
-
-s, o = traceCommand('xm getlabel res file:/tmp/blue')
-if s:
- FAIL("Could not get label for blue resource.")
-label=o.strip()
-if label != 'ACM:xm-test:blue':
- FAIL("Label for blue resource has changed to '%s', but should not have,"
- % label)
-
-# Terminate blue domain
-domain_blue.destroy()
-
-# Update the system's policy. Should work and rename the green domain to GREEN
-s, o = traceCommand('xm setpolicy ACM xm-test-update')
-if s:
- FAIL("Could not set the new policy.")
-
-acm.setCurrentPolicy('xm-test-update')
-
-s, o = traceCommand('xm getpolicy | grep "Policy name"')
-info = o.split(':')
-poldata = [i.strip() for i in info]
-
-if poldata[1] != 'xm-test-update':
- FAIL("Policy should be 'xm-test-update' but is now '%s'." % poldata[1])
-
-# check previously labeled resources
-# - green should be GREEN now
-# - blue should have been invalidated
-# - red should be the same
-s, o = traceCommand('xm getlabel res file:/tmp/green')
-if s:
- FAIL("Could not get label for GREEN resource.")
-label=o.strip()
-if label != 'ACM:xm-test-update:GREEN':
- FAIL("Label for green resource has changed to '%s', but should not have,"
- % label)
-
-s, o = traceCommand('xm getlabel res file:/tmp/red')
-if s:
- FAIL("Could not get label for RED resource.")
-label=o.strip()
-if label != 'ACM:xm-test-update:RED':
- FAIL("Label for RED resource has changed to '%s', expected is '%s',"
- % (label,'ACM:xm-test-update:RED'))
-
-s, o = traceCommand('xm getlabel res file:/tmp/blue')
-if s:
- FAIL("Could not get label for blue resource.")
-label=o.strip()
-if label != 'INV_ACM:xm-test:blue':
- FAIL("Label for blue resource has changed to '%s', expected is '%s',"
- % (label,'INV_ACM:xm-test:blue'))
-
-config = {"access_control":"policy=%s,label=%s" % ('xm-test-update',testlabel2)}
-
-domain_red = XmTestDomain(name='domain-%s' % testlabel2,
- extraConfig=config)
-
-# Start the red domain - should not work due to conflict set
-try:
- domain_red.start(noConsole=True)
- FAIL("Could start 'red' domain.")
-except DomainError, e:
- domain_red.destroy() # delete if xend-managed domain
-
-# Terminate GREEN domain
-domain_green.destroy()
-
-# Start the red domain - should work now
-try:
- domain_red.start()
-except DomainError, e:
- FAIL("Could not start 'red' domain.")
-
-# Stop the red domain.
-domain_red.destroy()
-
-# Make Domain-0 GREEN
-s, o = traceCommand('xm addlabel GREEN mgt Domain-0')
-if s:
- FAIL("Could not set Domain-0's label to 'GREEN'.")
-s,o = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
-if s:
- FAIL("Could not get the label of Domain-0")
-
-info = o.strip().split()
-labeldata = info[-1].split(':')
-if len(labeldata) != 3:
- FAIL("Label of Domain-0 is bad: '%s'" % info[-1])
-checkLabel(labeldata,
- [xsconstants.ACM_POLICY_ID, "xm-test-update", "GREEN"],
- "Domain-0")
-
-# Start the red domain - should not work due to conflict set
-try:
- domain_red.start()
- FAIL("Could start 'red' domain.")
-except DomainError, e:
- pass
-
-# Set Domain-0's domain to SystemManagement
-s, o = traceCommand('xm addlabel SystemManagement mgt Domain-0')
-if s:
- FAIL("Could not set Domain-0's label to SystemManagement.")
-
-# Start unlabeled domain - should work
-try:
- domain_ul.start(noConsole=True)
-except DomainError, e:
- FAIL("Could not start unlabeled domain.")
-
-# Stop red domain
-domain_red.destroy()
-
-# Stop unlabeled domain
-domain_ul.destroy()
-
-
-# Mark Domain-0 as red. This must not have any effect on the later reset
-s, o = traceCommand('xm addlabel red mgt Domain-0')
-if s:
- FAIL("Could not set Domain-0's label to 'red'.")
-s,o = traceCommand('xm list Domain-0 --label | grep -E "Domain-0"')
-if s:
- FAIL("Could not get the label of Domain-0")
-
-info = o.strip().split()
-labeldata = info[-1].split(':')
-if len(labeldata) != 3:
- FAIL("Label of Domain-0 is bad: '%s'" % info[-1])
-checkLabel(labeldata,
- [xsconstants.ACM_POLICY_ID, "xm-test-update", "red"],
- "Domain-0")
-
-# reset the policy - should work
-s, o = traceCommand('xm resetpolicy')
-if s:
- FAIL("Could not reset the policy.")
-
-# check previously labeled resources
-# - GREEN should be invalid
-# - red should be invalid
-# - blue should be invalid
-s, o = traceCommand('xm getlabel res file:/tmp/green')
-if s:
- FAIL("Could not get label for GREEN resource.")
-label=o.strip()
-exp='INV_ACM:xm-test-update:GREEN'
-if label != exp:
- FAIL("Label for green resource has changed to '%s', but should be '%s',"
- % (label, exp))
-
-s, o = traceCommand('xm getlabel res file:/tmp/red')
-if s:
- FAIL("Could not get label for RED resource.")
-label=o.strip()
-exp='INV_ACM:xm-test-update:RED'
-if label != exp:
- FAIL("Label for RED resource has changed to '%s', but should be '%s'.,"
- % (label, exp))
-
-s, o = traceCommand('xm getlabel res file:/tmp/blue')
-if s:
- FAIL("Could not get label for blue resource.")
-label=o.strip()
-exp='INV_ACM:xm-test:blue'
-if label != exp:
- FAIL("Label for blue resource has changed to '%s', but should be '%s',"
- % (label, exp))
diff --git a/tools/xm-test/tests/security-acm/Makefile.am b/tools/xm-test/tests/security-acm/Makefile.am
deleted file mode 100644
index 9bbb856a1b..0000000000
--- a/tools/xm-test/tests/security-acm/Makefile.am
+++ /dev/null
@@ -1,33 +0,0 @@
-SUBDIRS =
-
-TESTS = 01_security-acm_basic.test \
- 02_security-acm_dom_start.test \
- 03_security-acm_dom_conflict.test \
- 04_security-acm_dom_res.test \
- 05_security-acm_dom_res_conf.test \
- 06_security-acm_dom_block_attach.test \
- 07_security-acm_pol_update.test \
- 08_security-acm_xapi.test \
- 09_security-acm_pol_update.test \
- 10_security-acm_pol_update.test
-
-XFAIL_TESTS =
-
-EXTRA_DIST = $(TESTS) $(XFAIL_TESTS) acm_utils.py
-TESTS_ENVIRONMENT=@TENV@
-
-%.test: %.py
- cp $< $@
- chmod +x $@
- @if [ -d /etc/xen/acm-security/policies ]; then \
- cp -f xm-test-security_policy.xml \
- xm-test-update-security_policy.xml\
- /etc/xen/acm-security/policies; \
- fi;
-
-clean-local: am_config_clean-local
-
-am_config_clean-local:
- rm -f *test
- rm -f *log
- rm -f *~
diff --git a/tools/xm-test/tests/security-acm/acm_utils.py b/tools/xm-test/tests/security-acm/acm_utils.py
deleted file mode 100644
index 457aa840b3..0000000000
--- a/tools/xm-test/tests/security-acm/acm_utils.py
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/python
-
-# Copyright (C) International Business Machines Corp., 2006
-# Author: Stefan Berger <stefanb@us.ibm.com>
-
-from XmTestLib import *
-from XmTestLib.acm import *
-
-testpolicy = "xm-test"
-vmconfigfile = "/tmp/xm-test.conf"
-
-if not isACMEnabled():
- SKIP("Not running this test since ACM not enabled.")
-
-setCurrentPolicy(testpolicy)
-ACMSetPolicy()
diff --git a/tools/xm-test/tests/security-acm/xm-test-new-security_policy.xml b/tools/xm-test/tests/security-acm/xm-test-new-security_policy.xml
deleted file mode 100644
index abc49e1ef5..0000000000
--- a/tools/xm-test/tests/security-acm/xm-test-new-security_policy.xml
+++ /dev/null
@@ -1,97 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Auto-generated by ezPolicy -->
-<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
- <PolicyHeader>
- <PolicyName>xm-test</PolicyName>
- <Date>Fri Sep 29 14:44:38 2006</Date>
- <Version>1.1</Version>
- <FromPolicy>
- <PolicyName>xm-test</PolicyName>
- <Version>1.0</Version>
- </FromPolicy>
- </PolicyHeader>
-
- <SimpleTypeEnforcement>
- <SimpleTypeEnforcementTypes>
- <Type>SystemManagement</Type>
- <Type>green</Type>
- <Type>red</Type>
- </SimpleTypeEnforcementTypes>
- </SimpleTypeEnforcement>
-
- <ChineseWall priority="PrimaryPolicyComponent">
- <ChineseWallTypes>
- <Type>SystemManagement</Type>
- <Type>green</Type>
- <Type>red</Type>
- </ChineseWallTypes>
-
- <ConflictSets>
- <Conflict name="RER">
- <Type>green</Type>
- <Type>red</Type>
- </Conflict>
- </ConflictSets>
- </ChineseWall>
-
- <SecurityLabelTemplate>
- <SubjectLabels bootstrap="SystemManagement">
- <VirtualMachineLabel>
- <Name>SystemManagement</Name>
- <SimpleTypeEnforcementTypes>
- <Type>SystemManagement</Type>
- <Type>green</Type>
- <Type>red</Type>
- </SimpleTypeEnforcementTypes>
- <ChineseWallTypes>
- <Type>SystemManagement</Type>
- </ChineseWallTypes>
- </VirtualMachineLabel>
-
- <VirtualMachineLabel>
- <Name>green</Name>
- <SimpleTypeEnforcementTypes>
- <Type>green</Type>
- </SimpleTypeEnforcementTypes>
- <ChineseWallTypes>
- <Type>green</Type>
- </ChineseWallTypes>
- </VirtualMachineLabel>
-
- <VirtualMachineLabel>
- <Name>red</Name>
- <SimpleTypeEnforcementTypes>
- <Type>red</Type>
- </SimpleTypeEnforcementTypes>
- <ChineseWallTypes>
- <Type>red</Type>
- </ChineseWallTypes>
- </VirtualMachineLabel>
-
- </SubjectLabels>
-
- <ObjectLabels>
- <ResourceLabel>
- <Name>SystemManagement</Name>
- <SimpleTypeEnforcementTypes>
- <Type>SystemManagement</Type>
- </SimpleTypeEnforcementTypes>
- </ResourceLabel>
-
- <ResourceLabel>
- <Name>green</Name>
- <SimpleTypeEnforcementTypes>
- <Type>green</Type>
- </SimpleTypeEnforcementTypes>
- </ResourceLabel>
-
- <ResourceLabel>
- <Name>red</Name>
- <SimpleTypeEnforcementTypes>
- <Type>red</Type>
- </SimpleTypeEnforcementTypes>
- </ResourceLabel>
-
- </ObjectLabels>
- </SecurityLabelTemplate>
-</SecurityPolicyDefinition>
diff --git a/tools/xm-test/tests/security-acm/xm-test-security_policy.xml b/tools/xm-test/tests/security-acm/xm-test-security_policy.xml
deleted file mode 100644
index 9c84a83626..0000000000
--- a/tools/xm-test/tests/security-acm/xm-test-security_policy.xml
+++ /dev/null
@@ -1,111 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Auto-generated by ezPolicy -->
-<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
- <PolicyHeader>
- <PolicyName>xm-test</PolicyName>
- <Date>Fri Sep 29 14:44:38 2006</Date>
- <Version>1.0</Version>
- </PolicyHeader>
-
- <SimpleTypeEnforcement>
- <SimpleTypeEnforcementTypes>
- <Type>SystemManagement</Type>
- <Type>green</Type>
- <Type>red</Type>
- <Type>blue</Type>
- </SimpleTypeEnforcementTypes>
- </SimpleTypeEnforcement>
-
- <ChineseWall priority="PrimaryPolicyComponent">
- <ChineseWallTypes>
- <Type>SystemManagement</Type>
- <Type>green</Type>
- <Type>red</Type>
- <Type>blue</Type>
- </ChineseWallTypes>
-
- <ConflictSets>
- <Conflict name="RER">
- <Type>blue</Type>
- <Type>red</Type>
- </Conflict>
- </ConflictSets>
- </ChineseWall>
-
- <SecurityLabelTemplate>
- <SubjectLabels bootstrap="SystemManagement">
- <VirtualMachineLabel>
- <Name>SystemManagement</Name>
- <SimpleTypeEnforcementTypes>
- <Type>SystemManagement</Type>
- <Type>green</Type>
- <Type>red</Type>
- <Type>blue</Type>
- </SimpleTypeEnforcementTypes>
- <ChineseWallTypes>
- <Type>SystemManagement</Type>
- </ChineseWallTypes>
- </VirtualMachineLabel>
-
- <VirtualMachineLabel>
- <Name>green</Name>
- <SimpleTypeEnforcementTypes>
- <Type>green</Type>
- </SimpleTypeEnforcementTypes>
- <ChineseWallTypes>
- <Type>green</Type>
- </ChineseWallTypes>
- </VirtualMachineLabel>
-
- <VirtualMachineLabel>
- <Name>red</Name>
- <SimpleTypeEnforcementTypes>
- <Type>red</Type>
- </SimpleTypeEnforcementTypes>
- <ChineseWallTypes>
- <Type>red</Type>
- </ChineseWallTypes>
- </VirtualMachineLabel>
-
- <VirtualMachineLabel>
- <Name>blue</Name>
- <SimpleTypeEnforcementTypes>
- <Type>blue</Type>
- </SimpleTypeEnforcementTypes>
- <ChineseWallTypes>
- <Type>blue</Type>
- </ChineseWallTypes>
- </VirtualMachineLabel>
- </SubjectLabels>
-
- <ObjectLabels>
- <ResourceLabel>
- <Name>SystemManagement</Name>
- <SimpleTypeEnforcementTypes>
- <Type>SystemManagement</Type>
- </SimpleTypeEnforcementTypes>
- </ResourceLabel>
-
- <ResourceLabel>
- <Name>green</Name>
- <SimpleTypeEnforcementTypes>
- <Type>green</Type>
- </SimpleTypeEnforcementTypes>
- </ResourceLabel>
-
- <ResourceLabel>
- <Name>red</Name>
- <SimpleTypeEnforcementTypes>
- <Type>red</Type>
- </SimpleTypeEnforcementTypes>
- </ResourceLabel>
-
- <ResourceLabel>
- <Name>blue</Name>
- <SimpleTypeEnforcementTypes>
- <Type>blue</Type>
- </SimpleTypeEnforcementTypes>
- </ResourceLabel>
- </ObjectLabels>
- </SecurityLabelTemplate>
-</SecurityPolicyDefinition>
diff --git a/tools/xm-test/tests/security-acm/xm-test-update-security_policy.xml b/tools/xm-test/tests/security-acm/xm-test-update-security_policy.xml
deleted file mode 100644
index 8c026c9da2..0000000000
--- a/tools/xm-test/tests/security-acm/xm-test-update-security_policy.xml
+++ /dev/null
@@ -1,117 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Auto-generated by ezPolicy -->
-<SecurityPolicyDefinition xmlns="http://www.ibm.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.ibm.com ../../security_policy.xsd ">
- <PolicyHeader>
- <PolicyName>xm-test-update</PolicyName>
- <Date>Fri Sep 29 14:44:38 2006</Date>
- <Version>1.1</Version>
- <FromPolicy>
- <PolicyName>xm-test</PolicyName>
- <Version>1.0</Version>
- </FromPolicy>
- </PolicyHeader>
-
- <SimpleTypeEnforcement>
- <SimpleTypeEnforcementTypes>
- <Type>SystemManagement</Type>
- <Type>GREEN</Type>
- <Type>red</Type>
- <Type>__UNLABELED__</Type>
- </SimpleTypeEnforcementTypes>
- </SimpleTypeEnforcement>
-
- <ChineseWall priority="PrimaryPolicyComponent">
- <ChineseWallTypes>
- <Type>SystemManagement</Type>
- <Type>GREEN</Type>
- <Type>red</Type>
- <Type>__UNLABELED__</Type>
- </ChineseWallTypes>
-
- <ConflictSets>
- <Conflict name="RER">
- <Type>GREEN</Type>
- <Type>red</Type>
- </Conflict>
- </ConflictSets>
- </ChineseWall>
-
- <SecurityLabelTemplate>
- <SubjectLabels bootstrap="SystemManagement">
- <VirtualMachineLabel>
- <Name>SystemManagement</Name>
- <SimpleTypeEnforcementTypes>
- <Type>SystemManagement</Type>
- <Type>GREEN</Type>
- <Type>red</Type>
- <Type>__UNLABELED__</Type>
- </SimpleTypeEnforcementTypes>
- <ChineseWallTypes>
- <Type>SystemManagement</Type>
- </ChineseWallTypes>
- </VirtualMachineLabel>
-
- <VirtualMachineLabel>
- <Name from="green">GREEN</Name>
- <SimpleTypeEnforcementTypes>
- <Type>GREEN</Type>
- </SimpleTypeEnforcementTypes>
- <ChineseWallTypes>
- <Type>GREEN</Type>
- </ChineseWallTypes>
- </VirtualMachineLabel>
-
- <VirtualMachineLabel>
- <Name>red</Name>
- <SimpleTypeEnforcementTypes>
- <Type>red</Type>
- </SimpleTypeEnforcementTypes>
- <ChineseWallTypes>
- <Type>red</Type>
- </ChineseWallTypes>
- </VirtualMachineLabel>
-
- <VirtualMachineLabel>
- <Name>__UNLABELED__</Name>
- <SimpleTypeEnforcementTypes>
- <Type>__UNLABELED__</Type>
- </SimpleTypeEnforcementTypes>
- <ChineseWallTypes>
- <Type>__UNLABELED__</Type>
- </ChineseWallTypes>
- </VirtualMachineLabel>
-
- </SubjectLabels>
-
- <ObjectLabels>
- <ResourceLabel>
- <Name>SystemManagement</Name>
- <SimpleTypeEnforcementTypes>
- <Type>SystemManagement</Type>
- </SimpleTypeEnforcementTypes>
- </ResourceLabel>
-
- <ResourceLabel>
- <Name from="green">GREEN</Name>
- <SimpleTypeEnforcementTypes>
- <Type>GREEN</Type>
- </SimpleTypeEnforcementTypes>
- </ResourceLabel>
-
- <ResourceLabel>
- <Name from="red">RED</Name>
- <SimpleTypeEnforcementTypes>
- <Type>red</Type>
- </SimpleTypeEnforcementTypes>
- </ResourceLabel>
-
- <ResourceLabel>
- <Name>__UNLABELED__</Name>
- <SimpleTypeEnforcementTypes>
- <Type>__UNLABELED__</Type>
- </SimpleTypeEnforcementTypes>
- </ResourceLabel>
-
- </ObjectLabels>
- </SecurityLabelTemplate>
-</SecurityPolicyDefinition>