[apparmor] [PATCH 07/14] add support for rule prefixes to change_profile rules

John Johansen john.johansen at canonical.com
Thu Jun 4 10:56:36 UTC 2015


Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/parser_regex.c                              | 16 ++++-
 parser/parser_yacc.y                               | 18 ++++--
 .../tst/simple_tests/change_profile/a_bare_ok_1.sd |  7 +++
 parser/tst/simple_tests/change_profile/a_ok_1.sd   |  7 +++
 parser/tst/simple_tests/change_profile/a_ok_2.sd   |  7 +++
 parser/tst/simple_tests/change_profile/a_ok_3.sd   |  7 +++
 parser/tst/simple_tests/change_profile/a_ok_4.sd   | 10 ++++
 parser/tst/simple_tests/change_profile/a_ok_5.sd   | 10 ++++
 parser/tst/simple_tests/change_profile/a_ok_6.sd   | 11 ++++
 parser/tst/simple_tests/change_profile/a_ok_7.sd   | 11 ++++
 parser/tst/simple_tests/change_profile/a_ok_8.sd   | 11 ++++
 .../tst/simple_tests/change_profile/a_re_ok_1.sd   | 24 ++++++++
 .../tst/simple_tests/change_profile/a_re_ok_2.sd   | 69 ++++++++++++++++++++++
 .../tst/simple_tests/change_profile/a_re_ok_3.sd   | 67 +++++++++++++++++++++
 .../tst/simple_tests/change_profile/a_re_ok_4.sd   | 51 ++++++++++++++++
 .../tst/simple_tests/change_profile/a_re_ok_5.sd   | 25 ++++++++
 .../tst/simple_tests/change_profile/a_re_ok_6.sd   | 65 ++++++++++++++++++++
 .../tst/simple_tests/change_profile/a_re_ok_7.sd   | 65 ++++++++++++++++++++
 .../tst/simple_tests/change_profile/a_re_ok_8.sd   | 45 ++++++++++++++
 parser/tst/simple_tests/change_profile/aa_ok_1.sd  |  7 +++
 parser/tst/simple_tests/change_profile/aa_ok_2.sd  |  7 +++
 parser/tst/simple_tests/change_profile/aa_ok_3.sd  |  7 +++
 parser/tst/simple_tests/change_profile/aa_ok_4.sd  | 10 ++++
 parser/tst/simple_tests/change_profile/aa_ok_5.sd  | 10 ++++
 parser/tst/simple_tests/change_profile/aa_ok_6.sd  | 11 ++++
 parser/tst/simple_tests/change_profile/aa_ok_7.sd  | 11 ++++
 parser/tst/simple_tests/change_profile/aa_ok_8.sd  | 11 ++++
 .../tst/simple_tests/change_profile/aa_re_ok_1.sd  | 24 ++++++++
 .../tst/simple_tests/change_profile/aa_re_ok_2.sd  | 69 ++++++++++++++++++++++
 .../tst/simple_tests/change_profile/aa_re_ok_3.sd  | 67 +++++++++++++++++++++
 .../tst/simple_tests/change_profile/aa_re_ok_4.sd  | 51 ++++++++++++++++
 .../tst/simple_tests/change_profile/aa_re_ok_5.sd  | 25 ++++++++
 .../tst/simple_tests/change_profile/aa_re_ok_6.sd  | 65 ++++++++++++++++++++
 .../tst/simple_tests/change_profile/aa_re_ok_7.sd  | 65 ++++++++++++++++++++
 .../tst/simple_tests/change_profile/aa_re_ok_8.sd  | 45 ++++++++++++++
 .../tst/simple_tests/change_profile/aao_bad_6.sd   |  7 +++
 .../simple_tests/change_profile/ad_bare_ok_1.sd    |  7 +++
 parser/tst/simple_tests/change_profile/ad_ok_1.sd  |  7 +++
 parser/tst/simple_tests/change_profile/ad_ok_2.sd  |  7 +++
 parser/tst/simple_tests/change_profile/ad_ok_3.sd  |  7 +++
 parser/tst/simple_tests/change_profile/ad_ok_4.sd  | 10 ++++
 parser/tst/simple_tests/change_profile/ad_ok_5.sd  | 10 ++++
 parser/tst/simple_tests/change_profile/ad_ok_6.sd  | 11 ++++
 parser/tst/simple_tests/change_profile/ad_ok_7.sd  | 11 ++++
 parser/tst/simple_tests/change_profile/ad_ok_8.sd  | 11 ++++
 .../tst/simple_tests/change_profile/ad_re_ok_1.sd  | 24 ++++++++
 .../tst/simple_tests/change_profile/ad_re_ok_2.sd  | 69 ++++++++++++++++++++++
 .../tst/simple_tests/change_profile/ad_re_ok_3.sd  | 67 +++++++++++++++++++++
 .../tst/simple_tests/change_profile/ad_re_ok_4.sd  | 51 ++++++++++++++++
 .../tst/simple_tests/change_profile/ad_re_ok_5.sd  | 25 ++++++++
 .../tst/simple_tests/change_profile/ad_re_ok_6.sd  | 65 ++++++++++++++++++++
 .../tst/simple_tests/change_profile/ad_re_ok_7.sd  | 65 ++++++++++++++++++++
 .../tst/simple_tests/change_profile/ad_re_ok_8.sd  | 45 ++++++++++++++
 .../tst/simple_tests/change_profile/ado_bad_1.sd   |  7 +++
 .../simple_tests/change_profile/ado_bare_bad_1.sd  |  7 +++
 .../tst/simple_tests/change_profile/allow_ok_1.sd  |  7 +++
 .../tst/simple_tests/change_profile/allow_ok_2.sd  |  7 +++
 .../tst/simple_tests/change_profile/allow_ok_3.sd  |  7 +++
 .../tst/simple_tests/change_profile/allow_ok_4.sd  | 10 ++++
 .../tst/simple_tests/change_profile/allow_ok_5.sd  | 10 ++++
 .../tst/simple_tests/change_profile/allow_ok_6.sd  | 11 ++++
 .../tst/simple_tests/change_profile/allow_ok_7.sd  | 11 ++++
 .../tst/simple_tests/change_profile/allow_ok_8.sd  | 11 ++++
 .../simple_tests/change_profile/allow_re_ok_1.sd   | 24 ++++++++
 .../simple_tests/change_profile/allow_re_ok_2.sd   | 69 ++++++++++++++++++++++
 .../simple_tests/change_profile/allow_re_ok_3.sd   | 67 +++++++++++++++++++++
 .../simple_tests/change_profile/allow_re_ok_4.sd   | 51 ++++++++++++++++
 .../simple_tests/change_profile/allow_re_ok_5.sd   | 25 ++++++++
 .../simple_tests/change_profile/allow_re_ok_6.sd   | 65 ++++++++++++++++++++
 .../simple_tests/change_profile/allow_re_ok_7.sd   | 65 ++++++++++++++++++++
 .../simple_tests/change_profile/allow_re_ok_8.sd   | 45 ++++++++++++++
 .../simple_tests/change_profile/allowo_bad_1.sd    |  7 +++
 .../tst/simple_tests/change_profile/ao_badh_1.sd   |  7 +++
 .../tst/simple_tests/change_profile/d_bare_ok_1.sd |  7 +++
 parser/tst/simple_tests/change_profile/d_ok_1.sd   |  7 +++
 parser/tst/simple_tests/change_profile/d_ok_2.sd   |  7 +++
 parser/tst/simple_tests/change_profile/d_ok_3.sd   |  7 +++
 parser/tst/simple_tests/change_profile/d_ok_4.sd   | 10 ++++
 parser/tst/simple_tests/change_profile/d_ok_5.sd   | 10 ++++
 parser/tst/simple_tests/change_profile/d_ok_6.sd   | 11 ++++
 parser/tst/simple_tests/change_profile/d_ok_7.sd   | 11 ++++
 parser/tst/simple_tests/change_profile/d_ok_8.sd   | 11 ++++
 .../tst/simple_tests/change_profile/d_re_ok_1.sd   | 24 ++++++++
 .../tst/simple_tests/change_profile/d_re_ok_2.sd   | 69 ++++++++++++++++++++++
 .../tst/simple_tests/change_profile/d_re_ok_3.sd   | 67 +++++++++++++++++++++
 .../tst/simple_tests/change_profile/d_re_ok_4.sd   | 51 ++++++++++++++++
 .../tst/simple_tests/change_profile/d_re_ok_5.sd   | 25 ++++++++
 .../tst/simple_tests/change_profile/d_re_ok_6.sd   | 65 ++++++++++++++++++++
 .../tst/simple_tests/change_profile/d_re_ok_7.sd   | 65 ++++++++++++++++++++
 .../tst/simple_tests/change_profile/d_re_ok_8.sd   | 45 ++++++++++++++
 .../simple_tests/change_profile/da_bare_bad_1.sd   |  7 +++
 .../simple_tests/change_profile/do_bare_bad_1.sd   |  7 +++
 parser/tst/simple_tests/change_profile/o_bad_1.sd  |  7 +++
 93 files changed, 2529 insertions(+), 7 deletions(-)
 create mode 100644 parser/tst/simple_tests/change_profile/a_bare_ok_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_ok_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_ok_2.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_ok_3.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_ok_4.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_ok_5.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_ok_6.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_ok_7.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_ok_8.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_re_ok_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_re_ok_2.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_re_ok_3.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_re_ok_4.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_re_ok_5.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_re_ok_6.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_re_ok_7.sd
 create mode 100644 parser/tst/simple_tests/change_profile/a_re_ok_8.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_ok_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_ok_2.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_ok_3.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_ok_4.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_ok_5.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_ok_6.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_ok_7.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_ok_8.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_re_ok_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_re_ok_2.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_re_ok_3.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_re_ok_4.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_re_ok_5.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_re_ok_6.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_re_ok_7.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aa_re_ok_8.sd
 create mode 100644 parser/tst/simple_tests/change_profile/aao_bad_6.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_bare_ok_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_ok_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_ok_2.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_ok_3.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_ok_4.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_ok_5.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_ok_6.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_ok_7.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_ok_8.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_re_ok_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_re_ok_2.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_re_ok_3.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_re_ok_4.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_re_ok_5.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_re_ok_6.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_re_ok_7.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ad_re_ok_8.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ado_bad_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ado_bare_bad_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_ok_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_ok_2.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_ok_3.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_ok_4.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_ok_5.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_ok_6.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_ok_7.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_ok_8.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_re_ok_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_re_ok_2.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_re_ok_3.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_re_ok_4.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_re_ok_5.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_re_ok_6.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_re_ok_7.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allow_re_ok_8.sd
 create mode 100644 parser/tst/simple_tests/change_profile/allowo_bad_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/ao_badh_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_bare_ok_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_ok_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_ok_2.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_ok_3.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_ok_4.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_ok_5.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_ok_6.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_ok_7.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_ok_8.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_re_ok_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_re_ok_2.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_re_ok_3.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_re_ok_4.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_re_ok_5.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_re_ok_6.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_re_ok_7.sd
 create mode 100644 parser/tst/simple_tests/change_profile/d_re_ok_8.sd
 create mode 100644 parser/tst/simple_tests/change_profile/da_bare_bad_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/do_bare_bad_1.sd
 create mode 100644 parser/tst/simple_tests/change_profile/o_bad_1.sd

diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 310af20..dc713c8 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -492,6 +492,8 @@ static int process_profile_name_xmatch(Profile *prof)
 	return TRUE;
 }
 
+static int warn_change_profile = 1;
+
 static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 {
 	std::string tbuf;
@@ -565,6 +567,14 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 		std::string lbuf;
 		int index = 1;
 
+		if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) {
+			/* don't have profile name here, so until this code
+			 * gets refactored just throw out a generic warning
+			 */
+			fprintf(stderr, "Warning kernel does not support audit modifier for change_profile rule.\n");
+			warn_change_profile = 0;
+		}
+
 		/* allow change_profile for all execs */
 		vec[0] = "/[^\\x00]*";
 
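Review bot: The new warning keys on `entry->audit`, but the grammar change in parser_yacc.y (same patch) sets `$3->audit = $3->mode` for a plain `deny` prefix and leaves it untouched for `audit deny`. As written the message therefore looks like it fires for `deny change_profile` rules that carry no audit modifier, and stays silent for `audit deny` ones. If that reading is right, the condition should separate the two cases, for example `entry->audit && !entry->deny`, or the text should say which modifier is being dropped. Because `warn_change_profile` is a file-scope one-shot flag, the warning is printed once per parser run with no profile name, and the string is missing a colon after "Warning". The body of process_dfa_entry starts and ends outside this hunk.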
@@ -576,12 +586,12 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 		vec[index++] = tbuf.c_str();
 
 		/* regular change_profile rule */
-		if (!dfarules->add_rule_vec(0, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
+		if (!dfarules->add_rule_vec(entry->deny, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
 			return FALSE;
 		/* onexec rules - both rules are needed for onexec */
-		if (!dfarules->add_rule_vec(0, AA_ONEXEC, 0, 1, vec, dfaflags))
+		if (!dfarules->add_rule_vec(entry->deny, AA_ONEXEC, 0, 1, vec, dfaflags))
 			return FALSE;
-		if (!dfarules->add_rule_vec(0, AA_ONEXEC, 0, index, vec, dfaflags))
+		if (!dfarules->add_rule_vec(entry->deny, AA_ONEXEC, 0, index, vec, dfaflags))
 			return FALSE;
 	}
 	return TRUE;
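Review bot: All three `add_rule_vec` calls still pass a literal `0` as the third argument, presumably the audit mask, so an `audit` prefix that the grammar now accepts is parsed and then has no effect on the compiled rule. The only signal is the warning added earlier in this function, which prints only when `WARN_RULE_DOWNGRADED` is set, so a policy author relying on `audit change_profile` for logging may get neither records nor a notice. A comment above the first call would make the intent explicit, e.g. `/* audit mask left at 0: kernel cannot audit change_profile yet, see warning above */`. The function body begins outside this hunk.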
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index ce57153..df3ce15 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -785,13 +785,23 @@ rules:  rules opt_prefix unix_rule
 		$$ = $1;
 	}
 
-rules:	rules change_profile
+rules:	rules opt_prefix change_profile
 	{
 		PDEBUG("matched: rules change_profile\n");
-		PDEBUG("rules change_profile: (%s)\n", $2->name);
-		if (!$2)
+		PDEBUG("rules change_profile: (%s)\n", $3->name);
+		if (!$3)
 			yyerror(_("Assert: `change_profile' returned NULL."));
-		add_entry_to_policy($1, $2);
+		if ($2.owner)
+			yyerror(_("owner prefix not allowed on unix rules"));
+		if ($2.deny && $2.audit) {
+			$3->deny = 1;
+		} else if ($2.deny) {
+			$3->deny = 1;
+			$3->audit = $3->mode;
+		} else if ($2.audit) {
+			$3->audit = $3->mode;
+		}
+		add_entry_to_policy($1, $3);
 		$$ = $1;
 	};
 
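Review bot: The owner check's message, `owner prefix not allowed on unix rules`, appears to be copied from the unix rule production. Here it should read `owner prefix not allowed on change_profile rules` so the policy author is pointed at the right rule. The `PDEBUG` that prints `$3->name` sits before the `if (!$3)` check, so in a build where PDEBUG is active a NULL entry would be dereferenced before the assert can report it; moving the NULL check above that `PDEBUG` fixes the ordering. The deny/audit branches would also benefit from a short comment such as `/* plain deny: audit = mode, set for deny without the audit prefix */`, since the meaning of `audit` on a deny entry is not obvious from these lines.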
diff --git a/parser/tst/simple_tests/change_profile/a_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/a_bare_ok_1.sd
new file mode 100644
index 0000000..0763dc8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_1.sd b/parser/tst/simple_tests/change_profile/a_ok_1.sd
new file mode 100644
index 0000000..8dcac5a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_2.sd b/parser/tst/simple_tests/change_profile/a_ok_2.sd
new file mode 100644
index 0000000..5967dc8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_3.sd b/parser/tst/simple_tests/change_profile/a_ok_3.sd
new file mode 100644
index 0000000..fba4768
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_4.sd b/parser/tst/simple_tests/change_profile/a_ok_4.sd
new file mode 100644
index 0000000..025d9d3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit change_profile -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_5.sd b/parser/tst/simple_tests/change_profile/a_ok_5.sd
new file mode 100644
index 0000000..9b336e5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit change_profile with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_6.sd b/parser/tst/simple_tests/change_profile/a_ok_6.sd
new file mode 100644
index 0000000..57684d1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_7.sd b/parser/tst/simple_tests/change_profile/a_ok_7.sd
new file mode 100644
index 0000000..879be48
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_8.sd b/parser/tst/simple_tests/change_profile/a_ok_8.sd
new file mode 100644
index 0000000..01e6dc7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_1.sd b/parser/tst/simple_tests/change_profile/a_re_ok_1.sd
new file mode 100644
index 0000000..3ff2991
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION audit change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_2.sd b/parser/tst/simple_tests/change_profile/a_re_ok_2.sd
new file mode 100644
index 0000000..a113def
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION audit change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit change_profile -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit change_profile -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit change_profile -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit change_profile -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit change_profile -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit change_profile -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit change_profile -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit change_profile -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit change_profile -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit change_profile -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit change_profile -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit change_profile -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_3.sd b/parser/tst/simple_tests/change_profile/a_re_ok_3.sd
new file mode 100644
index 0000000..d60133e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION audit change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit change_profile -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit change_profile -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit change_profile -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit change_profile -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit change_profile -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit change_profile -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit change_profile -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit change_profile -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit change_profile -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit change_profile -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit change_profile -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit change_profile -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_4.sd b/parser/tst/simple_tests/change_profile/a_re_ok_4.sd
new file mode 100644
index 0000000..a379127
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION audit change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit change_profile -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit change_profile -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit change_profile -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit change_profile -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit change_profile -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit change_profile -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit change_profile -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit change_profile -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_5.sd b/parser/tst/simple_tests/change_profile/a_re_ok_5.sd
new file mode 100644
index 0000000..5dc2020
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit change_profile with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit change_profile -> *,
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> **,
+}
+
+/usr/bin/foo3 {
+   audit change_profile -> ?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_6.sd b/parser/tst/simple_tests/change_profile/a_re_ok_6.sd
new file mode 100644
index 0000000..436ee3c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit change_profile with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit change_profile -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit change_profile -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit change_profile -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit change_profile -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit change_profile -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit change_profile -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit change_profile -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit change_profile -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit change_profile -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit change_profile -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit change_profile -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit change_profile -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit change_profile -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_7.sd b/parser/tst/simple_tests/change_profile/a_re_ok_7.sd
new file mode 100644
index 0000000..3452d3a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit change_profile with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   audit change_profile -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit change_profile -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit change_profile -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit change_profile -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit change_profile -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit change_profile -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit change_profile -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit change_profile -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit change_profile -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit change_profile -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_8.sd b/parser/tst/simple_tests/change_profile/a_re_ok_8.sd
new file mode 100644
index 0000000..6948928
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION audit change_profile re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   audit change_profile -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit change_profile -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit change_profile -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit change_profile -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit change_profile -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit change_profile -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit change_profile -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit change_profile -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit change_profile -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit change_profile -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_1.sd b/parser/tst/simple_tests/change_profile/aa_ok_1.sd
new file mode 100644
index 0000000..4950d9a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit allow change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_2.sd b/parser/tst/simple_tests/change_profile/aa_ok_2.sd
new file mode 100644
index 0000000..1ba7e74
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit allow change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_3.sd b/parser/tst/simple_tests/change_profile/aa_ok_3.sd
new file mode 100644
index 0000000..208d807
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit allow change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_4.sd b/parser/tst/simple_tests/change_profile/aa_ok_4.sd
new file mode 100644
index 0000000..9d139de
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit allow change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit allow change_profile -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_5.sd b/parser/tst/simple_tests/change_profile/aa_ok_5.sd
new file mode 100644
index 0000000..9ba2675
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit allow change_profile with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit allow change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_6.sd b/parser/tst/simple_tests/change_profile/aa_ok_6.sd
new file mode 100644
index 0000000..1218289
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit allow change_profile with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_7.sd b/parser/tst/simple_tests/change_profile/aa_ok_7.sd
new file mode 100644
index 0000000..77c7be6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit allow change_profile to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_8.sd b/parser/tst/simple_tests/change_profile/aa_ok_8.sd
new file mode 100644
index 0000000..786505b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit allow change_profile with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_1.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_1.sd
new file mode 100644
index 0000000..7cfc027
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION audit allow change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_2.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_2.sd
new file mode 100644
index 0000000..a8967f8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION audit allow change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit allow change_profile -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_3.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_3.sd
new file mode 100644
index 0000000..1c533ae
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION audit allow change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit allow change_profile -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_4.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_4.sd
new file mode 100644
index 0000000..297915a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION audit allow change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit allow change_profile -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_5.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_5.sd
new file mode 100644
index 0000000..3e01b85
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit allow change_profile with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit allow change_profile -> *,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> **,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile -> ?,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_6.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_6.sd
new file mode 100644
index 0000000..7558377
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit allow change_profile with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit allow change_profile -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_7.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_7.sd
new file mode 100644
index 0000000..b522af8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit allow change_profile with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   audit allow change_profile -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_8.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_8.sd
new file mode 100644
index 0000000..6a15f5a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION audit allow change_profile re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   audit allow change_profile -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile -> "/bin/ ?ab",
+}
+
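Review bot: The profile names in aa_re_ok_8.sd run foo5 to foo8 and then foo10 to foo15, so foo9 is missing, and the quoted set uses `"/bin/?ab"` where the unquoted aa_re_ok_1.sd tests a bare `/bin/?`. This looks like a case lost while copying, though the patch does not say whether the omission is deliberate. If a quoted lone `?` is meant to be covered, add a profile with `audit allow change_profile -> "/bin/?",`; otherwise renumber the profiles so the gap does not read as a dropped test. ad_re_ok_8.sd and allow_re_ok_8.sd have the same numbering and the same missing case.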
diff --git a/parser/tst/simple_tests/change_profile/aao_bad_6.sd b/parser/tst/simple_tests/change_profile/aao_bad_6.sd
new file mode 100644
index 0000000..b4109d2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aao_bad_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed on change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile -> "/bin/foo",
+}
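Review bot: aao_bad_6.sd is the only `audit allow owner` rejection case in the visible part of this patch. It is numbered `_6`, uses a quoted target and has no bare counterpart, whereas the `audit deny owner` pair (ado_bad_1.sd, ado_bare_bad_1.sd) covers an unquoted target and the bare rule. `#=EXRESULT FAIL` presumably passes on any parse error, so each negative case should differ from a passing file only by the `owner` keyword; otherwise an unrelated failure could mask the check. I would add a file with `audit allow owner change_profile,` and one with `audit allow owner change_profile -> /bin/foo,`, and number them from 1 to match the ado_ files.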
diff --git a/parser/tst/simple_tests/change_profile/ad_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/ad_bare_ok_1.sd
new file mode 100644
index 0000000..e236803
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile,
+}
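Review bot: The deny cases, from `audit deny change_profile,` in ad_bare_ok_1.sd through ad_ok_1.sd to ad_re_ok_8.sd, only assert `#=EXRESULT PASS`, meaning the parser accepts the rule. As far as these fixtures show, nothing checks that the compiled policy carries the `deny` and `audit` modifiers. A parser that accepted the prefix and then emitted an ordinary allow rule would pass every one of them, and for change_profile that mistake fails open. If the test suite has a place for it, pair these with a check that compares the generated policy for a `deny change_profile -> /bin/foo,` rule against the one for the same rule written with `allow`, and fails if they are the same.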
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_1.sd b/parser/tst/simple_tests/change_profile/ad_ok_1.sd
new file mode 100644
index 0000000..7df874c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_2.sd b/parser/tst/simple_tests/change_profile/ad_ok_2.sd
new file mode 100644
index 0000000..9ca265a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_3.sd b/parser/tst/simple_tests/change_profile/ad_ok_3.sd
new file mode 100644
index 0000000..ca95379
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_4.sd b/parser/tst/simple_tests/change_profile/ad_ok_4.sd
new file mode 100644
index 0000000..368389d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit deny change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit deny change_profile -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_5.sd b/parser/tst/simple_tests/change_profile/ad_ok_5.sd
new file mode 100644
index 0000000..40ac167
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit deny change_profile with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit deny change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_6.sd b/parser/tst/simple_tests/change_profile/ad_ok_6.sd
new file mode 100644
index 0000000..cd0af01
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_7.sd b/parser/tst/simple_tests/change_profile/ad_ok_7.sd
new file mode 100644
index 0000000..c5c44d0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_8.sd b/parser/tst/simple_tests/change_profile/ad_ok_8.sd
new file mode 100644
index 0000000..e2f04d7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_1.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_1.sd
new file mode 100644
index 0000000..15268bc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION audit deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_2.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_2.sd
new file mode 100644
index 0000000..936f1de
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION audit deny change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit deny change_profile -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_3.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_3.sd
new file mode 100644
index 0000000..00bb710
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION audit deny change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit deny change_profile -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_4.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_4.sd
new file mode 100644
index 0000000..3e78370
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION audit deny change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit deny change_profile -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_5.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_5.sd
new file mode 100644
index 0000000..960d6ca
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit deny change_profile with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit deny change_profile -> *,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> **,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile -> ?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_6.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_6.sd
new file mode 100644
index 0000000..b3ef1c6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit deny change_profile with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit deny change_profile -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_7.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_7.sd
new file mode 100644
index 0000000..db58ac4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit deny change_profile with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   audit deny change_profile -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_8.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_8.sd
new file mode 100644
index 0000000..dd8aca3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION audit deny change_profile re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   audit deny change_profile -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/ado_bad_1.sd b/parser/tst/simple_tests/change_profile/ado_bad_1.sd
new file mode 100644
index 0000000..535c15c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ado_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed on change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/ado_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/ado_bare_bad_1.sd
new file mode 100644
index 0000000..116f3c3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ado_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_1.sd b/parser/tst/simple_tests/change_profile/allow_ok_1.sd
new file mode 100644
index 0000000..77bec70
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_2.sd b/parser/tst/simple_tests/change_profile/allow_ok_2.sd
new file mode 100644
index 0000000..afa79e7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_3.sd b/parser/tst/simple_tests/change_profile/allow_ok_3.sd
new file mode 100644
index 0000000..3a96d7f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_4.sd b/parser/tst/simple_tests/change_profile/allow_ok_4.sd
new file mode 100644
index 0000000..668d422
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION allow change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   allow change_profile -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_5.sd b/parser/tst/simple_tests/change_profile/allow_ok_5.sd
new file mode 100644
index 0000000..bd8aa5b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION allow change_profile with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   allow change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_6.sd b/parser/tst/simple_tests/change_profile/allow_ok_6.sd
new file mode 100644
index 0000000..7ad9c5a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_7.sd b/parser/tst/simple_tests/change_profile/allow_ok_7.sd
new file mode 100644
index 0000000..9e23302
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_8.sd b/parser/tst/simple_tests/change_profile/allow_ok_8.sd
new file mode 100644
index 0000000..ee57c06
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_1.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_1.sd
new file mode 100644
index 0000000..268cba2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION allow change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_2.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_2.sd
new file mode 100644
index 0000000..76a5adb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION allow change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   allow change_profile -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   allow change_profile -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   allow change_profile -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   allow change_profile -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   allow change_profile -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   allow change_profile -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   allow change_profile -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   allow change_profile -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   allow change_profile -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   allow change_profile -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   allow change_profile -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   allow change_profile -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_3.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_3.sd
new file mode 100644
index 0000000..b1dc557
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION allow change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   allow change_profile -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   allow change_profile -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   allow change_profile -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   allow change_profile -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   allow change_profile -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   allow change_profile -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   allow change_profile -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   allow change_profile -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   allow change_profile -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   allow change_profile -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   allow change_profile -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   allow change_profile -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_4.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_4.sd
new file mode 100644
index 0000000..b656b2f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION allow change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   allow change_profile -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   allow change_profile -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   allow change_profile -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   allow change_profile -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   allow change_profile -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   allow change_profile -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   allow change_profile -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   allow change_profile -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_5.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_5.sd
new file mode 100644
index 0000000..0a4a6e5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION allow change_profile with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   allow change_profile -> *,
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> **,
+}
+
+/usr/bin/foo3 {
+   allow change_profile -> ?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile -> [ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_6.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_6.sd
new file mode 100644
index 0000000..1ca4134
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION allow change_profile with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   allow change_profile -> *//ab,
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> **//ab,
+}
+
+/usr/bin/foo3 {
+   allow change_profile -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   allow change_profile -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   allow change_profile -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   allow change_profile -> ab//*,
+}
+
+/usr/bin/foo7 {
+   allow change_profile -> ab//**,
+}
+
+/usr/bin/foo8 {
+   allow change_profile -> ab//?,
+}
+
+/usr/bin/foo9 {
+   allow change_profile -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   allow change_profile -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   allow change_profile -> *//*,
+}
+
+/usr/bin/foo12 {
+   allow change_profile -> **//*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile -> ?//*,
+}
+
+/usr/bin/foo14 {
+   allow change_profile -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   allow change_profile -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_7.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_7.sd
new file mode 100644
index 0000000..6c6ee92
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION allow change_profile with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   allow change_profile -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   allow change_profile -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   allow change_profile -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   allow change_profile -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   allow change_profile -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   allow change_profile -> :*:*,
+}
+
+/usr/bin/foo12 {
+   allow change_profile -> :**:**,
+}
+
+/usr/bin/foo13 {
+   allow change_profile -> :?:?,
+}
+
+/usr/bin/foo14 {
+   allow change_profile -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   allow change_profile -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_8.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_8.sd
new file mode 100644
index 0000000..985e7f2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION allow change_profile re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   allow change_profile -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   allow change_profile -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   allow change_profile -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   allow change_profile -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   allow change_profile -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   allow change_profile -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   allow change_profile -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   allow change_profile -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   allow change_profile -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   allow change_profile -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/allowo_bad_1.sd b/parser/tst/simple_tests/change_profile/allowo_bad_1.sd
new file mode 100644
index 0000000..fde8f49
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allowo_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allow in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   allow owner change_profile -> /bin/foo,
+}
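Review bot: The `#=DESCRIPTION` line in `allowo_bad_1.sd` reads "owner not allow in change_profile", which is missing the "ed". The sibling negative tests `ao_badh_1.sd`, `do_bare_bad_1.sd` and `o_bad_1.sd` all say "owner not allowed". Suggest `#=DESCRIPTION owner not allowed in change_profile` so that a failure report reads the same across the four files.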
diff --git a/parser/tst/simple_tests/change_profile/ao_badh_1.sd b/parser/tst/simple_tests/change_profile/ao_badh_1.sd
new file mode 100644
index 0000000..090ba99
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ao_badh_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile -> /bin/foo,
+}
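Review bot: The file name `ao_badh_1.sd` looks like a typo for `ao_bad_1.sd`. The other negative tests in this patch use the `_bad_` form (`allowo_bad_1.sd`, `o_bad_1.sd`, `do_bare_bad_1.sd`). The harness presumably picks up every `.sd` file, so the test likely still runs, but anyone selecting expected-fail cases by name would miss the `audit owner` case. Renaming it before merge keeps the naming scheme searchable.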
diff --git a/parser/tst/simple_tests/change_profile/d_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/d_bare_ok_1.sd
new file mode 100644
index 0000000..fcb0b5e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile,
+}
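Review bot: Nothing in `d_bare_ok_1.sd` checks that the `deny` prefix changes the rule that gets compiled. As far as the header shows, `#=EXRESULT PASS` only records that the parser accepts `deny change_profile,`. The same holds for the other `d_ok_*.sd` and `d_re_ok_*.sd` files in this patch. A parser that accepted the prefix but emitted an ordinary allow rule would pass every one of them, and for a deny rule that is the regression that matters. Consider adding a check that compiles `deny change_profile -> /bin/foo,` and `change_profile -> /bin/foo,` and asserts the resulting policies differ.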
diff --git a/parser/tst/simple_tests/change_profile/d_ok_1.sd b/parser/tst/simple_tests/change_profile/d_ok_1.sd
new file mode 100644
index 0000000..be02ede
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_2.sd b/parser/tst/simple_tests/change_profile/d_ok_2.sd
new file mode 100644
index 0000000..8004d88
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_3.sd b/parser/tst/simple_tests/change_profile/d_ok_3.sd
new file mode 100644
index 0000000..1ce12ad
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_4.sd b/parser/tst/simple_tests/change_profile/d_ok_4.sd
new file mode 100644
index 0000000..84269dc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny change_profile -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_5.sd b/parser/tst/simple_tests/change_profile/d_ok_5.sd
new file mode 100644
index 0000000..a443277
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny change_profile with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_6.sd b/parser/tst/simple_tests/change_profile/d_ok_6.sd
new file mode 100644
index 0000000..ef71d78
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_7.sd b/parser/tst/simple_tests/change_profile/d_ok_7.sd
new file mode 100644
index 0000000..4030e95
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_8.sd b/parser/tst/simple_tests/change_profile/d_ok_8.sd
new file mode 100644
index 0000000..cce3b32
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_1.sd b/parser/tst/simple_tests/change_profile/d_re_ok_1.sd
new file mode 100644
index 0000000..975b9b4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile -> /bin/[^ab],
+}
+
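Review bot: The `#=DESCRIPTION` in `d_re_ok_1.sd` is `deny change_profile`, identical to the one in `d_ok_1.sd`, although this file exercises the pattern targets `/bin/*`, `/bin/**`, `/bin/?`, `/bin/[ab]` and `/bin/[^ab]`. Suggest `#=DESCRIPTION deny change_profile with regex target` so the two can be told apart in a test log. `d_re_ok_2.sd`, `d_re_ok_3.sd` and `d_re_ok_4.sd` reuse the descriptions of `d_ok_2.sd`, `d_ok_3.sd` and `d_ok_4.sd` in the same way and would benefit from the same qualifier.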
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_2.sd b/parser/tst/simple_tests/change_profile/d_re_ok_2.sd
new file mode 100644
index 0000000..8d7f695
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION deny change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   deny change_profile -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   deny change_profile -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   deny change_profile -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   deny change_profile -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   deny change_profile -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   deny change_profile -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   deny change_profile -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   deny change_profile -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   deny change_profile -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   deny change_profile -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   deny change_profile -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   deny change_profile -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_3.sd b/parser/tst/simple_tests/change_profile/d_re_ok_3.sd
new file mode 100644
index 0000000..0cfd4b1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION deny change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   deny change_profile -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   deny change_profile -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   deny change_profile -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   deny change_profile -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   deny change_profile -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   deny change_profile -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   deny change_profile -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   deny change_profile -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   deny change_profile -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   deny change_profile -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   deny change_profile -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   deny change_profile -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_4.sd b/parser/tst/simple_tests/change_profile/d_re_ok_4.sd
new file mode 100644
index 0000000..5dcdd88
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION deny change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   deny change_profile -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   deny change_profile -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   deny change_profile -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   deny change_profile -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   deny change_profile -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   deny change_profile -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   deny change_profile -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   deny change_profile -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_5.sd b/parser/tst/simple_tests/change_profile/d_re_ok_5.sd
new file mode 100644
index 0000000..0972013
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION deny change_profile with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   deny change_profile -> *,
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> **,
+}
+
+/usr/bin/foo3 {
+   deny change_profile -> ?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile -> [ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_6.sd b/parser/tst/simple_tests/change_profile/d_re_ok_6.sd
new file mode 100644
index 0000000..970ea0a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION deny change_profile with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   deny change_profile -> *//ab,
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> **//ab,
+}
+
+/usr/bin/foo3 {
+   deny change_profile -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   deny change_profile -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   deny change_profile -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   deny change_profile -> ab//*,
+}
+
+/usr/bin/foo7 {
+   deny change_profile -> ab//**,
+}
+
+/usr/bin/foo8 {
+   deny change_profile -> ab//?,
+}
+
+/usr/bin/foo9 {
+   deny change_profile -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   deny change_profile -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   deny change_profile -> *//*,
+}
+
+/usr/bin/foo12 {
+   deny change_profile -> **//*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile -> ?//*,
+}
+
+/usr/bin/foo14 {
+   deny change_profile -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   deny change_profile -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_7.sd b/parser/tst/simple_tests/change_profile/d_re_ok_7.sd
new file mode 100644
index 0000000..5a2319a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION deny change_profile with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   deny change_profile -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   deny change_profile -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   deny change_profile -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   deny change_profile -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   deny change_profile -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   deny change_profile -> :*:*,
+}
+
+/usr/bin/foo12 {
+   deny change_profile -> :**:**,
+}
+
+/usr/bin/foo13 {
+   deny change_profile -> :?:?,
+}
+
+/usr/bin/foo14 {
+   deny change_profile -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   deny change_profile -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_8.sd b/parser/tst/simple_tests/change_profile/d_re_ok_8.sd
new file mode 100644
index 0000000..cda4bed
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION deny change_profile re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   deny change_profile -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   deny change_profile -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   deny change_profile -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   deny change_profile -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   deny change_profile -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   deny change_profile -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   deny change_profile -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   deny change_profile -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   deny change_profile -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   deny change_profile -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/da_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/da_bare_bad_1.sd
new file mode 100644
index 0000000..40d7770
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/da_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile,
+}
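Review bot: The wrong-order case in `da_bare_bad_1.sd` covers only the bare rule `deny audit change_profile,`. No file in the part of the patch visible here covers the same ordering with a target, such as `deny audit change_profile -> /bin/foo,`. If the bare and targeted forms go through separate grammar productions, which cannot be confirmed from the test files alone, a targeted rule with swapped qualifiers could be accepted while one qualifier is dropped. A second expected-FAIL file for the targeted form would close that gap.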
diff --git a/parser/tst/simple_tests/change_profile/do_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/do_bare_bad_1.sd
new file mode 100644
index 0000000..e8fa9ea
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/do_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/o_bad_1.sd b/parser/tst/simple_tests/change_profile/o_bad_1.sd
new file mode 100644
index 0000000..36a7f84
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/o_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile -> /bin/foo,
+}
-- 
2.1.4



