--- tools/python/xen/util/security.py | 22 ++++++++++++++++++++++ tools/python/xen/xm/addlabel.py | 9 ++------- tools/python/xen/xm/getlabel.py | 3 +++ tools/python/xen/xm/rmlabel.py | 3 +++ 4 files changed, 30 insertions(+), 7 deletions(-) Index: xen-unstable.hg-shype/tools/python/xen/util/security.py =================================================================== --- xen-unstable.hg-shype.orig/tools/python/xen/util/security.py +++ xen-unstable.hg-shype/tools/python/xen/util/security.py @@ -596,12 +596,34 @@ def get_res_security_details(resource): return (label, ssidref, policy) +def unify_resname(resource): + """Makes all resource locations absolute. In case of physical + resources, '/dev/' is added to local file names""" + + # sanity check on resource name + (type, resfile) = resource.split(":") + if type == "phy": + if not resfile.startswith("/"): + resfile = "/dev/" + resfile + + #file: resources must specified with absolute path + if (not resfile.startswith("/")) or (not os.path.exists(resfile)): + err("Invalid resource.") + + # from here on absolute file names with resources + resource = type + ":" + resfile + return resource + + def res_security_check(resource, domain_label): """Checks if the given resource can be used by the given domain label. Returns 1 if the resource can be used, otherwise 0. """ rtnval = 1 + #build canonical resource name + resource = unify_resname(resource) + # if security is on, ask the hypervisor for a decision if on(): (label, ssidref, policy) = get_res_security_details(resource) Index: xen-unstable.hg-shype/tools/python/xen/xm/addlabel.py =================================================================== --- xen-unstable.hg-shype.orig/tools/python/xen/xm/addlabel.py +++ xen-unstable.hg-shype/tools/python/xen/xm/addlabel.py 
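Review bot: In `unify_resname`, `resource.split(":")` raises an unhandled ValueError for a name with no colon or with more than one, and the result is not fully canonical: a path containing `..`, `.` or doubled slashes passes the `startswith("/")` test but yields a different string than the plain path. Since `res_security_check` now passes this string to `get_res_security_details`, an alias of a labelled resource may be looked up under a different name than the one it was labelled with; how an unlabelled name is treated is outside this hunk. I would split with `split(":", 1)`, report a malformed name through `err`, and normalise the path before the existence check, as sketched below. Whether symlinks should also be resolved is worth deciding explicitly. The sketch assumes `err()` raises, which the fall-through after `err("Invalid resource.")` already relies on, and that `os` is imported in security.py, which the hunk does not show.

```python
def unify_resname(resource):
    # … unchanged: docstring …
    try:
        (type, resfile) = resource.split(":", 1)
    except ValueError:
        err("Invalid resource.")
    # … unchanged: "/dev/" prefix for relative phy: names …
    # collapse "//", "." and ".." so a resource has a single label key
    resfile = os.path.normpath(resfile)
    # … unchanged: absolute-path and existence check, rebuilding of resource …
```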
@@ -72,13 +72,8 @@ def add_resource_label(label, resource, # sanity check: make sure this label can be instantiated later on ssidref = security.label2ssidref(label, policyref, 'res') - # sanity check on resource name - (type, file) = resource.split(":") - if type == "phy": - file = "/dev/" + file - if not os.path.exists(file): - print "Invalid resource '"+resource+"'" - return + #build canonical resource name + resource = security.unify_resname(resource) # see if this resource is already in the file access_control = {} Index: xen-unstable.hg-shype/tools/python/xen/xm/getlabel.py =================================================================== --- xen-unstable.hg-shype.orig/tools/python/xen/xm/getlabel.py +++ xen-unstable.hg-shype/tools/python/xen/xm/getlabel.py @@ -33,6 +33,9 @@ def help(): def get_resource_label(resource): """Gets the resource label """ + #build canonical resource name + resource = security.unify_resname(resource) + # read in the resource file file = security.res_label_filename try: Index: xen-unstable.hg-shype/tools/python/xen/xm/rmlabel.py =================================================================== --- xen-unstable.hg-shype.orig/tools/python/xen/xm/rmlabel.py +++ xen-unstable.hg-shype/tools/python/xen/xm/rmlabel.py @@ -37,6 +37,9 @@ def help(): def rm_resource_label(resource): """Removes a resource label from the global resource label file. """ + #build canonical resource name + resource = security.unify_resname(resource) + # read in the resource file file = security.res_label_filename try:
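Review bot: Labels written before this change were stored under the name the user typed, because the removed check in `add_resource_label` only rewrote the local `file` and left `resource` untouched. If the label file is keyed by the resource string, as the "see if this resource is already in the file" comment suggests, an older entry such as `phy:sda1` (constructed example) will no longer match the `phy:/dev/sda1` key that add, get, rm and `res_security_check` now compute. Old entries need a one-time rewrite, or the readers should canonicalise keys as they load the file; at minimum I would add a comment here such as `# NOTE: entries written by older versions may hold non-canonical names`. The new failure path also drops the resource name that the old `Invalid resource '...'` message printed. `add_resource_label` continues outside the hunk.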
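Review bot: Calling `security.unify_resname` at the top of `get_resource_label` makes the lookup fail with "Invalid resource." whenever the file or device no longer exists, because the helper tests `os.path.exists`. The same applies to `rm_resource_label` in the rmlabel.py hunk, where it means a stale label for a deleted image or removed device can no longer be cleaned up. For these two read/remove paths I would canonicalise the name without the existence test, for example through a new optional parameter on the helper (hypothetical name), `resource = security.unify_resname(resource, mustexist=False)`. Both function bodies continue outside their hunks.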