[apparmor] [PATCH 13/14] Extend change_profile tests

John Johansen john.johansen at canonical.com
Mon Jun 8 19:00:28 UTC 2015


commit 660878917ea9156ad4fd897880a2b3e0cbc2e5bd
Author: John Johansen <john.johansen at canonical.com>
Date:   Thu May 28 23:50:08 2015 -0700

    Extend change_profile tests
    
    Signed-off-by: John Johansen <john.johansen at canonical.com>

diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
index 700ac8b..3beed27 100755
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@@ -460,7 +460,9 @@ verify_binary_equality "Deny of ungranted perm" \
 
 verify_binary_equality "change_profile == change_profile -> **" \
 		       "/t { change_profile, }" \
-		       "/t { change_profile -> **, }"
+		       "/t { change_profile -> **, }" \
+		       "/t { change_profile /**, }" \
+		       "/t { change_profile /** -> **, }"
 
 if [ $fails -ne 0 -o $errors -ne 0 ]
 then
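Review bot: The label passed to verify_binary_equality still reads `change_profile == change_profile -> **`, although the call now also compares the two `/**` exec-condition forms, so a failure message will not show that the new forms were involved; a label such as `"change_profile == change_profile -> ** == change_profile /** -> **"` would. All four rules are maximally broad, so this check would still pass if the parser silently dropped the exec condition. A companion inequality check of `/t { change_profile /a -> **, }` against `/t { change_profile -> **, }` would catch that, provided this version of the script has an inequality helper. The `if` block at the end of the hunk continues outside it.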
diff --git a/parser/tst/simple_tests/change_profile/onx_a_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_a_bare_ok_1.sd
new file mode 100644
index 0000000..55d3e07
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec,
+}
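Review bot: The `#=DESCRIPTION` line here is identical to the one in onx_a_ok_1.sd, even though this file tests the bare form with no `->` target, so a report that prints the description will not tell the two cases apart. Something like `#=DESCRIPTION audit change_profile /onexec with no target` would make it distinguishable. onx_a_re_ok_1.sd and onx_aa_re_ok_1.sd reuse the same generic description for their glob targets and could mention the regex as well.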
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_1.sd
new file mode 100644
index 0000000..4526f98
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_2.sd
new file mode 100644
index 0000000..529d15b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_3.sd
new file mode 100644
index 0000000..af779d1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_4.sd
new file mode 100644
index 0000000..ba08089
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_5.sd
new file mode 100644
index 0000000..dac8411
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit change_profile /onexec with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_6.sd
new file mode 100644
index 0000000..3045a64
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile /onexec with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> "/bin/ foo",
+}
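Review bot: Only the target after `->` is ever quoted in this file, and in the files visible in this part of the patch the exec condition is always the bare literal `/onexec`. Since the exec condition decides which exec triggers the transition, the parser's handling of a quoted one deserves a test of its own. A case such as `audit change_profile "/on exec" -> /bin/foo,` would do, with `#=EXRESULT` set to whatever the grammar intends. The same gap applies to onx_aa_ok_6.sd.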
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_7.sd
new file mode 100644
index 0000000..c7bf408
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile /onexec to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_8.sd
new file mode 100644
index 0000000..8078a7f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile /onexec with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_1.sd
new file mode 100644
index 0000000..b476e08
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION audit change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile /onexec -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile /onexec -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_2.sd
new file mode 100644
index 0000000..05d3c94
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION audit change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit change_profile /onexec -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit change_profile /onexec -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile /onexec -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit change_profile /onexec -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit change_profile /onexec -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit change_profile /onexec -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit change_profile /onexec -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit change_profile /onexec -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit change_profile /onexec -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile /onexec -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit change_profile /onexec -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit change_profile /onexec -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit change_profile /onexec -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_3.sd
new file mode 100644
index 0000000..13777a2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION audit change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit change_profile /onexec -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit change_profile /onexec -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile /onexec -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit change_profile /onexec -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit change_profile /onexec -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit change_profile /onexec -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit change_profile /onexec -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit change_profile /onexec -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit change_profile /onexec -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile /onexec -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit change_profile /onexec -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit change_profile /onexec -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit change_profile /onexec -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_4.sd
new file mode 100644
index 0000000..6198752
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION audit change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit change_profile /onexec -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile /onexec -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit change_profile /onexec -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit change_profile /onexec -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit change_profile /onexec -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit change_profile /onexec -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit change_profile /onexec -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit change_profile /onexec -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit change_profile /onexec -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_5.sd
new file mode 100644
index 0000000..16f5266
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit change_profile /onexec with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit change_profile /onexec -> *,
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> **,
+}
+
+/usr/bin/foo3 {
+   audit change_profile /onexec -> ?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile /onexec -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_6.sd
new file mode 100644
index 0000000..b0418d6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit change_profile /onexec with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit change_profile /onexec -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit change_profile /onexec -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit change_profile /onexec -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit change_profile /onexec -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit change_profile /onexec -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit change_profile /onexec -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit change_profile /onexec -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit change_profile /onexec -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit change_profile /onexec -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit change_profile /onexec -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile /onexec -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit change_profile /onexec -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit change_profile /onexec -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_7.sd
new file mode 100644
index 0000000..6a38912
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit change_profile /onexec with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   audit change_profile /onexec -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile /onexec -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile /onexec -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile /onexec -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit change_profile /onexec -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit change_profile /onexec -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit change_profile /onexec -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit change_profile /onexec -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit change_profile /onexec -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit change_profile /onexec -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit change_profile /onexec -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit change_profile /onexec -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit change_profile /onexec -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_8.sd
new file mode 100644
index 0000000..db9d36d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION audit change_profile /onexec re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit change_profile /onexec -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit change_profile /onexec -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit change_profile /onexec -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit change_profile /onexec -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit change_profile /onexec -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit change_profile /onexec -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit change_profile /onexec -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit change_profile /onexec -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit change_profile /onexec -> "/bin/ ?ab",
+}
+
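Review bot: The profile names in this file run foo5 to foo8 and then foo10 to foo15, with no foo to foo4 and no foo9, which reads like leftovers from a trimmed copy and makes a parser error harder to map back to a case. Renumbering them consecutively (`/usr/bin/foo`, `/usr/bin/foo2`, …) would match the sibling files. Quoted glob targets for hats and namespaces, for example `"/bin/foo//ba*"`, are covered unquoted elsewhere but not here. onx_aa_re_ok_8.sd has the same numbering.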
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_1.sd
new file mode 100644
index 0000000..d1d7d4c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_2.sd
new file mode 100644
index 0000000..a1f8d7a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_3.sd
new file mode 100644
index 0000000..7b298c0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_4.sd
new file mode 100644
index 0000000..9013cde
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit allow change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_5.sd
new file mode 100644
index 0000000..bf5c4f4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit allow change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_6.sd
new file mode 100644
index 0000000..c409d65
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_7.sd
new file mode 100644
index 0000000..c795523
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_8.sd
new file mode 100644
index 0000000..ee3d461
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_1.sd
new file mode 100644
index 0000000..27d97e6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile /onexec -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile /onexec -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_2.sd
new file mode 100644
index 0000000..f23a7a3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile /onexec -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile /onexec -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile /onexec -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile /onexec -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile /onexec -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile /onexec -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile /onexec -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile /onexec -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile /onexec -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile /onexec -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile /onexec -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile /onexec -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit allow change_profile /onexec -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_3.sd
new file mode 100644
index 0000000..9df4f00
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile /onexec -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile /onexec -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile /onexec -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile /onexec -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile /onexec -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile /onexec -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile /onexec -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile /onexec -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile /onexec -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile /onexec -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile /onexec -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile /onexec -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit allow change_profile /onexec -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_4.sd
new file mode 100644
index 0000000..b99b9a2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit allow change_profile /onexec -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile /onexec -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile /onexec -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile /onexec -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile /onexec -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile /onexec -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile /onexec -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile /onexec -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile /onexec -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_5.sd
new file mode 100644
index 0000000..dc75744
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit allow change_profile /onexec -> *,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> **,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile /onexec -> ?,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile /onexec -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_6.sd
new file mode 100644
index 0000000..1af2d9d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit allow change_profile /onexec -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile /onexec -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile /onexec -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile /onexec -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile /onexec -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile /onexec -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile /onexec -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile /onexec -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile /onexec -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile /onexec -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile /onexec -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile /onexec -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile /onexec -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_7.sd
new file mode 100644
index 0000000..a23c949
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   audit allow change_profile /onexec -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile /onexec -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile /onexec -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile /onexec -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile /onexec -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile /onexec -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile /onexec -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile /onexec -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile /onexec -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile /onexec -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile /onexec -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile /onexec -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile /onexec -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_8.sd
new file mode 100644
index 0000000..273b404
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile /onexec -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile /onexec -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile /onexec -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile /onexec -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile /onexec -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile /onexec -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile /onexec -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile /onexec -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile /onexec -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_1.sd
new file mode 100644
index 0000000..c5c19ce
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_2.sd
new file mode 100644
index 0000000..62c86f3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_3.sd
new file mode 100644
index 0000000..918ef5e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_4.sd
new file mode 100644
index 0000000..f5bf482
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_5.sd
new file mode 100644
index 0000000..f64fc15
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_6.sd
new file mode 100644
index 0000000..5d4a069
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> "/bin/foo",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_7.sd
new file mode 100644
index 0000000..5641590
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> "/bin/foo//bar",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_8.sd
new file mode 100644
index 0000000..f78f776
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> ":foo:/bin/foo",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_1.sd
new file mode 100644
index 0000000..a38bdbc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_2.sd
new file mode 100644
index 0000000..62c86f3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> /bin/foo//bar,
+}
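Review bot: The target `/bin/foo//bar` contains no glob, so this `_re_` case does not test `owner` together with a pattern target on the hat form. The same holds for onx_aao_re_bad_3.sd (`:foo:/bin/foo`), and for onx_ado_re_bad_2.sd and onx_ado_re_bad_3.sd, whose index hashes 0e5bbe6 and dd99477 equal those of onx_ado_bad_2.sd and onx_ado_bad_3.sd, which means they are byte-identical duplicates. A patterned target like those in the matching re_ok files would make these cases cover something the non-regex series does not: `audit allow owner change_profile /onexec -> /bin/foo//ba*,` here and `:foo:/bin/fo*` in the namespace case.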
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_3.sd
new file mode 100644
index 0000000..918ef5e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_4.sd
new file mode 100644
index 0000000..2decefc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> @{LIBVIRT}-fo*,
+}
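Review bot: `@{LIBVIRT_RE}` is declared but the rule references only `@{LIBVIRT}`, so the second variable is dead in this file. In a test expected to FAIL, each extra construct is one more thing that could cause the rejection instead of `owner`. Either drop the line `@{LIBVIRT_RE}="libvirt*"` or use it in the rule, as in `audit allow owner change_profile /onexec -> @{LIBVIRT_RE}-fo*,`. onx_ado_re_bad_4.sd carries the same unused declaration.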
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_5.sd
new file mode 100644
index 0000000..b6df50f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> *,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_6.sd
new file mode 100644
index 0000000..2c18c5f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_7.sd
new file mode 100644
index 0000000..ddf8140
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_8.sd
new file mode 100644
index 0000000..d04f634
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   audit allow owner change_profile /onexec -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_ad_bare_ok_1.sd
new file mode 100644
index 0000000..26c3872
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_1.sd
new file mode 100644
index 0000000..b6afda1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_2.sd
new file mode 100644
index 0000000..4efadb0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_3.sd
new file mode 100644
index 0000000..0a4f4fe
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_4.sd
new file mode 100644
index 0000000..ece6b23
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit deny change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_5.sd
new file mode 100644
index 0000000..a2e4b68
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit deny change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_6.sd
new file mode 100644
index 0000000..c99bce2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_7.sd
new file mode 100644
index 0000000..b89a11c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_8.sd
new file mode 100644
index 0000000..2fdce8f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_1.sd
new file mode 100644
index 0000000..3482539
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile /onexec -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile /onexec -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> /bin/[^ab],
+}
+
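Review bot: The description `audit deny change_profile /onexec` is identical to the one in onx_ad_ok_1.sd although this file is the glob variant (`*`, `**`, `?`, `[ab]`, `[^ab]`), so the two tests cannot be told apart by description. A line such as `#=DESCRIPTION audit deny change_profile /onexec with regex target` would follow the way onx_ad_re_ok_8.sd labels itself ("re with quotes"). onx_ad_re_ok_2.sd through onx_ad_re_ok_4.sd and onx_allow_re_ok_1.sd through onx_allow_re_ok_4.sd reuse their non-regex descriptions in the same way.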
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_2.sd
new file mode 100644
index 0000000..57f7866
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile /onexec -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile /onexec -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile /onexec -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile /onexec -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile /onexec -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile /onexec -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile /onexec -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile /onexec -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile /onexec -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile /onexec -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile /onexec -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile /onexec -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit deny change_profile /onexec -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_3.sd
new file mode 100644
index 0000000..26b50ab
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile /onexec -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile /onexec -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile /onexec -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile /onexec -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile /onexec -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile /onexec -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile /onexec -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile /onexec -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile /onexec -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile /onexec -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile /onexec -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile /onexec -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit deny change_profile /onexec -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_4.sd
new file mode 100644
index 0000000..a3a5e55
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit deny change_profile /onexec -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile /onexec -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile /onexec -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile /onexec -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile /onexec -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile /onexec -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile /onexec -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile /onexec -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile /onexec -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_5.sd
new file mode 100644
index 0000000..a30b256
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit deny change_profile /onexec -> *,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> **,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile /onexec -> ?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile /onexec -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_6.sd
new file mode 100644
index 0000000..efd84fa
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit deny change_profile /onexec -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile /onexec -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile /onexec -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile /onexec -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile /onexec -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile /onexec -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile /onexec -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile /onexec -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile /onexec -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile /onexec -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile /onexec -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile /onexec -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile /onexec -> [^ab]//*,
+}
+
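Review bot: The last five profiles (foo11 to foo15) vary only the parent side and keep the child at `*`, so this file never parses a target with a non-`*` glob on both sides of `//`. onx_ad_re_ok_2.sd, onx_ad_re_ok_3.sd and onx_ad_re_ok_7.sd pair like with like in their final group (for instance `:**:**` and `:?:?`). If that was the intent here as well, foo12 would read `audit deny change_profile /onexec -> **//**,`, and foo13 to foo15 would use `?//?`, `[ab]//[ab]` and `[^ab]//[^ab]`.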
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_7.sd
new file mode 100644
index 0000000..a5bec80
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   audit deny change_profile /onexec -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile /onexec -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile /onexec -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile /onexec -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile /onexec -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile /onexec -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile /onexec -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile /onexec -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile /onexec -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile /onexec -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile /onexec -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile /onexec -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile /onexec -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_8.sd
new file mode 100644
index 0000000..6157fe7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile /onexec -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile /onexec -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile /onexec -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile /onexec -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile /onexec -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile /onexec -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile /onexec -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile /onexec -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile /onexec -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_1.sd
new file mode 100644
index 0000000..dabb505
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_2.sd
new file mode 100644
index 0000000..0e5bbe6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_3.sd
new file mode 100644
index 0000000..dd99477
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_4.sd
new file mode 100644
index 0000000..6e23389
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_5.sd
new file mode 100644
index 0000000..9b468de
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_6.sd
new file mode 100644
index 0000000..a966f2d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_7.sd
new file mode 100644
index 0000000..d33957f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_7.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_8.sd
new file mode 100644
index 0000000..c97874c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_8.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_ado_bare_bad_1.sd
new file mode 100644
index 0000000..e20ef89
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_1.sd
new file mode 100644
index 0000000..810a5f9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_2.sd
new file mode 100644
index 0000000..0e5bbe6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_3.sd
new file mode 100644
index 0000000..dd99477
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_4.sd
new file mode 100644
index 0000000..3717892
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_5.sd
new file mode 100644
index 0000000..a50e380
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_5.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_6.sd
new file mode 100644
index 0000000..01486e8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_7.sd
new file mode 100644
index 0000000..df3d8c9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_8.sd
new file mode 100644
index 0000000..cfa26b3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   audit deny owner change_profile /onexec -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_1.sd
new file mode 100644
index 0000000..ae9b0f5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_2.sd
new file mode 100644
index 0000000..a6b5bf1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_3.sd
new file mode 100644
index 0000000..63285c4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_4.sd
new file mode 100644
index 0000000..729d291
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION allow change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   allow change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_5.sd
new file mode 100644
index 0000000..2c7559d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION allow change_profile /onexec with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   allow change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_6.sd
new file mode 100644
index 0000000..762ecb3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile /onexec with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_7.sd
new file mode 100644
index 0000000..0ba9101
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile /onexec to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_8.sd
new file mode 100644
index 0000000..5eaa612
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile /onexec with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_1.sd
new file mode 100644
index 0000000..a3ad884
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION allow change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile /onexec -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile /onexec -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_2.sd
new file mode 100644
index 0000000..2512b89
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION allow change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   allow change_profile /onexec -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   allow change_profile /onexec -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile /onexec -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   allow change_profile /onexec -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   allow change_profile /onexec -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   allow change_profile /onexec -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   allow change_profile /onexec -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   allow change_profile /onexec -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   allow change_profile /onexec -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile /onexec -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   allow change_profile /onexec -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   allow change_profile /onexec -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   allow change_profile /onexec -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_3.sd
new file mode 100644
index 0000000..986f6f3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION allow change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   allow change_profile /onexec -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   allow change_profile /onexec -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile /onexec -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   allow change_profile /onexec -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   allow change_profile /onexec -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   allow change_profile /onexec -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   allow change_profile /onexec -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   allow change_profile /onexec -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   allow change_profile /onexec -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile /onexec -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   allow change_profile /onexec -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   allow change_profile /onexec -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   allow change_profile /onexec -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_4.sd
new file mode 100644
index 0000000..96b2574
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION allow change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   allow change_profile /onexec -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile /onexec -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   allow change_profile /onexec -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   allow change_profile /onexec -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   allow change_profile /onexec -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   allow change_profile /onexec -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   allow change_profile /onexec -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   allow change_profile /onexec -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   allow change_profile /onexec -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_5.sd
new file mode 100644
index 0000000..00bf678
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION allow change_profile /onexec with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   allow change_profile /onexec -> *,
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> **,
+}
+
+/usr/bin/foo3 {
+   allow change_profile /onexec -> ?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile /onexec -> [ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_6.sd
new file mode 100644
index 0000000..f96f578
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION allow change_profile /onexec with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   allow change_profile /onexec -> *//ab,
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> **//ab,
+}
+
+/usr/bin/foo3 {
+   allow change_profile /onexec -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   allow change_profile /onexec -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   allow change_profile /onexec -> ab//*,
+}
+
+/usr/bin/foo7 {
+   allow change_profile /onexec -> ab//**,
+}
+
+/usr/bin/foo8 {
+   allow change_profile /onexec -> ab//?,
+}
+
+/usr/bin/foo9 {
+   allow change_profile /onexec -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   allow change_profile /onexec -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   allow change_profile /onexec -> *//*,
+}
+
+/usr/bin/foo12 {
+   allow change_profile /onexec -> **//*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile /onexec -> ?//*,
+}
+
+/usr/bin/foo14 {
+   allow change_profile /onexec -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   allow change_profile /onexec -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_7.sd
new file mode 100644
index 0000000..44388d4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION allow change_profile /onexec with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   allow change_profile /onexec -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile /onexec -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile /onexec -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile /onexec -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   allow change_profile /onexec -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   allow change_profile /onexec -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   allow change_profile /onexec -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   allow change_profile /onexec -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   allow change_profile /onexec -> :*:*,
+}
+
+/usr/bin/foo12 {
+   allow change_profile /onexec -> :**:**,
+}
+
+/usr/bin/foo13 {
+   allow change_profile /onexec -> :?:?,
+}
+
+/usr/bin/foo14 {
+   allow change_profile /onexec -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   allow change_profile /onexec -> :[^ab]:[^ab],
+}
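Review bot: Every case in this file only asserts that the parser accepts a glob in the namespace or profile part of the target (`#=EXRESULT PASS`); nothing here checks what the compiled rule actually matches. For targets as broad as `:*:*` and `:**:**` that matters, because a glob that matched more than intended would widen the set of profiles a confined task may switch to, and this test would still pass. I would add a header comment such as `# parse-only test; what the namespace glob matches is not checked here` and, unless it is covered elsewhere in the series, a `verify_binary_equality` case in parser/tst/equality.sh for at least one namespace glob. onx_allow_re_ok_5.sd (`-> *`, `-> **`) has the same gap.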
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_8.sd
new file mode 100644
index 0000000..e445afe
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION allow change_profile /onexec re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   allow change_profile /onexec -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   allow change_profile /onexec -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   allow change_profile /onexec -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   allow change_profile /onexec -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   allow change_profile /onexec -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   allow change_profile /onexec -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   allow change_profile /onexec -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   allow change_profile /onexec -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   allow change_profile /onexec -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_1.sd
new file mode 100644
index 0000000..cf5212f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_2.sd
new file mode 100644
index 0000000..e5c1097
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_3.sd
new file mode 100644
index 0000000..87f4339
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_4.sd
new file mode 100644
index 0000000..e64b222
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit owner change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_5.sd
new file mode 100644
index 0000000..3495867
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit owner change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_6.sd
new file mode 100644
index 0000000..c4f87d2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_7.sd
new file mode 100644
index 0000000..86d3a29
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_7.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_8.sd
new file mode 100644
index 0000000..178879c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_8.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_ao_bare_bad_1.sd
new file mode 100644
index 0000000..6652785
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_1.sd
new file mode 100644
index 0000000..b437a2d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_2.sd
new file mode 100644
index 0000000..e5c1097
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> /bin/foo//bar,
+}
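Review bot: The rule here, `audit owner change_profile /onexec -> /bin/foo//bar,`, contains no glob, and the blob id e5c1097 is the same as for onx_ao_bad_2.sd, so this `_re_` test is a byte-for-byte copy and adds no coverage. Changing the rule to `audit owner change_profile /onexec -> /bin/fo*//ba*,` would make it the glob counterpart, in line with onx_ao_re_bad_1.sd. onx_ao_re_bad_3.sd is likewise identical to onx_ao_bad_3.sd (87f4339) and could use `:fo*:/bin/fo*` as its target. The rules in onx_da_re_bad_2.sd and onx_da_re_bad_3.sd are also glob-free.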
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_3.sd
new file mode 100644
index 0000000..87f4339
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_4.sd
new file mode 100644
index 0000000..016d0b2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit owner change_profile /onexec -> @{LIBVIRT}-fo*,
+}
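Review bot: `@{LIBVIRT_RE}="libvirt*"` is declared but the only rule uses `@{LIBVIRT}`, so the variable-with-glob case that the passing sibling onx_allow_re_ok_4.sd covers is not exercised with the `owner` prefix. Either drop the declaration or change the rule to `audit owner change_profile /onexec -> @{LIBVIRT_RE}-fo*,`. In a test that is expected to FAIL it also helps to keep the file down to the one construct that should be rejected, so that an unrelated parse error cannot make it pass. onx_da_re_bad_4.sd has the same unused declaration.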
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_5.sd
new file mode 100644
index 0000000..f076d90
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_5.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   audit owner change_profile /onexec -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_6.sd
new file mode 100644
index 0000000..586b78c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   audit owner change_profile /onexec -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_7.sd
new file mode 100644
index 0000000..1e4baf9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+/usr/bin/foo {
+   audit owner change_profile /onexec -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_8.sd
new file mode 100644
index 0000000..dd86e40
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   audit owner change_profile /onexec -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_bare_ok_1.sd
new file mode 100644
index 0000000..1cf8018
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_d_bare_ok_1.sd
new file mode 100644
index 0000000..5323b2e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_1.sd
new file mode 100644
index 0000000..ff6a210
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_2.sd
new file mode 100644
index 0000000..3d6d119
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_3.sd
new file mode 100644
index 0000000..5f78552
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_4.sd
new file mode 100644
index 0000000..10ce711
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_5.sd
new file mode 100644
index 0000000..dd15937
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny change_profile /onexec with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_6.sd
new file mode 100644
index 0000000..09d45da
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile /onexec with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_7.sd
new file mode 100644
index 0000000..84b1922
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile /onexec to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_8.sd
new file mode 100644
index 0000000..2e0c058
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile /onexec with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_1.sd
new file mode 100644
index 0000000..4b5efe4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION deny change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile /onexec -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile /onexec -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_2.sd
new file mode 100644
index 0000000..4399e8f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION deny change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   deny change_profile /onexec -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   deny change_profile /onexec -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile /onexec -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   deny change_profile /onexec -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   deny change_profile /onexec -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   deny change_profile /onexec -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   deny change_profile /onexec -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   deny change_profile /onexec -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   deny change_profile /onexec -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile /onexec -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   deny change_profile /onexec -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   deny change_profile /onexec -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   deny change_profile /onexec -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_3.sd
new file mode 100644
index 0000000..c16918b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION deny change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   deny change_profile /onexec -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   deny change_profile /onexec -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile /onexec -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   deny change_profile /onexec -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   deny change_profile /onexec -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   deny change_profile /onexec -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   deny change_profile /onexec -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   deny change_profile /onexec -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   deny change_profile /onexec -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile /onexec -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   deny change_profile /onexec -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   deny change_profile /onexec -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   deny change_profile /onexec -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_4.sd
new file mode 100644
index 0000000..b0e6955
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION deny change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   deny change_profile /onexec -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile /onexec -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   deny change_profile /onexec -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   deny change_profile /onexec -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   deny change_profile /onexec -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   deny change_profile /onexec -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   deny change_profile /onexec -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   deny change_profile /onexec -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   deny change_profile /onexec -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_5.sd
new file mode 100644
index 0000000..b885818
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION deny change_profile /onexec with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   deny change_profile /onexec -> *,
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> **,
+}
+
+/usr/bin/foo3 {
+   deny change_profile /onexec -> ?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile /onexec -> [ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_6.sd
new file mode 100644
index 0000000..f8e0d63
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION deny change_profile /onexec with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   deny change_profile /onexec -> *//ab,
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> **//ab,
+}
+
+/usr/bin/foo3 {
+   deny change_profile /onexec -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   deny change_profile /onexec -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   deny change_profile /onexec -> ab//*,
+}
+
+/usr/bin/foo7 {
+   deny change_profile /onexec -> ab//**,
+}
+
+/usr/bin/foo8 {
+   deny change_profile /onexec -> ab//?,
+}
+
+/usr/bin/foo9 {
+   deny change_profile /onexec -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   deny change_profile /onexec -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   deny change_profile /onexec -> *//*,
+}
+
+/usr/bin/foo12 {
+   deny change_profile /onexec -> **//*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile /onexec -> ?//*,
+}
+
+/usr/bin/foo14 {
+   deny change_profile /onexec -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   deny change_profile /onexec -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_7.sd
new file mode 100644
index 0000000..2e54277
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION deny change_profile /onexec with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   deny change_profile /onexec -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile /onexec -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile /onexec -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile /onexec -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   deny change_profile /onexec -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   deny change_profile /onexec -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   deny change_profile /onexec -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   deny change_profile /onexec -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   deny change_profile /onexec -> :*:*,
+}
+
+/usr/bin/foo12 {
+   deny change_profile /onexec -> :**:**,
+}
+
+/usr/bin/foo13 {
+   deny change_profile /onexec -> :?:?,
+}
+
+/usr/bin/foo14 {
+   deny change_profile /onexec -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   deny change_profile /onexec -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_8.sd
new file mode 100644
index 0000000..790c0ba
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION deny change_profile /onexec re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   deny change_profile /onexec -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   deny change_profile /onexec -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   deny change_profile /onexec -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   deny change_profile /onexec -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   deny change_profile /onexec -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   deny change_profile /onexec -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   deny change_profile /onexec -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   deny change_profile /onexec -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   deny change_profile /onexec -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_1.sd
new file mode 100644
index 0000000..2a89bd5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_2.sd
new file mode 100644
index 0000000..596558c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_3.sd
new file mode 100644
index 0000000..b4ea08e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_4.sd
new file mode 100644
index 0000000..2a38dbe
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny audit change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_5.sd
new file mode 100644
index 0000000..bcd53b6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny audit change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_6.sd
new file mode 100644
index 0000000..6c5393d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_7.sd
new file mode 100644
index 0000000..60a26d7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_7.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_8.sd
new file mode 100644
index 0000000..8635df6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_8.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_da_bare_bad_1.sd
new file mode 100644
index 0000000..98c9a33
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_1.sd
new file mode 100644
index 0000000..07a1592
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_2.sd
new file mode 100644
index 0000000..6707a55
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_3.sd
new file mode 100644
index 0000000..4633110
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_4.sd
new file mode 100644
index 0000000..24e2f1d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   deny audit change_profile /onexec -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_5.sd
new file mode 100644
index 0000000..c3eed84
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_5.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   deny audit change_profile /onexec -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_6.sd
new file mode 100644
index 0000000..3c8d008
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   deny audit change_profile /onexec -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_7.sd
new file mode 100644
index 0000000..a9664f3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+
+
+/usr/bin/foo {
+   deny audit change_profile /onexec -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_8.sd
new file mode 100644
index 0000000..66439f0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   deny audit change_profile /onexec -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_1.sd
new file mode 100644
index 0000000..3607dc7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_2.sd
new file mode 100644
index 0000000..cce085b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_3.sd
new file mode 100644
index 0000000..fd6d902
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_4.sd
new file mode 100644
index 0000000..226204a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny owner change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_5.sd
new file mode 100644
index 0000000..a78fb5b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny owner change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_6.sd
new file mode 100644
index 0000000..efdef28
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_7.sd
new file mode 100644
index 0000000..7352d4a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_7.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_8.sd
new file mode 100644
index 0000000..2a10839
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_8.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_do_bare_bad_1.sd
new file mode 100644
index 0000000..89d8567
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_1.sd
new file mode 100644
index 0000000..69c1d74
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_2.sd
new file mode 100644
index 0000000..cce085b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_3.sd
new file mode 100644
index 0000000..fd6d902
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_4.sd
new file mode 100644
index 0000000..05f1630
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   deny owner change_profile /onexec -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_5.sd
new file mode 100644
index 0000000..4e757f5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_5.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   deny owner change_profile /onexec -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_6.sd
new file mode 100644
index 0000000..1884d34
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   deny owner change_profile /onexec -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_7.sd
new file mode 100644
index 0000000..9c03a3a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+/usr/bin/foo {
+   deny owner change_profile /onexec -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_8.sd
new file mode 100644
index 0000000..0a26b2c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   deny owner change_profile /onexec -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_1.sd
new file mode 100644
index 0000000..5b8f32f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_2.sd
new file mode 100644
index 0000000..91722ce
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_3.sd
new file mode 100644
index 0000000..68b84d7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_4.sd
new file mode 100644
index 0000000..53e6408
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   owner change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_5.sd
new file mode 100644
index 0000000..197f30a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   owner change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_6.sd
new file mode 100644
index 0000000..d5fae4e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_7.sd
new file mode 100644
index 0000000..83ef001
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_7.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_8.sd
new file mode 100644
index 0000000..60b6c1a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_8.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_o_bare_bad_1.sd
new file mode 100644
index 0000000..3510a06
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_1.sd
new file mode 100644
index 0000000..eaa660b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_2.sd
new file mode 100644
index 0000000..91722ce
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_3.sd
new file mode 100644
index 0000000..68b84d7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_4.sd
new file mode 100644
index 0000000..6600c38
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   owner change_profile /onexec -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_5.sd
new file mode 100644
index 0000000..f9d63cf
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_5.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   owner change_profile /onexec -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_6.sd
new file mode 100644
index 0000000..1b92a73
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   owner change_profile /onexec -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_7.sd
new file mode 100644
index 0000000..16cd8b3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+/usr/bin/foo {
+   owner change_profile /onexec -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_8.sd
new file mode 100644
index 0000000..7ea2ce7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   owner change_profile /onexec -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_ok_1.sd
new file mode 100644
index 0000000..d51ae1b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_ok_2.sd
new file mode 100644
index 0000000..d24ae10
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_ok_3.sd
new file mode 100644
index 0000000..2d3179e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_ok_4.sd
new file mode 100644
index 0000000..31c2104
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_ok_5.sd
new file mode 100644
index 0000000..3b7d45e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION change_profile /onexec with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_ok_6.sd
new file mode 100644
index 0000000..a5fd2d5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION change_profile /onexec with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_ok_7.sd
new file mode 100644
index 0000000..2b318ca
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION change_profile /onexec to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_ok_8.sd
new file mode 100644
index 0000000..23b185e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION change_profile /onexec with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_1.sd
new file mode 100644
index 0000000..1ebfc68
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   change_profile /onexec -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   change_profile /onexec -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   change_profile /onexec -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_2.sd
new file mode 100644
index 0000000..7578203
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   change_profile /onexec -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   change_profile /onexec -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   change_profile /onexec -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   change_profile /onexec -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   change_profile /onexec -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   change_profile /onexec -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   change_profile /onexec -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   change_profile /onexec -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   change_profile /onexec -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   change_profile /onexec -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   change_profile /onexec -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   change_profile /onexec -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   change_profile /onexec -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   change_profile /onexec -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_3.sd
new file mode 100644
index 0000000..4d5c054
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   change_profile /onexec -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   change_profile /onexec -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   change_profile /onexec -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   change_profile /onexec -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   change_profile /onexec -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   change_profile /onexec -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   change_profile /onexec -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   change_profile /onexec -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   change_profile /onexec -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   change_profile /onexec -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   change_profile /onexec -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   change_profile /onexec -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   change_profile /onexec -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   change_profile /onexec -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_4.sd
new file mode 100644
index 0000000..ebcdbfa
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   change_profile /onexec -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   change_profile /onexec -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   change_profile /onexec -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   change_profile /onexec -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   change_profile /onexec -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   change_profile /onexec -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   change_profile /onexec -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   change_profile /onexec -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   change_profile /onexec -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   change_profile /onexec -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_5.sd
new file mode 100644
index 0000000..e87a955
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION change_profile /onexec with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   change_profile /onexec -> *,
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> **,
+}
+
+/usr/bin/foo3 {
+   change_profile /onexec -> ?,
+}
+
+/usr/bin/foo4 {
+   change_profile /onexec -> [ab],
+}
+
+/usr/bin/foo5 {
+   change_profile /onexec -> [^ab],
+}
+
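Review bot: The description `with just res` is hard to read and does not say that accepting a target made only of a glob is intended. Going by the equality test this commit extends in parser/tst/equality.sh (`change_profile` == `change_profile -> **`), the foo2 rule places no restriction on the target profile, so a reader of this fixture should be told that the parser is meant to accept it. I would write `#=DESCRIPTION change_profile /onexec where the target is only a glob (-> ** is as broad as a bare rule)`; onx_re_ok_6.sd and onx_re_ok_7.sd use the same `just res` / `just re` wording.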
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_6.sd
new file mode 100644
index 0000000..31dbafc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION change_profile /onexec with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   change_profile /onexec -> *//ab,
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> **//ab,
+}
+
+/usr/bin/foo3 {
+   change_profile /onexec -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   change_profile /onexec -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   change_profile /onexec -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   change_profile /onexec -> ab//*,
+}
+
+/usr/bin/foo7 {
+   change_profile /onexec -> ab//**,
+}
+
+/usr/bin/foo8 {
+   change_profile /onexec -> ab//?,
+}
+
+/usr/bin/foo9 {
+   change_profile /onexec -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   change_profile /onexec -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   change_profile /onexec -> *//*,
+}
+
+/usr/bin/foo12 {
+   change_profile /onexec -> **//*,
+}
+
+/usr/bin/foo13 {
+   change_profile /onexec -> ?//*,
+}
+
+/usr/bin/foo14 {
+   change_profile /onexec -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   change_profile /onexec -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_7.sd
new file mode 100644
index 0000000..44362fc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION change_profile /onexec with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   change_profile /onexec -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   change_profile /onexec -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   change_profile /onexec -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   change_profile /onexec -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   change_profile /onexec -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   change_profile /onexec -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   change_profile /onexec -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   change_profile /onexec -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   change_profile /onexec -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   change_profile /onexec -> :*:*,
+}
+
+/usr/bin/foo12 {
+   change_profile /onexec -> :**:**,
+}
+
+/usr/bin/foo13 {
+   change_profile /onexec -> :?:?,
+}
+
+/usr/bin/foo14 {
+   change_profile /onexec -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   change_profile /onexec -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_8.sd
new file mode 100644
index 0000000..bce3aa3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION change_profile /onexec re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   change_profile /onexec -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   change_profile /onexec -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   change_profile /onexec -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   change_profile /onexec -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   change_profile /onexec -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   change_profile /onexec -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   change_profile /onexec -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   change_profile /onexec -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   change_profile /onexec -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   change_profile /onexec -> "/bin/ ?ab",
+}
+
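Review bot: Profile names in this file start at `/usr/bin/foo5` and skip `foo9`, which reads like a leftover from a longer list, and the quoted set has no bare `"/bin/?"` case although the unquoted onx_re_ok_1.sd tests `/bin/?`. If the gap is deliberate, a comment line such as `# quoted "/bin/?" is covered by the ?ab cases` would say so; otherwise a `/usr/bin/foo9` profile with `change_profile /onexec -> "/bin/?",` would close it. The onx_*_re_bad_8.sd fixtures reuse the `/usr/bin/foo5` name from here, so renumbering should be done in both places.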
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_a_bare_ok_1.sd
new file mode 100644
index 0000000..ad82ece
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_bare_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_1.sd
new file mode 100644
index 0000000..bdfb5fd
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_2.sd
new file mode 100644
index 0000000..6044b67
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_3.sd
new file mode 100644
index 0000000..a0e5d51
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_4.sd
new file mode 100644
index 0000000..30d1015
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_5.sd
new file mode 100644
index 0000000..0d0448e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile @{var} with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_6.sd
new file mode 100644
index 0000000..8d252a5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_6.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION audit change_profile @{var} with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_7.sd
new file mode 100644
index 0000000..10a3878
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_7.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION audit change_profile @{var} to a hat with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_8.sd
new file mode 100644
index 0000000..34b23dd
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_8.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION audit change_profile @{var} with name space with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_1.sd
new file mode 100644
index 0000000..6b0ed1a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_1.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile @{var} -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile @{var} -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_2.sd
new file mode 100644
index 0000000..029c75a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_2.sd
@@ -0,0 +1,70 @@
+#
+#=DESCRIPTION audit change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit change_profile @{var} -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit change_profile @{var} -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile @{var} -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit change_profile @{var} -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit change_profile @{var} -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit change_profile @{var} -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit change_profile @{var} -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit change_profile @{var} -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit change_profile @{var} -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile @{var} -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit change_profile @{var} -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit change_profile @{var} -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit change_profile @{var} -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_3.sd
new file mode 100644
index 0000000..4dbbefb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_3.sd
@@ -0,0 +1,68 @@
+#
+#=DESCRIPTION audit change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit change_profile @{var} -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit change_profile @{var} -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile @{var} -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit change_profile @{var} -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit change_profile @{var} -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit change_profile @{var} -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit change_profile @{var} -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit change_profile @{var} -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit change_profile @{var} -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile @{var} -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit change_profile @{var} -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit change_profile @{var} -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit change_profile @{var} -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_4.sd
new file mode 100644
index 0000000..3531560
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_4.sd
@@ -0,0 +1,52 @@
+#
+#=DESCRIPTION audit change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile @{var} -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit change_profile @{var} -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit change_profile @{var} -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit change_profile @{var} -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit change_profile @{var} -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit change_profile @{var} -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit change_profile @{var} -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit change_profile @{var} -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_5.sd
new file mode 100644
index 0000000..2b33e1a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_5.sd
@@ -0,0 +1,26 @@
+#
+#=DESCRIPTION audit change_profile @{var} with just res
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> *,
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> **,
+}
+
+/usr/bin/foo3 {
+   audit change_profile @{var} -> ?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile @{var} -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_6.sd
new file mode 100644
index 0000000..3ec2ded
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_6.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION audit change_profile @{var} with just res, child profile
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit change_profile @{var} -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit change_profile @{var} -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit change_profile @{var} -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit change_profile @{var} -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit change_profile @{var} -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit change_profile @{var} -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit change_profile @{var} -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit change_profile @{var} -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit change_profile @{var} -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile @{var} -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit change_profile @{var} -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit change_profile @{var} -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_7.sd
new file mode 100644
index 0000000..71b3788
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_7.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION audit change_profile @{var} with just re, namespace
+#=EXRESULT PASS
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile @{var} -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile @{var} -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile @{var} -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit change_profile @{var} -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit change_profile @{var} -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit change_profile @{var} -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit change_profile @{var} -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit change_profile @{var} -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit change_profile @{var} -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit change_profile @{var} -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit change_profile @{var} -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit change_profile @{var} -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_8.sd
new file mode 100644
index 0000000..592bf30
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_8.sd
@@ -0,0 +1,47 @@
+#
+#=DESCRIPTION audit change_profile @{var} re with quotes
+#=EXRESULT PASS
+#
+
+@{var}=/test
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit change_profile @{var} -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit change_profile @{var} -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit change_profile @{var} -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit change_profile @{var} -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit change_profile @{var} -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit change_profile @{var} -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit change_profile @{var} -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit change_profile @{var} -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit change_profile @{var} -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_1.sd
new file mode 100644
index 0000000..45d29a5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_1.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> /bin/foo,
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_2.sd
new file mode 100644
index 0000000..c8874a7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_3.sd
new file mode 100644
index 0000000..5f87bea
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_4.sd
new file mode 100644
index 0000000..f26f200
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_5.sd
new file mode 100644
index 0000000..80ecf75
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_6.sd
new file mode 100644
index 0000000..6576b2c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_7.sd
new file mode 100644
index 0000000..bd316fa
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_8.sd
new file mode 100644
index 0000000..3b3abfa
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_1.sd
new file mode 100644
index 0000000..5cc7e34
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_2.sd
new file mode 100644
index 0000000..c8874a7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> /bin/foo//bar,
+}
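Review bot: The rule in this `_re_` negative test has no pattern in its target: `audit allow owner change_profile @{var} -> /bin/foo//bar,` is the same content as onxvar_aao_bad_2.sd, and both index lines carry the same blob id (c8874a7). The same holds for onxvar_aao_re_bad_3.sd, which matches onxvar_aao_bad_3.sd (5f87bea). As written, the `owner` rejection is never exercised against a hat or namespace target that contains a glob. Reusing the patterns from the matching ok tests would restore that coverage, e.g. `audit allow owner change_profile @{var} -> /bin/foo//ba*,` here and `audit allow owner change_profile @{var} -> :foo:/bin/fo*,` in onxvar_aao_re_bad_3.sd.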
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_3.sd
new file mode 100644
index 0000000..5f87bea
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_4.sd
new file mode 100644
index 0000000..acf2fcb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_4.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> @{LIBVIRT}-fo*,
+}
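Review bot: `@{LIBVIRT_RE}="libvirt*"` is declared but no rule in this file uses it; the only rule targets `@{LIBVIRT}-fo*`. The declaration looks carried over from onxvar_a_re_ok_4.sd, where profiles foo6 to foo11 reference it. Either drop the declaration or change the rule to `audit allow owner change_profile @{var} -> @{LIBVIRT_RE}-fo*,` so the negative test covers a variable whose value itself contains a glob.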
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_5.sd
new file mode 100644
index 0000000..5c904ce
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_6.sd
new file mode 100644
index 0000000..923c89c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_6.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_7.sd
new file mode 100644
index 0000000..a6c8984
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_7.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_8.sd
new file mode 100644
index 0000000..ec3a7fe
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   audit allow owner change_profile @{var} -> "/bin/*",
+}
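Review bot: `@{var}` is referenced in the rule but never declared in this file, whereas the other onxvar tests visible in this patch begin with `@{var}=/test`. Because the expected result is FAIL, the test is satisfied by any parse error, so it presumably passes because of the undeclared variable and would keep passing even if `owner` were wrongly accepted on a change_profile rule. Add `@{var}=/test` above the `/usr/bin/foo5 {` line so that the `owner` qualifier is the only invalid element in the profile.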
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_bare_ok_1.sd
new file mode 100644
index 0000000..66f6391
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_bare_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit deny change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_1.sd
new file mode 100644
index 0000000..b2da764
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit deny change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_2.sd
new file mode 100644
index 0000000..78028d6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_3.sd
new file mode 100644
index 0000000..60ea5ec
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_4.sd
new file mode 100644
index 0000000..2d2b3b6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_5.sd
new file mode 100644
index 0000000..faeee80
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_6.sd
new file mode 100644
index 0000000..41b670e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_6.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_7.sd
new file mode 100644
index 0000000..cfa8ce9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_7.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} to a hat with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_8.sd
new file mode 100644
index 0000000..de43c8d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_8.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with name space with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_1.sd
new file mode 100644
index 0000000..9e340ce
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_1.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit deny change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile @{var} -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile @{var} -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_2.sd
new file mode 100644
index 0000000..f2767fc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_2.sd
@@ -0,0 +1,70 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile @{var} -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile @{var} -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile @{var} -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile @{var} -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile @{var} -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile @{var} -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile @{var} -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile @{var} -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile @{var} -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile @{var} -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile @{var} -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile @{var} -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit deny change_profile @{var} -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_3.sd
new file mode 100644
index 0000000..0fe239e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_3.sd
@@ -0,0 +1,68 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile @{var} -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile @{var} -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile @{var} -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile @{var} -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile @{var} -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile @{var} -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile @{var} -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile @{var} -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile @{var} -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile @{var} -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile @{var} -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile @{var} -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit deny change_profile @{var} -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_4.sd
new file mode 100644
index 0000000..1037f01
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_4.sd
@@ -0,0 +1,52 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile @{var} -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile @{var} -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile @{var} -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile @{var} -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile @{var} -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile @{var} -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile @{var} -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile @{var} -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_5.sd
new file mode 100644
index 0000000..88dc5b5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_5.sd
@@ -0,0 +1,26 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with just res
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> *,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> **,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile @{var} -> ?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile @{var} -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_6.sd
new file mode 100644
index 0000000..ab287b1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_6.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with just res, child profile
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile @{var} -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile @{var} -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile @{var} -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile @{var} -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile @{var} -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile @{var} -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile @{var} -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile @{var} -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile @{var} -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile @{var} -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile @{var} -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile @{var} -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_7.sd
new file mode 100644
index 0000000..3b8e70c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_7.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with just re, namespace
+#=EXRESULT PASS
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile @{var} -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile @{var} -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile @{var} -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile @{var} -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile @{var} -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile @{var} -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile @{var} -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile @{var} -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile @{var} -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile @{var} -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile @{var} -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile @{var} -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_8.sd
new file mode 100644
index 0000000..6e039d0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_8.sd
@@ -0,0 +1,47 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} re with quotes
+#=EXRESULT PASS
+#
+
+@{var}=/test
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile @{var} -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile @{var} -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile @{var} -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile @{var} -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile @{var} -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile @{var} -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile @{var} -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile @{var} -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile @{var} -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_1.sd
new file mode 100644
index 0000000..9982355
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_2.sd
new file mode 100644
index 0000000..540cb65
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_3.sd
new file mode 100644
index 0000000..714eabd
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_4.sd
new file mode 100644
index 0000000..2c5eb03
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_5.sd
new file mode 100644
index 0000000..def2907
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_6.sd
new file mode 100644
index 0000000..804d973
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_7.sd
new file mode 100644
index 0000000..1fe8ccc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_8.sd
new file mode 100644
index 0000000..cb4dfb7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bare_bad_1.sd
new file mode 100644
index 0000000..4869019
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bare_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_1.sd
new file mode 100644
index 0000000..fbc7947
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_2.sd
new file mode 100644
index 0000000..540cb65
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> /bin/foo//bar,
+}
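Review bot: The `_re_` variant here contains no regex: the target is the literal `/bin/foo//bar`, and the file has the same blob id (540cb65) as onxvar_ado_bad_2.sd, so it adds no coverage for `owner` rejection with a globbed hat target. The same applies to onxvar_ado_re_bad_3.sd (714eabd), onxvar_ao_re_bad_2.sd (e874142) and onxvar_ao_re_bad_3.sd (b83addc). Judging by the matching `_re_ok_` files, the rules were probably meant to be globbed, e.g. `audit deny owner change_profile @{var} -> /bin/foo//ba*,` here and `-> :foo:/bin/fo*,` in the `_3` files.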
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_3.sd
new file mode 100644
index 0000000..714eabd
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_4.sd
new file mode 100644
index 0000000..712eeaf
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_4.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> @{LIBVIRT}-fo*,
+}
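Review bot: `@{LIBVIRT_RE}` is declared but never referenced; the only rule uses `@{LIBVIRT}-fo*`. The case where the glob comes from the variable itself, which onxvar_allow_re_ok_4.sd exercises, therefore has no `owner`-rejection counterpart. Either drop the declaration or add a separate one-rule file with `audit deny owner change_profile @{var} -> @{LIBVIRT_RE}-foo,`. onxvar_ao_re_bad_4.sd carries the same unused declaration.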
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_5.sd
new file mode 100644
index 0000000..8bcc07b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_6.sd
new file mode 100644
index 0000000..05641e8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_6.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_7.sd
new file mode 100644
index 0000000..a8ca795
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_7.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_8.sd
new file mode 100644
index 0000000..14f801d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   audit deny owner change_profile @{var} -> "/bin/*",
+}
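Review bot: `@{var}` is used in the rule but never declared in this file, so the expected FAIL is probably triggered by the undeclared variable rather than by the `owner` qualifier the description names. If the parser ever began accepting `owner` on change_profile rules, this test would most likely still report FAIL and hide the regression. Adding `@{var}=/test` ahead of the profile, as the sibling files do, ties the failure to `owner`. onxvar_ao_re_bad_8.sd has the same omission.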
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_1.sd
new file mode 100644
index 0000000..5558d09
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION allow change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_2.sd
new file mode 100644
index 0000000..4d609c8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION allow change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_3.sd
new file mode 100644
index 0000000..5f08c95
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION allow change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_4.sd
new file mode 100644
index 0000000..03e6a55
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_5.sd
new file mode 100644
index 0000000..6268054
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile @{var} with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_6.sd
new file mode 100644
index 0000000..6834700
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_6.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION allow change_profile @{var} with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_7.sd
new file mode 100644
index 0000000..152c1e1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_7.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION allow change_profile @{var} to a hat with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_8.sd
new file mode 100644
index 0000000..d17857d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_8.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION allow change_profile @{var} with name space with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_1.sd
new file mode 100644
index 0000000..6c20308
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_1.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION allow change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile @{var} -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile @{var} -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> /bin/[^ab],
+}
+
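Review bot: The `#=DESCRIPTION` line is identical to the one in onxvar_allow_ok_1.sd and does not mention that the targets are globs, so the two tests may be hard to tell apart in a failure report. Something like `#=DESCRIPTION allow change_profile @{var} with regex targets` would distinguish them. The allow `_re_ok_2` to `_re_ok_4` files and onxvar_d_re_ok_1.sd reuse their non-regex descriptions in the same way.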
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_2.sd
new file mode 100644
index 0000000..0f79b51
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_2.sd
@@ -0,0 +1,70 @@
+#
+#=DESCRIPTION allow change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   allow change_profile @{var} -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   allow change_profile @{var} -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile @{var} -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   allow change_profile @{var} -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   allow change_profile @{var} -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   allow change_profile @{var} -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   allow change_profile @{var} -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   allow change_profile @{var} -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   allow change_profile @{var} -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile @{var} -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   allow change_profile @{var} -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   allow change_profile @{var} -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   allow change_profile @{var} -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_3.sd
new file mode 100644
index 0000000..c0efad1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_3.sd
@@ -0,0 +1,68 @@
+#
+#=DESCRIPTION allow change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   allow change_profile @{var} -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   allow change_profile @{var} -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile @{var} -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   allow change_profile @{var} -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   allow change_profile @{var} -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   allow change_profile @{var} -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   allow change_profile @{var} -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   allow change_profile @{var} -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   allow change_profile @{var} -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile @{var} -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   allow change_profile @{var} -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   allow change_profile @{var} -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   allow change_profile @{var} -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_4.sd
new file mode 100644
index 0000000..1b15eab
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_4.sd
@@ -0,0 +1,52 @@
+#
+#=DESCRIPTION allow change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile @{var} -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   allow change_profile @{var} -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   allow change_profile @{var} -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   allow change_profile @{var} -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   allow change_profile @{var} -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   allow change_profile @{var} -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   allow change_profile @{var} -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   allow change_profile @{var} -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_5.sd
new file mode 100644
index 0000000..4582068
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_5.sd
@@ -0,0 +1,26 @@
+#
+#=DESCRIPTION allow change_profile @{var} with just res
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> *,
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> **,
+}
+
+/usr/bin/foo3 {
+   allow change_profile @{var} -> ?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile @{var} -> [ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_6.sd
new file mode 100644
index 0000000..a22a4d3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_6.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION allow change_profile @{var} with just res, child profile
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> *//ab,
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> **//ab,
+}
+
+/usr/bin/foo3 {
+   allow change_profile @{var} -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   allow change_profile @{var} -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   allow change_profile @{var} -> ab//*,
+}
+
+/usr/bin/foo7 {
+   allow change_profile @{var} -> ab//**,
+}
+
+/usr/bin/foo8 {
+   allow change_profile @{var} -> ab//?,
+}
+
+/usr/bin/foo9 {
+   allow change_profile @{var} -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   allow change_profile @{var} -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   allow change_profile @{var} -> *//*,
+}
+
+/usr/bin/foo12 {
+   allow change_profile @{var} -> **//*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile @{var} -> ?//*,
+}
+
+/usr/bin/foo14 {
+   allow change_profile @{var} -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   allow change_profile @{var} -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_7.sd
new file mode 100644
index 0000000..9e625b3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_7.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION allow change_profile @{var} with just re, namespace
+#=EXRESULT PASS
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile @{var} -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile @{var} -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile @{var} -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   allow change_profile @{var} -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   allow change_profile @{var} -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   allow change_profile @{var} -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   allow change_profile @{var} -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   allow change_profile @{var} -> :*:*,
+}
+
+/usr/bin/foo12 {
+   allow change_profile @{var} -> :**:**,
+}
+
+/usr/bin/foo13 {
+   allow change_profile @{var} -> :?:?,
+}
+
+/usr/bin/foo14 {
+   allow change_profile @{var} -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   allow change_profile @{var} -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_8.sd
new file mode 100644
index 0000000..577c6f5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_8.sd
@@ -0,0 +1,47 @@
+#
+#=DESCRIPTION allow change_profile @{var} re with quotes
+#=EXRESULT PASS
+#
+
+@{var}=/test
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   allow change_profile @{var} -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   allow change_profile @{var} -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   allow change_profile @{var} -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   allow change_profile @{var} -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   allow change_profile @{var} -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   allow change_profile @{var} -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   allow change_profile @{var} -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   allow change_profile @{var} -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   allow change_profile @{var} -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_1.sd
new file mode 100644
index 0000000..d34b051
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_2.sd
new file mode 100644
index 0000000..e874142
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_3.sd
new file mode 100644
index 0000000..b83addc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_4.sd
new file mode 100644
index 0000000..e04e3ec
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_5.sd
new file mode 100644
index 0000000..6f3abfe
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_6.sd
new file mode 100644
index 0000000..5d80b08
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_7.sd
new file mode 100644
index 0000000..f8e1e32
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_8.sd
new file mode 100644
index 0000000..3adbe1d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bare_bad_1.sd
new file mode 100644
index 0000000..9431b18
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bare_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_1.sd
new file mode 100644
index 0000000..d58d557
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_2.sd
new file mode 100644
index 0000000..e874142
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_3.sd
new file mode 100644
index 0000000..b83addc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_4.sd
new file mode 100644
index 0000000..a4794d0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_4.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_5.sd
new file mode 100644
index 0000000..15474aa
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_6.sd
new file mode 100644
index 0000000..da1546d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_6.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_7.sd
new file mode 100644
index 0000000..b13e8ab
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_7.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_8.sd
new file mode 100644
index 0000000..7f3bc78
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   audit owner change_profile @{var} -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_bare_ok_1.sd
new file mode 100644
index 0000000..d510a9c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_bare_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_d_bare_ok_1.sd
new file mode 100644
index 0000000..d9fe63a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_bare_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_1.sd
new file mode 100644
index 0000000..1dbbd25
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_2.sd
new file mode 100644
index 0000000..89bae60
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_3.sd
new file mode 100644
index 0000000..c1707ab
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_4.sd
new file mode 100644
index 0000000..9f13bee
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_5.sd
new file mode 100644
index 0000000..add3b51
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile @{var} with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_6.sd
new file mode 100644
index 0000000..32b7ad5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_6.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION deny change_profile @{var} with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_7.sd
new file mode 100644
index 0000000..ff76f0e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_7.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION deny change_profile @{var} to a hat with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_8.sd
new file mode 100644
index 0000000..1ba4854
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_8.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION deny change_profile @{var} with name space with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_1.sd
new file mode 100644
index 0000000..6bc441d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_1.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION deny change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile @{var} -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile @{var} -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_2.sd
new file mode 100644
index 0000000..8d2008b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_2.sd
@@ -0,0 +1,70 @@
+#
+#=DESCRIPTION deny change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   deny change_profile @{var} -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   deny change_profile @{var} -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile @{var} -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   deny change_profile @{var} -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   deny change_profile @{var} -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   deny change_profile @{var} -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   deny change_profile @{var} -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   deny change_profile @{var} -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   deny change_profile @{var} -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile @{var} -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   deny change_profile @{var} -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   deny change_profile @{var} -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   deny change_profile @{var} -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_3.sd
new file mode 100644
index 0000000..c5a0e6b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_3.sd
@@ -0,0 +1,68 @@
+#
+#=DESCRIPTION deny change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   deny change_profile @{var} -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   deny change_profile @{var} -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile @{var} -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   deny change_profile @{var} -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   deny change_profile @{var} -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   deny change_profile @{var} -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   deny change_profile @{var} -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   deny change_profile @{var} -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   deny change_profile @{var} -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile @{var} -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   deny change_profile @{var} -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   deny change_profile @{var} -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   deny change_profile @{var} -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_4.sd
new file mode 100644
index 0000000..75ebc61
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_4.sd
@@ -0,0 +1,52 @@
+#
+#=DESCRIPTION deny change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile @{var} -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   deny change_profile @{var} -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   deny change_profile @{var} -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   deny change_profile @{var} -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   deny change_profile @{var} -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   deny change_profile @{var} -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   deny change_profile @{var} -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   deny change_profile @{var} -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_5.sd
new file mode 100644
index 0000000..be35cad
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_5.sd
@@ -0,0 +1,26 @@
+#
+#=DESCRIPTION deny change_profile @{var} with just res
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> *,
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> **,
+}
+
+/usr/bin/foo3 {
+   deny change_profile @{var} -> ?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile @{var} -> [ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_6.sd
new file mode 100644
index 0000000..54d3f8c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_6.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION deny change_profile @{var} with just res, child profile
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> *//ab,
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> **//ab,
+}
+
+/usr/bin/foo3 {
+   deny change_profile @{var} -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   deny change_profile @{var} -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   deny change_profile @{var} -> ab//*,
+}
+
+/usr/bin/foo7 {
+   deny change_profile @{var} -> ab//**,
+}
+
+/usr/bin/foo8 {
+   deny change_profile @{var} -> ab//?,
+}
+
+/usr/bin/foo9 {
+   deny change_profile @{var} -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   deny change_profile @{var} -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   deny change_profile @{var} -> *//*,
+}
+
+/usr/bin/foo12 {
+   deny change_profile @{var} -> **//*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile @{var} -> ?//*,
+}
+
+/usr/bin/foo14 {
+   deny change_profile @{var} -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   deny change_profile @{var} -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_7.sd
new file mode 100644
index 0000000..29a34c8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_7.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION deny change_profile @{var} with just re, namespace
+#=EXRESULT PASS
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile @{var} -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile @{var} -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile @{var} -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   deny change_profile @{var} -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   deny change_profile @{var} -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   deny change_profile @{var} -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   deny change_profile @{var} -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   deny change_profile @{var} -> :*:*,
+}
+
+/usr/bin/foo12 {
+   deny change_profile @{var} -> :**:**,
+}
+
+/usr/bin/foo13 {
+   deny change_profile @{var} -> :?:?,
+}
+
+/usr/bin/foo14 {
+   deny change_profile @{var} -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   deny change_profile @{var} -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_8.sd
new file mode 100644
index 0000000..94c9192
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_8.sd
@@ -0,0 +1,47 @@
+#
+#=DESCRIPTION deny change_profile @{var} re with quotes
+#=EXRESULT PASS
+#
+
+@{var}=/test
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   deny change_profile @{var} -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   deny change_profile @{var} -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   deny change_profile @{var} -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   deny change_profile @{var} -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   deny change_profile @{var} -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   deny change_profile @{var} -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   deny change_profile @{var} -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   deny change_profile @{var} -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   deny change_profile @{var} -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_1.sd
new file mode 100644
index 0000000..9fd49f8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_2.sd
new file mode 100644
index 0000000..6f30953
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_3.sd
new file mode 100644
index 0000000..1db2795
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_4.sd
new file mode 100644
index 0000000..e85d3bd
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_5.sd
new file mode 100644
index 0000000..a376567
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_6.sd
new file mode 100644
index 0000000..b8f3a8a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_7.sd
new file mode 100644
index 0000000..1247deb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_8.sd
new file mode 100644
index 0000000..0f243e0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bare_bad_1.sd
new file mode 100644
index 0000000..e60f05c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bare_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_1.sd
new file mode 100644
index 0000000..35e88d4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_1.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> /bin/*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_2.sd
new file mode 100644
index 0000000..6f30953
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> /bin/foo//bar,
+}
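Review bot: onxvar_da_re_bad_2.sd has the same blob id (6f30953) as onxvar_da_bad_2.sd, and its target `/bin/foo//bar` contains no glob, so the `_re_` case adds no coverage over the literal one. onxvar_da_re_bad_3.sd (1db2795) likewise repeats onxvar_da_bad_3.sd, and the `do` and `o` series contain the same duplicated pairs (b9698b0, 1817d03, c93cdb0, b95da0e). If pattern targets were intended, `deny audit change_profile @{var} -> /bin/foo//ba*,` here and a `:foo:/bin/fo*` target in the `_3` file would mirror the onxvar_d_re_ok_2.sd and onxvar_d_re_ok_3.sd cases.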
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_3.sd
new file mode 100644
index 0000000..1db2795
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_4.sd
new file mode 100644
index 0000000..1fe9847
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_4.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> @{LIBVIRT}-fo*,
+}
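Review bot: `@{LIBVIRT_RE}` is declared in onxvar_da_re_bad_4.sd but never referenced; the only rule uses `@{LIBVIRT}-fo*`. The passing counterpart onxvar_d_re_ok_4.sd exercises both variables, so the declaration here looks like a leftover from trimming that file down. Either drop the unused line or switch the rule to `deny audit change_profile @{var} -> @{LIBVIRT_RE}-fo*,` so that a glob arriving through variable expansion is the case under test. onxvar_do_re_bad_4.sd and onxvar_o_re_bad_4.sd carry the same unused declaration.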
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_5.sd
new file mode 100644
index 0000000..c924fff
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_6.sd
new file mode 100644
index 0000000..b43b7a1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_6.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_7.sd
new file mode 100644
index 0000000..209bae6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_7.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_8.sd
new file mode 100644
index 0000000..1c9abf1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   deny audit change_profile @{var} -> "/bin/*",
+}
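Review bot: `@{var}` is used in the rule of onxvar_da_re_bad_8.sd but never declared in the file, unlike the neighbouring onxvar tests, which all set `@{var}=/test` first. The parser would presumably reject the profile for the undeclared variable alone, so the expected FAIL no longer shows that the `deny audit` prefix order is what gets refused. A regression that started accepting the wrong order would then go unnoticed. Add `@{var}=/test` before `/usr/bin/foo5 {`; onxvar_do_re_bad_8.sd and onxvar_o_re_bad_8.sd have the same omission.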
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_1.sd
new file mode 100644
index 0000000..b5c7aa1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_2.sd
new file mode 100644
index 0000000..b9698b0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_3.sd
new file mode 100644
index 0000000..1817d03
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_4.sd
new file mode 100644
index 0000000..80b5993
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_5.sd
new file mode 100644
index 0000000..4f15f19
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_6.sd
new file mode 100644
index 0000000..9992c38
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_7.sd
new file mode 100644
index 0000000..198a3e4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_8.sd
new file mode 100644
index 0000000..6bfce7c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bare_bad_1.sd
new file mode 100644
index 0000000..647d128
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bare_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_1.sd
new file mode 100644
index 0000000..4c26beb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_2.sd
new file mode 100644
index 0000000..b9698b0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_3.sd
new file mode 100644
index 0000000..1817d03
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_4.sd
new file mode 100644
index 0000000..e64ba00
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_4.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_5.sd
new file mode 100644
index 0000000..21999c2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_6.sd
new file mode 100644
index 0000000..0b77c8e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_6.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_7.sd
new file mode 100644
index 0000000..a6ca518
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_7.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_8.sd
new file mode 100644
index 0000000..3a78dfc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   deny owner change_profile @{var} -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_1.sd
new file mode 100644
index 0000000..083e0c4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_2.sd
new file mode 100644
index 0000000..c93cdb0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_3.sd
new file mode 100644
index 0000000..b95da0e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_4.sd
new file mode 100644
index 0000000..e5c903a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_5.sd
new file mode 100644
index 0000000..79565e8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_6.sd
new file mode 100644
index 0000000..437ff6d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_7.sd
new file mode 100644
index 0000000..bfbefaa
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_8.sd
new file mode 100644
index 0000000..e98b8b8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bare_bad_1.sd
new file mode 100644
index 0000000..7252670
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bare_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_1.sd
new file mode 100644
index 0000000..d699e5c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_2.sd
new file mode 100644
index 0000000..c93cdb0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_3.sd
new file mode 100644
index 0000000..b95da0e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_4.sd
new file mode 100644
index 0000000..0b62411
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_4.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_5.sd
new file mode 100644
index 0000000..5cd70d0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_6.sd
new file mode 100644
index 0000000..9642418
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_6.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_7.sd
new file mode 100644
index 0000000..6d84fda
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_7.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_8.sd
new file mode 100644
index 0000000..8d4f32e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   owner change_profile @{var} -> "/bin/*",
+}
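Review bot: `@{var}` is used in the rule but never declared in this file, unlike the sibling `onxvar_o_re_bad_3` to `_7` tests, so the expected FAIL is probably caused by the undefined variable rather than by the `owner` qualifier. A negative test that fails for an unrelated reason would keep reporting success even if the parser began accepting `owner change_profile`, which is the regression this file is meant to catch. Add `@{var}=/test` above the `/usr/bin/foo5 {` line so that `owner` is the only reason the profile can be rejected.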
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_1.sd
new file mode 100644
index 0000000..87a1e94
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> /bin/foo,
+}
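Review bot: The `onxvar_ok_*` files only assert that the parser accepts `change_profile @{var} -> ...`; nothing in them checks that `@{var}` is actually expanded into the exec condition of the compiled policy. If `parser/tst/equality.sh` does not already cover it, a companion check there would pin the expansion, for example `verify_binary_equality "change_profile @{var} expansion" "/t { change_profile /test -> /bin/foo, }" "@{var}=/test /t { change_profile @{var} -> /bin/foo, }"`. This assumes the helper accepts a variable declaration inside the profile string, which should be confirmed. Without such a check, an exec condition that is parsed but silently dropped or left unexpanded would still pass every test in this group.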
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_2.sd
new file mode 100644
index 0000000..d70c751
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_3.sd
new file mode 100644
index 0000000..c4bc9af
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_4.sd
new file mode 100644
index 0000000..babb093
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_5.sd
new file mode 100644
index 0000000..f984147
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION change_profile @{var} with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_6.sd
new file mode 100644
index 0000000..af14894
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_6.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION change_profile @{var} with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_7.sd
new file mode 100644
index 0000000..9492131
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_7.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION change_profile @{var} to a hat with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_8.sd
new file mode 100644
index 0000000..797398a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_8.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION change_profile @{var} with name space with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_1.sd
new file mode 100644
index 0000000..7c103cc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_1.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   change_profile @{var} -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   change_profile @{var} -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   change_profile @{var} -> /bin/[^ab],
+}
+
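Review bot: The `#=DESCRIPTION` here is `change_profile @{var}`, identical to the one in `onxvar_ok_1.sd`, although this file is the glob variant with `*`, `**`, `?`, `[ab]` and `[^ab]` targets. If the harness reports failures by description, the two cannot be told apart; something like `#=DESCRIPTION change_profile @{var} with re target` would distinguish them. The same applies to `onxvar_re_ok_2.sd`, `onxvar_re_ok_3.sd` and `onxvar_re_ok_4.sd`, whose descriptions also repeat those of the corresponding non-`re` files.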
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_2.sd
new file mode 100644
index 0000000..09e48e7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_2.sd
@@ -0,0 +1,70 @@
+#
+#=DESCRIPTION change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   change_profile @{var} -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   change_profile @{var} -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   change_profile @{var} -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   change_profile @{var} -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   change_profile @{var} -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   change_profile @{var} -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   change_profile @{var} -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   change_profile @{var} -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   change_profile @{var} -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   change_profile @{var} -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   change_profile @{var} -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   change_profile @{var} -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   change_profile @{var} -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   change_profile @{var} -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_3.sd
new file mode 100644
index 0000000..44e38cd
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_3.sd
@@ -0,0 +1,68 @@
+#
+#=DESCRIPTION change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   change_profile @{var} -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   change_profile @{var} -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   change_profile @{var} -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   change_profile @{var} -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   change_profile @{var} -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   change_profile @{var} -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   change_profile @{var} -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   change_profile @{var} -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   change_profile @{var} -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   change_profile @{var} -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   change_profile @{var} -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   change_profile @{var} -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   change_profile @{var} -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   change_profile @{var} -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_4.sd
new file mode 100644
index 0000000..99f2462
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_4.sd
@@ -0,0 +1,52 @@
+#
+#=DESCRIPTION change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   change_profile @{var} -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   change_profile @{var} -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   change_profile @{var} -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   change_profile @{var} -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   change_profile @{var} -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   change_profile @{var} -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   change_profile @{var} -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   change_profile @{var} -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   change_profile @{var} -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_5.sd
new file mode 100644
index 0000000..40d1d5b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_5.sd
@@ -0,0 +1,26 @@
+#
+#=DESCRIPTION change_profile @{var} with just res
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> *,
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> **,
+}
+
+/usr/bin/foo3 {
+   change_profile @{var} -> ?,
+}
+
+/usr/bin/foo4 {
+   change_profile @{var} -> [ab],
+}
+
+/usr/bin/foo5 {
+   change_profile @{var} -> [^ab],
+}
+
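Review bot: `with just res` in the `#=DESCRIPTION` line looks like a typo for `with just re`, the spelling used in `onxvar_re_ok_7.sd`; `onxvar_re_ok_6.sd` has the same `res`. Suggest `#=DESCRIPTION change_profile @{var} with just re` here and `#=DESCRIPTION change_profile @{var} with just re, child profile` there so the three descriptions read consistently.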
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_6.sd
new file mode 100644
index 0000000..ca4590e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_6.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION change_profile @{var} with just res, child profile
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> *//ab,
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> **//ab,
+}
+
+/usr/bin/foo3 {
+   change_profile @{var} -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   change_profile @{var} -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   change_profile @{var} -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   change_profile @{var} -> ab//*,
+}
+
+/usr/bin/foo7 {
+   change_profile @{var} -> ab//**,
+}
+
+/usr/bin/foo8 {
+   change_profile @{var} -> ab//?,
+}
+
+/usr/bin/foo9 {
+   change_profile @{var} -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   change_profile @{var} -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   change_profile @{var} -> *//*,
+}
+
+/usr/bin/foo12 {
+   change_profile @{var} -> **//*,
+}
+
+/usr/bin/foo13 {
+   change_profile @{var} -> ?//*,
+}
+
+/usr/bin/foo14 {
+   change_profile @{var} -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   change_profile @{var} -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_7.sd
new file mode 100644
index 0000000..7d7cdfd
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_7.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION change_profile @{var} with just re, namespace
+#=EXRESULT PASS
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   change_profile @{var} -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   change_profile @{var} -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   change_profile @{var} -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   change_profile @{var} -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   change_profile @{var} -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   change_profile @{var} -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   change_profile @{var} -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   change_profile @{var} -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   change_profile @{var} -> :*:*,
+}
+
+/usr/bin/foo12 {
+   change_profile @{var} -> :**:**,
+}
+
+/usr/bin/foo13 {
+   change_profile @{var} -> :?:?,
+}
+
+/usr/bin/foo14 {
+   change_profile @{var} -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   change_profile @{var} -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_8.sd
new file mode 100644
index 0000000..33eb727
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_8.sd
@@ -0,0 +1,47 @@
+#
+#=DESCRIPTION change_profile @{var} re with quotes
+#=EXRESULT PASS
+#
+
+@{var}=/test
+
+/usr/bin/foo5 {
+   change_profile @{var} -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   change_profile @{var} -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   change_profile @{var} -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   change_profile @{var} -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   change_profile @{var} -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   change_profile @{var} -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   change_profile @{var} -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   change_profile @{var} -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   change_profile @{var} -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   change_profile @{var} -> "/bin/ ?ab",
+}
+



