1 files changed, 38 insertions, 0 deletions

diff --git a/tools/xm-test/tests/security-acm/05_security-acm_dom_res_conf.py b/tools/xm-test/tests/security-acm/05_security-acm_dom_res_conf.py
new file mode 100644
index 0000000000..89c6b5974c
--- /dev/null
+++ b/tools/xm-test/tests/security-acm/05_security-acm_dom_res_conf.py
@@ -0,0 +1,38 @@
+#!/usr/bin/python
+
+# Copyright (C) International Business Machines Corp., 2006
+# Author: Stefan Berger <stefanb@us.ibm.com>
+#
+# A test that tries to start a domain using a resource that it is
+# not supposed to be able to use due to its labeling
+
+from XmTestLib import *
+from acm_utils import *
+import commands
+import os
+
+testlabel1 = "blue"
+resource1  = "phy:ram0"
+
+config = {"access_control":"policy=%s,label=%s" % (testpolicy,testlabel1),
+          "disk"          :"%s,hda1,w" % (resource1)}
+
+domain1 = XmTestDomain(name="domain-%s" % testlabel1,
+                       extraConfig=config)
+
+ACMLabelResource(resource1,"red")
+
+try:
+    domain1.start(noConsole=True)
+    # Should never get here
+    FAIL("Could start domain with resource that it is not supposed to access.")
+except DomainError, e:
+    #That's exactly what we want to have in this case
+    dummy = 0
+
+# Verify via dry-run
+status, output = traceCommand("xm dry-run /tmp/xm-test.conf | "
+                              "grep -v \"Dry Run\"")
+if not re.search("%s: DENIED" %resource1, output):
+    FAIL("'xm dry-run' did not show expected result that operation was NOT "
+         "permitted: \n%s" % output)