[apparmor] [PATCH 13/20] add support for rule prefixes to change_profile rules

Christian Boltz apparmor at cboltz.de
Fri May 29 20:46:18 UTC 2015


Hello,

This patch comes with an impressive set of tests :-)

However...

On Friday, 29 May 2015, John Johansen wrote:
...
>  parser/tst/simple_tests/change_profile/aa_ok_1.sd  |  0
>  parser/tst/simple_tests/change_profile/aa_ok_2.sd  |  0
>  parser/tst/simple_tests/change_profile/aa_ok_3.sd  |  0
>  parser/tst/simple_tests/change_profile/aa_ok_4.sd  |  0
>  parser/tst/simple_tests/change_profile/aa_ok_5.sd  |  0
>  parser/tst/simple_tests/change_profile/aa_ok_6.sd  |  0
>  parser/tst/simple_tests/change_profile/aa_ok_7.sd  |  0
>  parser/tst/simple_tests/change_profile/aa_ok_8.sd  |  0
>  .../tst/simple_tests/change_profile/aa_re_ok_1.sd  |  0
>  .../tst/simple_tests/change_profile/aa_re_ok_2.sd  |  0
>  .../tst/simple_tests/change_profile/aa_re_ok_3.sd  |  0
>  .../tst/simple_tests/change_profile/aa_re_ok_4.sd  |  0
>  .../tst/simple_tests/change_profile/aa_re_ok_5.sd  |  0
>  .../tst/simple_tests/change_profile/aa_re_ok_6.sd  |  0
>  .../tst/simple_tests/change_profile/aa_re_ok_7.sd  |  0
>  .../tst/simple_tests/change_profile/aa_re_ok_8.sd  |  0

These files are empty - I doubt this is intentional...

>  .../tst/simple_tests/change_profile/allowo_ok_1.sd | 0
>  .../tst/simple_tests/change_profile/allowo_ok_2.sd |  0
>  .../tst/simple_tests/change_profile/allowo_ok_3.sd |  0
>  .../tst/simple_tests/change_profile/allowo_ok_4.sd |  0
>  .../tst/simple_tests/change_profile/allowo_ok_5.sd |  0
>  .../tst/simple_tests/change_profile/allowo_ok_6.sd |  0
>  .../tst/simple_tests/change_profile/allowo_ok_7.sd |  0
>  .../tst/simple_tests/change_profile/allowo_ok_8.sd |  0
>  .../simple_tests/change_profile/allowo_re_ok_1.sd  |  0
>  .../simple_tests/change_profile/allowo_re_ok_2.sd  |  0
>  .../simple_tests/change_profile/allowo_re_ok_3.sd  |  0
>  .../simple_tests/change_profile/allowo_re_ok_4.sd  |  0
>  .../simple_tests/change_profile/allowo_re_ok_5.sd  |  0
>  .../simple_tests/change_profile/allowo_re_ok_6.sd  |  0
>  .../simple_tests/change_profile/allowo_re_ok_7.sd  |  0
>  .../simple_tests/change_profile/allowo_re_ok_8.sd  |  0

Some more empty files.

> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_ok_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile
> +#=EXRESULT FAIL

For FAIL, it would be nice to have an explanation in DESCRIPTION why the 
test is expected to fail. (" 'owner' not allowed" in this case)

That's something I'd like to see in all FAILing tests, even if I don't 
mention it individually.

> +/usr/bin/foo {
> +   audit allow owner change_profile -> /bin/foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/aao_ok_2.sd
> b/parser/tst/simple_tests/change_profile/aao_ok_2.sd new file mode
> 100644
> index 0000000..89d68b5
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_ok_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile to a hat
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit allow owner change_profile -> /bin/foo//bar,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/aao_ok_3.sd
> b/parser/tst/simple_tests/change_profile/aao_ok_3.sd new file mode
> 100644
> index 0000000..f620937
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_ok_3.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile with name space
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit allow owner change_profile -> :foo:/bin/foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/aao_ok_4.sd
> b/parser/tst/simple_tests/change_profile/aao_ok_4.sd new file mode
> 100644
> index 0000000..59e58d5
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_ok_4.sd
> @@ -0,0 +1,10 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile with a variable (LP:
> #390810) +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +
> +/usr/bin/foo {
> +   audit allow owner change_profile -> @{LIBVIRT}-foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/aao_ok_5.sd
> b/parser/tst/simple_tests/change_profile/aao_ok_5.sd new file mode
> 100644
> index 0000000..2ddb9c4
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_ok_5.sd
> @@ -0,0 +1,10 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile with variable+regex
> (LP: #390810) +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +
> +/usr/bin/foo {
> +   audit allow owner change_profile ->
> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, +}
> diff --git a/parser/tst/simple_tests/change_profile/aao_ok_6.sd
> b/parser/tst/simple_tests/change_profile/aao_ok_6.sd new file mode
> 100644
> index 0000000..58770fa
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_ok_6.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit allow owner change_profile -> "/bin/foo",
> +}
> +
> +/usr/bin/foo2 {
> +   audit allow owner change_profile -> "/bin/ foo",
> +}
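
Review bot: aao_ok_6.sd puts two profiles (/usr/bin/foo and /usr/bin/foo2) under a single EXRESULT FAIL, so the quoted target with an embedded space, "/bin/ foo", is never checked on its own; the file counts as failing as soon as either rule is rejected. The one-failure-per-file split requested further down for the *_re_* tests applies here too, and to aao_ok_7.sd and aao_ok_8.sd, which follow the same two-profile pattern.
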
> diff --git a/parser/tst/simple_tests/change_profile/aao_ok_7.sd
> b/parser/tst/simple_tests/change_profile/aao_ok_7.sd new file mode
> 100644
> index 0000000..1566725
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_ok_7.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile to a hat with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit allow owner change_profile -> "/bin/foo//bar",
> +}
> +
> +/usr/bin/foo2 {
> +   audit allow owner change_profile -> "/bin/foo// bar",
> +}
> diff --git a/parser/tst/simple_tests/change_profile/aao_ok_8.sd
> b/parser/tst/simple_tests/change_profile/aao_ok_8.sd new file mode
> 100644
> index 0000000..66db987
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_ok_8.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile with name space with
> quotes +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit allow owner change_profile -> ":foo:/bin/foo",
> +}
> +
> +/usr/bin/foo2 {
> +   audit allow owner change_profile -> ":foo:/bin/ foo",
> +}

EXRESULT FAIL doesn't match the *_ok_* filename - please rename those 
files to *_bad_*.

> diff --git a/parser/tst/simple_tests/change_profile/aao_re_ok_1.sd
> b/parser/tst/simple_tests/change_profile/aao_re_ok_1.sd new file mode
> 100644
> index 0000000..21ff4a2
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_re_ok_1.sd
> @@ -0,0 +1,24 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit allow owner change_profile -> /bin/*,
> +}
> +
> +/usr/bin/foo2 {
> +   audit allow owner change_profile -> /bin/**,
> +}
> +
> +/usr/bin/foo3 {
> +   audit allow owner change_profile -> /bin/?,
> +}
> +
> +/usr/bin/foo4 {
> +   audit allow owner change_profile -> /bin/[ab],
> +}
> +
> +/usr/bin/foo5 {
> +   audit allow owner change_profile -> /bin/[^ab],
> +}
> +
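
Review bot: the DESCRIPTION in aao_re_ok_1.sd is word for word the one in aao_ok_1.sd ("audit allow owner change_profile"), although every target here is a pattern (/bin/*, /bin/**, /bin/?, /bin/[ab], /bin/[^ab]). Mention the pattern targets in the description so the test output identifies which variant broke.
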
> diff --git a/parser/tst/simple_tests/change_profile/aao_re_ok_2.sd
> b/parser/tst/simple_tests/change_profile/aao_re_ok_2.sd new file mode
> 100644
> index 0000000..2ca6463
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_re_ok_2.sd
> @@ -0,0 +1,69 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile to a hat
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit allow owner change_profile -> /bin/foo//bar,
> +}
> +
> +/usr/bin/foo2 {
> +   audit allow owner change_profile -> /bin/foo//ba*,
> +}
> +
> +/usr/bin/foo3 {
> +   audit allow owner change_profile -> /bin/foo//ba**,
> +}
> +
> +/usr/bin/foo4 {
> +   audit allow owner change_profile -> /bin/foo//ba?,
> +}
> +
> +/usr/bin/foo5 {
> +   audit allow owner change_profile -> /bin/foo//ba[ab],
> +}
> +
> +/usr/bin/foo6 {
> +   audit allow owner change_profile -> /bin/foo//ba[^ab],
> +}
> +
> +/usr/bin/foo7 {
> +   audit allow owner change_profile -> /bin/fo*//bar,
> +}
> +
> +/usr/bin/foo8 {
> +   audit allow owner change_profile -> /bin/fo**//bar,
> +}
> +
> +/usr/bin/foo9 {
> +   audit allow owner change_profile -> /bin/fo?//bar,
> +}
> +
> +/usr/bin/foo10 {
> +   audit allow owner change_profile -> /bin/fo[ab]//bar,
> +}
> +
> +/usr/bin/foo11 {
> +   audit allow owner change_profile -> /bin/fo[^ab]//bar,
> +}
> +
> +/usr/bin/foo12 {
> +   audit allow owner change_profile -> /bin/fo*//ba*,
> +}
> +
> +/usr/bin/foo13 {
> +   audit allow owner change_profile -> /bin/fo**//ba**,
> +}
> +
> +/usr/bin/foo14 {
> +   audit allow owner change_profile -> /bin/fo?//ba?,
> +}
> +
> +/usr/bin/foo15 {
> +   audit allow owner change_profile -> /bin/fo[ab]//ba[ab],
> +}
> +
> +/usr/bin/foo16 {
> +   audit allow owner change_profile -> /bin/fo[^ab]//ba[^ab],
> +}
> +
> +
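
Review bot: the first profile in aao_re_ok_2.sd, "change_profile -> /bin/foo//bar", contains no pattern and repeats the rule already in aao_ok_2.sd; drop it from the regex file. The hunk also ends in two empty added lines, which can go.
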
> diff --git a/parser/tst/simple_tests/change_profile/aao_re_ok_3.sd
> b/parser/tst/simple_tests/change_profile/aao_re_ok_3.sd new file mode
> 100644
> index 0000000..8ce339f
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_re_ok_3.sd
> @@ -0,0 +1,67 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile with name space
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit allow owner change_profile -> :foo:/bin/foo,
> +}
> +
> +/usr/bin/foo2 {
> +   audit allow owner change_profile -> :foo:/bin/fo*,
> +}
> +
> +/usr/bin/foo3 {
> +   audit allow owner change_profile -> :foo:/bin/fo**,
> +}
> +
> +/usr/bin/foo4 {
> +   audit allow owner change_profile -> :foo:/bin/fo?,
> +}
> +
> +/usr/bin/foo5 {
> +   audit allow owner change_profile -> :foo:/bin/fo[ab],
> +}
> +
> +/usr/bin/foo6 {
> +   audit allow owner change_profile -> :foo:/bin/fo[^ab],
> +}
> +
> +/usr/bin/foo7 {
> +   audit allow owner change_profile -> :fo*:/bin/foo,
> +}
> +
> +/usr/bin/foo8 {
> +   audit allow owner change_profile -> :fo**:/bin/foo,
> +}
> +
> +/usr/bin/foo9 {
> +   audit allow owner change_profile -> :fo?:/bin/foo,
> +}
> +
> +/usr/bin/foo10 {
> +   audit allow owner change_profile -> :fo[ab]:/bin/foo,
> +}
> +
> +/usr/bin/foo11 {
> +   audit allow owner change_profile -> :fo[^ab]:/bin/foo,
> +}
> +
> +/usr/bin/foo12 {
> +   audit allow owner change_profile -> :fo*:/bin/fo*,
> +}
> +
> +/usr/bin/foo13 {
> +   audit allow owner change_profile -> :fo**:/bin/fo**,
> +}
> +
> +/usr/bin/foo14 {
> +   audit allow owner change_profile -> :fo?:/bin/fo?,
> +}
> +
> +/usr/bin/foo15 {
> +   audit allow owner change_profile -> :fo[ab]:/bin/fo[ab],
> +}
> +
> +/usr/bin/foo16 {
> +   audit allow owner change_profile -> :fo[^ab]:/bin/fo[^ab],
> +}
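
Review bot: all 16 rules in aao_re_ok_3.sd carry the owner prefix, which the reply above gives as the reason aao_ok_1.sd is rejected, so the namespace patterns (:fo*:, :fo?:, :fo[^ab]: and so on) are never what decides the result. If pattern handling in the namespace part is meant to be covered, that needs a file without owner whose outcome depends on the pattern itself. The aa_re_ok_*.sd files, which by their names look like that counterpart, are listed with 0 changed lines in the diffstat.
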
> diff --git a/parser/tst/simple_tests/change_profile/aao_re_ok_4.sd
> b/parser/tst/simple_tests/change_profile/aao_re_ok_4.sd new file mode
> 100644
> index 0000000..828d1f9
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_re_ok_4.sd
> @@ -0,0 +1,51 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile with a variable (LP:
> #390810) +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +@{LIBVIRT_RE}="libvirt*"
> +
> +/usr/bin/foo {
> +   audit allow owner change_profile -> @{LIBVIRT}-fo*,
> +}
> +
> +/usr/bin/foo2 {
> +   audit allow owner change_profile -> @{LIBVIRT}-fo**,
> +}
> +
> +/usr/bin/foo3 {
> +   audit allow owner change_profile -> @{LIBVIRT}-fo[ab],
> +}
> +
> +/usr/bin/foo4 {
> +   audit allow owner change_profile -> @{LIBVIRT}-fo[^ab],
> +}
> +
> +/usr/bin/foo5 {
> +   audit allow owner change_profile -> @{LIBVIRT}-fo?,
> +}
> +
> +/usr/bin/foo6 {
> +   audit allow owner change_profile -> @{LIBVIRT_RE}-foo,
> +}
> +
> +/usr/bin/foo7 {
> +   audit allow owner change_profile -> @{LIBVIRT_RE}-fo*,
> +}
> +
> +/usr/bin/foo8 {
> +   audit allow owner change_profile -> @{LIBVIRT_RE}-fo**,
> +}
> +
> +/usr/bin/foo9 {
> +   audit allow owner change_profile -> @{LIBVIRT_RE}-fo?,
> +}
> +
> +/usr/bin/foo10 {
> +   audit allow owner change_profile -> @{LIBVIRT_RE}-fo[ab],
> +}
> +
> +/usr/bin/foo11 {
> +   audit allow owner change_profile -> @{LIBVIRT_RE}-fo[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/aao_re_ok_5.sd
> b/parser/tst/simple_tests/change_profile/aao_re_ok_5.sd new file mode
> 100644
> index 0000000..0d9b919
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_re_ok_5.sd
> @@ -0,0 +1,25 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile with just res
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo {
> +   audit allow owner change_profile -> *,
> +}
> +
> +/usr/bin/foo2 {
> +   audit allow owner change_profile -> **,
> +}
> +
> +/usr/bin/foo3 {
> +   audit allow owner change_profile -> ?,
> +}
> +
> +/usr/bin/foo4 {
> +   audit allow owner change_profile -> [ab],
> +}
> +
> +/usr/bin/foo5 {
> +   audit allow owner change_profile -> [^ab],
> +}
> +
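
Review bot: "with just res" in the DESCRIPTION of aao_re_ok_5.sd is hard to read, and aao_re_ok_7.sd says "with just re" for the same idea. Spell it out (for example "target is only a pattern") and use the same wording across the set.
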
> diff --git a/parser/tst/simple_tests/change_profile/aao_re_ok_6.sd
> b/parser/tst/simple_tests/change_profile/aao_re_ok_6.sd new file mode
> 100644
> index 0000000..612da29
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_re_ok_6.sd
> @@ -0,0 +1,65 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile with just res, child
> profile +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo {
> +   audit allow owner change_profile -> *//ab,
> +}
> +
> +/usr/bin/foo2 {
> +   audit allow owner change_profile -> **//ab,
> +}
> +
> +/usr/bin/foo3 {
> +   audit allow owner change_profile -> ?//ab,
> +}
> +
> +/usr/bin/foo4 {
> +   audit allow owner change_profile -> [ab]//ab,
> +}
> +
> +/usr/bin/foo5 {
> +   audit allow owner change_profile -> [^ab]//ab,
> +}
> +
> +/usr/bin/foo6 {
> +   audit allow owner change_profile -> ab//*,
> +}
> +
> +/usr/bin/foo7 {
> +   audit allow owner change_profile -> ab//**,
> +}
> +
> +/usr/bin/foo8 {
> +   audit allow owner change_profile -> ab//?,
> +}
> +
> +/usr/bin/foo9 {
> +   audit allow owner change_profile -> ab//[ab],
> +}
> +
> +/usr/bin/foo10 {
> +   audit allow owner change_profile -> ab//[^ab],
> +}
> +
> +/usr/bin/foo11 {
> +   audit allow owner change_profile -> *//*,
> +}
> +
> +/usr/bin/foo12 {
> +   audit allow owner change_profile -> **//*,
> +}
> +
> +/usr/bin/foo13 {
> +   audit allow owner change_profile -> ?//*,
> +}
> +
> +/usr/bin/foo14 {
> +   audit allow owner change_profile -> [ab]//*,
> +}
> +
> +/usr/bin/foo15 {
> +   audit allow owner change_profile -> [^ab]//*,
> +}
> +
> diff --git a/parser/tst/simple_tests/change_profile/aao_re_ok_7.sd
> b/parser/tst/simple_tests/change_profile/aao_re_ok_7.sd new file mode
> 100644
> index 0000000..c1b900d
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_re_ok_7.sd
> @@ -0,0 +1,65 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile with just re,
> namespace +#=EXRESULT FAIL
> +#
> +
> +
> +/usr/bin/foo {
> +   audit allow owner change_profile -> :ab:*,
> +}
> +
> +/usr/bin/foo2 {
> +   audit allow owner change_profile -> :ab:**,
> +}
> +
> +/usr/bin/foo3 {
> +   audit allow owner change_profile -> :ab:?,
> +}
> +
> +/usr/bin/foo4 {
> +   audit allow owner change_profile -> :ab:[ab],
> +}
> +
> +/usr/bin/foo5 {
> +   audit allow owner change_profile -> :ab:[^ab],
> +}
> +
> +/usr/bin/foo6 {
> +   audit allow owner change_profile -> :*:ab,
> +}
> +
> +/usr/bin/foo7 {
> +   audit allow owner change_profile -> :**:ab,
> +}
> +
> +/usr/bin/foo8 {
> +   audit allow owner change_profile -> :?:ab,
> +}
> +
> +/usr/bin/foo9 {
> +   audit allow owner change_profile -> :[ab]:ab,
> +}
> +
> +/usr/bin/foo10 {
> +   audit allow owner change_profile -> :[^ab]:ab,
> +}
> +
> +/usr/bin/foo11 {
> +   audit allow owner change_profile -> :*:*,
> +}
> +
> +/usr/bin/foo12 {
> +   audit allow owner change_profile -> :**:**,
> +}
> +
> +/usr/bin/foo13 {
> +   audit allow owner change_profile -> :?:?,
> +}
> +
> +/usr/bin/foo14 {
> +   audit allow owner change_profile -> :[ab]:[ab],
> +}
> +
> +/usr/bin/foo15 {
> +   audit allow owner change_profile -> :[^ab]:[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/aao_re_ok_8.sd
> b/parser/tst/simple_tests/change_profile/aao_re_ok_8.sd new file mode
> 100644
> index 0000000..741002d
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/aao_re_ok_8.sd
> @@ -0,0 +1,45 @@
> +#
> +#=DESCRIPTION audit allow owner change_profile re with quotes
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo5 {
> +   audit allow owner change_profile -> "/bin/*",
> +}
> +
> +/usr/bin/foo6 {
> +   audit allow owner change_profile -> "/bin/**",
> +}
> +
> +/usr/bin/foo7 {
> +   audit allow owner change_profile -> "/bin/[ab]",
> +}
> +
> +/usr/bin/foo8 {
> +   audit allow owner change_profile -> "/bin/[^ab]",
> +}
> +
> +/usr/bin/foo10 {
> +   audit allow owner change_profile -> "/bin/?ab",
> +}
> +
> +/usr/bin/foo11 {
> +   audit allow owner change_profile -> "/bin/ *",
> +}
> +
> +/usr/bin/foo12 {
> +   audit allow owner change_profile -> "/bin/ **",
> +}
> +
> +/usr/bin/foo13 {
> +   audit allow owner change_profile -> "/bin/ [ab]",
> +}
> +
> +/usr/bin/foo14 {
> +   audit allow owner change_profile -> "/bin/ [^ab]",
> +}
> +
> +/usr/bin/foo15 {
> +   audit allow owner change_profile -> "/bin/ ?ab",
> +}
> +
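
Review bot: the profile names in aao_re_ok_8.sd start at /usr/bin/foo5 and jump from foo8 to foo10, which reads as if cases were removed after copying. Renumber from /usr/bin/foo, or restore the missing cases if they were dropped by accident. The ? case is also "/bin/?ab" here while aao_re_ok_1.sd uses /bin/?, so the quoted and unquoted sets do not cover the same targets.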

Please split those files into multiple files so that we only have one 
failure per file - otherwise bugs could go unnoticed as long as at least 
one of the test profiles in the file fails.

Also, use *_bad_* filenames.

...

> diff --git a/parser/tst/simple_tests/change_profile/ado_bare_ok_1.sd
> b/parser/tst/simple_tests/change_profile/ado_bare_ok_1.sd new file
> mode 100644
> index 0000000..2d5a7ca
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_bare_ok_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit deny owner change_profile,
> +}
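
Review bot: ado_bare_ok_1.sd has the same DESCRIPTION as ado_ok_1.sd ("audit deny owner change_profile"), although the rule here has no "-> target" part. Add "bare" to the description so the two tests can be told apart in the test output.
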
> diff --git a/parser/tst/simple_tests/change_profile/ado_ok_1.sd
> b/parser/tst/simple_tests/change_profile/ado_ok_1.sd new file mode
> 100644
> index 0000000..5546aef
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_ok_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit deny owner change_profile -> /bin/foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ado_ok_2.sd
> b/parser/tst/simple_tests/change_profile/ado_ok_2.sd new file mode
> 100644
> index 0000000..c2ac041
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_ok_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile to a hat
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit deny owner change_profile -> /bin/foo//bar,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ado_ok_3.sd
> b/parser/tst/simple_tests/change_profile/ado_ok_3.sd new file mode
> 100644
> index 0000000..4e07e98
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_ok_3.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile with name space
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit deny owner change_profile -> :foo:/bin/foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ado_ok_4.sd
> b/parser/tst/simple_tests/change_profile/ado_ok_4.sd new file mode
> 100644
> index 0000000..151494f
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_ok_4.sd
> @@ -0,0 +1,10 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile with a variable (LP:
> #390810) +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +
> +/usr/bin/foo {
> +   audit deny owner change_profile -> @{LIBVIRT}-foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ado_ok_5.sd
> b/parser/tst/simple_tests/change_profile/ado_ok_5.sd new file mode
> 100644
> index 0000000..f912b8f
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_ok_5.sd
> @@ -0,0 +1,10 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile with variable+regex
> (LP: #390810) +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +
> +/usr/bin/foo {
> +   audit deny owner change_profile ->
> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, +}
> diff --git a/parser/tst/simple_tests/change_profile/ado_ok_6.sd
> b/parser/tst/simple_tests/change_profile/ado_ok_6.sd new file mode
> 100644
> index 0000000..7feee12
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_ok_6.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit deny owner change_profile -> "/bin/foo",
> +}
> +
> +/usr/bin/foo2 {
> +   audit deny owner change_profile -> "/bin/ foo",
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ado_ok_7.sd
> b/parser/tst/simple_tests/change_profile/ado_ok_7.sd new file mode
> 100644
> index 0000000..403b7bb
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_ok_7.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile to a hat with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit deny owner change_profile -> "/bin/foo//bar",
> +}
> +
> +/usr/bin/foo2 {
> +   audit deny owner change_profile -> "/bin/foo// bar",
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ado_ok_8.sd
> b/parser/tst/simple_tests/change_profile/ado_ok_8.sd new file mode
> 100644
> index 0000000..2c5ebaa
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_ok_8.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile with name space with
> quotes +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit deny owner change_profile -> ":foo:/bin/foo",
> +}
> +
> +/usr/bin/foo2 {
> +   audit deny owner change_profile -> ":foo:/bin/ foo",
> +}

Please rename those FAILing tests to *_bad_*.

> diff --git a/parser/tst/simple_tests/change_profile/ado_re_ok_1.sd
> b/parser/tst/simple_tests/change_profile/ado_re_ok_1.sd new file mode
> 100644
> index 0000000..a1b5c77
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_re_ok_1.sd
> @@ -0,0 +1,24 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit deny owner change_profile -> /bin/*,
> +}
> +
> +/usr/bin/foo2 {
> +   audit deny owner change_profile -> /bin/**,
> +}
> +
> +/usr/bin/foo3 {
> +   audit deny owner change_profile -> /bin/?,
> +}
> +
> +/usr/bin/foo4 {
> +   audit deny owner change_profile -> /bin/[ab],
> +}
> +
> +/usr/bin/foo5 {
> +   audit deny owner change_profile -> /bin/[^ab],
> +}
> +
> diff --git a/parser/tst/simple_tests/change_profile/ado_re_ok_2.sd
> b/parser/tst/simple_tests/change_profile/ado_re_ok_2.sd new file mode
> 100644
> index 0000000..243ec1b
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_re_ok_2.sd
> @@ -0,0 +1,69 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile to a hat
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit deny owner change_profile -> /bin/foo//bar,
> +}
> +
> +/usr/bin/foo2 {
> +   audit deny owner change_profile -> /bin/foo//ba*,
> +}
> +
> +/usr/bin/foo3 {
> +   audit deny owner change_profile -> /bin/foo//ba**,
> +}
> +
> +/usr/bin/foo4 {
> +   audit deny owner change_profile -> /bin/foo//ba?,
> +}
> +
> +/usr/bin/foo5 {
> +   audit deny owner change_profile -> /bin/foo//ba[ab],
> +}
> +
> +/usr/bin/foo6 {
> +   audit deny owner change_profile -> /bin/foo//ba[^ab],
> +}
> +
> +/usr/bin/foo7 {
> +   audit deny owner change_profile -> /bin/fo*//bar,
> +}
> +
> +/usr/bin/foo8 {
> +   audit deny owner change_profile -> /bin/fo**//bar,
> +}
> +
> +/usr/bin/foo9 {
> +   audit deny owner change_profile -> /bin/fo?//bar,
> +}
> +
> +/usr/bin/foo10 {
> +   audit deny owner change_profile -> /bin/fo[ab]//bar,
> +}
> +
> +/usr/bin/foo11 {
> +   audit deny owner change_profile -> /bin/fo[^ab]//bar,
> +}
> +
> +/usr/bin/foo12 {
> +   audit deny owner change_profile -> /bin/fo*//ba*,
> +}
> +
> +/usr/bin/foo13 {
> +   audit deny owner change_profile -> /bin/fo**//ba**,
> +}
> +
> +/usr/bin/foo14 {
> +   audit deny owner change_profile -> /bin/fo?//ba?,
> +}
> +
> +/usr/bin/foo15 {
> +   audit deny owner change_profile -> /bin/fo[ab]//ba[ab],
> +}
> +
> +/usr/bin/foo16 {
> +   audit deny owner change_profile -> /bin/fo[^ab]//ba[^ab],
> +}
> +
> +
> diff --git a/parser/tst/simple_tests/change_profile/ado_re_ok_3.sd
> b/parser/tst/simple_tests/change_profile/ado_re_ok_3.sd new file mode
> 100644
> index 0000000..23fc9d9
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_re_ok_3.sd
> @@ -0,0 +1,67 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile with name space
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit deny owner change_profile -> :foo:/bin/foo,
> +}
> +
> +/usr/bin/foo2 {
> +   audit deny owner change_profile -> :foo:/bin/fo*,
> +}
> +
> +/usr/bin/foo3 {
> +   audit deny owner change_profile -> :foo:/bin/fo**,
> +}
> +
> +/usr/bin/foo4 {
> +   audit deny owner change_profile -> :foo:/bin/fo?,
> +}
> +
> +/usr/bin/foo5 {
> +   audit deny owner change_profile -> :foo:/bin/fo[ab],
> +}
> +
> +/usr/bin/foo6 {
> +   audit deny owner change_profile -> :foo:/bin/fo[^ab],
> +}
> +
> +/usr/bin/foo7 {
> +   audit deny owner change_profile -> :fo*:/bin/foo,
> +}
> +
> +/usr/bin/foo8 {
> +   audit deny owner change_profile -> :fo**:/bin/foo,
> +}
> +
> +/usr/bin/foo9 {
> +   audit deny owner change_profile -> :fo?:/bin/foo,
> +}
> +
> +/usr/bin/foo10 {
> +   audit deny owner change_profile -> :fo[ab]:/bin/foo,
> +}
> +
> +/usr/bin/foo11 {
> +   audit deny owner change_profile -> :fo[^ab]:/bin/foo,
> +}
> +
> +/usr/bin/foo12 {
> +   audit deny owner change_profile -> :fo*:/bin/fo*,
> +}
> +
> +/usr/bin/foo13 {
> +   audit deny owner change_profile -> :fo**:/bin/fo**,
> +}
> +
> +/usr/bin/foo14 {
> +   audit deny owner change_profile -> :fo?:/bin/fo?,
> +}
> +
> +/usr/bin/foo15 {
> +   audit deny owner change_profile -> :fo[ab]:/bin/fo[ab],
> +}
> +
> +/usr/bin/foo16 {
> +   audit deny owner change_profile -> :fo[^ab]:/bin/fo[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ado_re_ok_4.sd
> b/parser/tst/simple_tests/change_profile/ado_re_ok_4.sd new file mode
> 100644
> index 0000000..94317f1
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_re_ok_4.sd
> @@ -0,0 +1,51 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile with a variable (LP:
> #390810) +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +@{LIBVIRT_RE}="libvirt*"
> +
> +/usr/bin/foo {
> +   audit deny owner change_profile -> @{LIBVIRT}-fo*,
> +}
> +
> +/usr/bin/foo2 {
> +   audit deny owner change_profile -> @{LIBVIRT}-fo**,
> +}
> +
> +/usr/bin/foo3 {
> +   audit deny owner change_profile -> @{LIBVIRT}-fo[ab],
> +}
> +
> +/usr/bin/foo4 {
> +   audit deny owner change_profile -> @{LIBVIRT}-fo[^ab],
> +}
> +
> +/usr/bin/foo5 {
> +   audit deny owner change_profile -> @{LIBVIRT}-fo?,
> +}
> +
> +/usr/bin/foo6 {
> +   audit deny owner change_profile -> @{LIBVIRT_RE}-foo,
> +}
> +
> +/usr/bin/foo7 {
> +   audit deny owner change_profile -> @{LIBVIRT_RE}-fo*,
> +}
> +
> +/usr/bin/foo8 {
> +   audit deny owner change_profile -> @{LIBVIRT_RE}-fo**,
> +}
> +
> +/usr/bin/foo9 {
> +   audit deny owner change_profile -> @{LIBVIRT_RE}-fo?,
> +}
> +
> +/usr/bin/foo10 {
> +   audit deny owner change_profile -> @{LIBVIRT_RE}-fo[ab],
> +}
> +
> +/usr/bin/foo11 {
> +   audit deny owner change_profile -> @{LIBVIRT_RE}-fo[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ado_re_ok_5.sd
> b/parser/tst/simple_tests/change_profile/ado_re_ok_5.sd new file mode
> 100644
> index 0000000..5be81f3
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_re_ok_5.sd
> @@ -0,0 +1,25 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile with just res
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo {
> +   audit deny owner change_profile -> *,
> +}
> +
> +/usr/bin/foo2 {
> +   audit deny owner change_profile -> **,
> +}
> +
> +/usr/bin/foo3 {
> +   audit deny owner change_profile -> ?,
> +}
> +
> +/usr/bin/foo4 {
> +   audit deny owner change_profile -> [ab],
> +}
> +
> +/usr/bin/foo5 {
> +   audit deny owner change_profile -> [^ab],
> +}
> +
> diff --git a/parser/tst/simple_tests/change_profile/ado_re_ok_6.sd
> b/parser/tst/simple_tests/change_profile/ado_re_ok_6.sd new file mode
> 100644
> index 0000000..632dc47
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_re_ok_6.sd
> @@ -0,0 +1,65 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile with just res, child
> profile +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo {
> +   audit deny owner change_profile -> *//ab,
> +}
> +
> +/usr/bin/foo2 {
> +   audit deny owner change_profile -> **//ab,
> +}
> +
> +/usr/bin/foo3 {
> +   audit deny owner change_profile -> ?//ab,
> +}
> +
> +/usr/bin/foo4 {
> +   audit deny owner change_profile -> [ab]//ab,
> +}
> +
> +/usr/bin/foo5 {
> +   audit deny owner change_profile -> [^ab]//ab,
> +}
> +
> +/usr/bin/foo6 {
> +   audit deny owner change_profile -> ab//*,
> +}
> +
> +/usr/bin/foo7 {
> +   audit deny owner change_profile -> ab//**,
> +}
> +
> +/usr/bin/foo8 {
> +   audit deny owner change_profile -> ab//?,
> +}
> +
> +/usr/bin/foo9 {
> +   audit deny owner change_profile -> ab//[ab],
> +}
> +
> +/usr/bin/foo10 {
> +   audit deny owner change_profile -> ab//[^ab],
> +}
> +
> +/usr/bin/foo11 {
> +   audit deny owner change_profile -> *//*,
> +}
> +
> +/usr/bin/foo12 {
> +   audit deny owner change_profile -> **//*,
> +}
> +
> +/usr/bin/foo13 {
> +   audit deny owner change_profile -> ?//*,
> +}
> +
> +/usr/bin/foo14 {
> +   audit deny owner change_profile -> [ab]//*,
> +}
> +
> +/usr/bin/foo15 {
> +   audit deny owner change_profile -> [^ab]//*,
> +}
> +
> diff --git a/parser/tst/simple_tests/change_profile/ado_re_ok_7.sd
> b/parser/tst/simple_tests/change_profile/ado_re_ok_7.sd new file mode
> 100644
> index 0000000..66fa797
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_re_ok_7.sd
> @@ -0,0 +1,65 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile with just re, namespace
> +#=EXRESULT FAIL
> +#
> +
> +
> +/usr/bin/foo {
> +   audit deny owner change_profile -> :ab:*,
> +}
> +
> +/usr/bin/foo2 {
> +   audit deny owner change_profile -> :ab:**,
> +}
> +
> +/usr/bin/foo3 {
> +   audit deny owner change_profile -> :ab:?,
> +}
> +
> +/usr/bin/foo4 {
> +   audit deny owner change_profile -> :ab:[ab],
> +}
> +
> +/usr/bin/foo5 {
> +   audit deny owner change_profile -> :ab:[^ab],
> +}
> +
> +/usr/bin/foo6 {
> +   audit deny owner change_profile -> :*:ab,
> +}
> +
> +/usr/bin/foo7 {
> +   audit deny owner change_profile -> :**:ab,
> +}
> +
> +/usr/bin/foo8 {
> +   audit deny owner change_profile -> :?:ab,
> +}
> +
> +/usr/bin/foo9 {
> +   audit deny owner change_profile -> :[ab]:ab,
> +}
> +
> +/usr/bin/foo10 {
> +   audit deny owner change_profile -> :[^ab]:ab,
> +}
> +
> +/usr/bin/foo11 {
> +   audit deny owner change_profile -> :*:*,
> +}
> +
> +/usr/bin/foo12 {
> +   audit deny owner change_profile -> :**:**,
> +}
> +
> +/usr/bin/foo13 {
> +   audit deny owner change_profile -> :?:?,
> +}
> +
> +/usr/bin/foo14 {
> +   audit deny owner change_profile -> :[ab]:[ab],
> +}
> +
> +/usr/bin/foo15 {
> +   audit deny owner change_profile -> :[^ab]:[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ado_re_ok_8.sd
> b/parser/tst/simple_tests/change_profile/ado_re_ok_8.sd new file mode
> 100644
> index 0000000..7ab3677
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ado_re_ok_8.sd
> @@ -0,0 +1,45 @@
> +#
> +#=DESCRIPTION audit deny owner change_profile re with quotes
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo5 {
> +   audit deny owner change_profile -> "/bin/*",
> +}
> +
> +/usr/bin/foo6 {
> +   audit deny owner change_profile -> "/bin/**",
> +}
> +
> +/usr/bin/foo7 {
> +   audit deny owner change_profile -> "/bin/[ab]",
> +}
> +
> +/usr/bin/foo8 {
> +   audit deny owner change_profile -> "/bin/[^ab]",
> +}
> +
> +/usr/bin/foo10 {
> +   audit deny owner change_profile -> "/bin/?ab",
> +}
> +
> +/usr/bin/foo11 {
> +   audit deny owner change_profile -> "/bin/ *",
> +}
> +
> +/usr/bin/foo12 {
> +   audit deny owner change_profile -> "/bin/ **",
> +}
> +
> +/usr/bin/foo13 {
> +   audit deny owner change_profile -> "/bin/ [ab]",
> +}
> +
> +/usr/bin/foo14 {
> +   audit deny owner change_profile -> "/bin/ [^ab]",
> +}
> +
> +/usr/bin/foo15 {
> +   audit deny owner change_profile -> "/bin/ ?ab",
> +}
> +
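
Review bot: the profile names in ado_re_ok_8.sd start at /usr/bin/foo5 and jump from foo8 to foo10, which suggests cases were dropped from a copied template. The quoted set also has no target that is a lone "?": ao_re_ok_1.sd in this patch tests /bin/?, while here only "/bin/?ab" and "/bin/ ?ab" appear. Either renumber the profiles and add the missing quoted case, or note in the DESCRIPTION why the quoted set differs from the unquoted one.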

Please split those files (one failure per test) and name them *_bad_*
(see above for details)

> diff --git a/parser/tst/simple_tests/change_profile/ao_bare_ok_1.sd
> b/parser/tst/simple_tests/change_profile/ao_bare_ok_1.sd new file
> mode 100644
> index 0000000..da8846e
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_bare_ok_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION audit owner change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit owner change_profile,
> +}
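
Review bot: the DESCRIPTION "audit owner change_profile" does not say why this profile is expected to fail, and the same text is reused unchanged in ao_ok_1.sd and ao_re_ok_1.sd. With #=EXRESULT FAIL, the description should name the part of the rule that has to be rejected, so that a later reader can tell an intended failure from a regression. The three descriptions should also be distinguishable (bare rule, explicit target, regex target).
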
> diff --git a/parser/tst/simple_tests/change_profile/ao_ok_1.sd
> b/parser/tst/simple_tests/change_profile/ao_ok_1.sd new file mode
> 100644
> index 0000000..546b71e
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_ok_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION audit owner change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit owner change_profile -> /bin/foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ao_ok_2.sd
> b/parser/tst/simple_tests/change_profile/ao_ok_2.sd new file mode
> 100644
> index 0000000..b43e28a
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_ok_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION audit owner change_profile to a hat
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit owner change_profile -> /bin/foo//bar,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ao_ok_3.sd
> b/parser/tst/simple_tests/change_profile/ao_ok_3.sd new file mode
> 100644
> index 0000000..b175e82
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_ok_3.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION audit owner change_profile with name space
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit owner change_profile -> :foo:/bin/foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ao_ok_4.sd
> b/parser/tst/simple_tests/change_profile/ao_ok_4.sd new file mode
> 100644
> index 0000000..450cd95
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_ok_4.sd
> @@ -0,0 +1,10 @@
> +#
> +#=DESCRIPTION audit owner change_profile with a variable (LP:
> #390810) +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +
> +/usr/bin/foo {
> +   audit owner change_profile -> @{LIBVIRT}-foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ao_ok_5.sd
> b/parser/tst/simple_tests/change_profile/ao_ok_5.sd new file mode
> 100644
> index 0000000..24008b1
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_ok_5.sd
> @@ -0,0 +1,10 @@
> +#
> +#=DESCRIPTION audit owner change_profile with variable+regex (LP:
> #390810) +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +
> +/usr/bin/foo {
> +   audit owner change_profile ->
> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, +}

Some more files that should be named *_bad_*

> diff --git a/parser/tst/simple_tests/change_profile/ao_ok_6.sd
> b/parser/tst/simple_tests/change_profile/ao_ok_6.sd new file mode
> 100644
> index 0000000..dc5e61f
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_ok_6.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION audit owner change_profile with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit owner change_profile -> "/bin/foo",
> +}
> +
> +/usr/bin/foo2 {
> +   audit owner change_profile -> "/bin/ foo",
> +}
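
Review bot: in ao_ok_6.sd the result #=EXRESULT FAIL is already satisfied once the first profile (/usr/bin/foo) is rejected, so the second profile's target with an embedded space, "/bin/ foo", never decides the outcome. If quoted names containing whitespace are meant to be covered, that rule needs a file of its own.
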
> diff --git a/parser/tst/simple_tests/change_profile/ao_ok_7.sd
> b/parser/tst/simple_tests/change_profile/ao_ok_7.sd new file mode
> 100644
> index 0000000..f3d4306
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_ok_7.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION audit owner change_profile to a hat with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit owner change_profile -> "/bin/foo//bar",
> +}
> +
> +/usr/bin/foo2 {
> +   audit owner change_profile -> "/bin/foo// bar",
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ao_ok_8.sd
> b/parser/tst/simple_tests/change_profile/ao_ok_8.sd new file mode
> 100644
> index 0000000..238514c
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_ok_8.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION audit owner change_profile with name space with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit owner change_profile -> ":foo:/bin/foo",
> +}
> +
> +/usr/bin/foo2 {
> +   audit owner change_profile -> ":foo:/bin/ foo",
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ao_re_ok_1.sd
> b/parser/tst/simple_tests/change_profile/ao_re_ok_1.sd new file mode
> 100644
> index 0000000..7a0fe86
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_re_ok_1.sd
> @@ -0,0 +1,24 @@
> +#
> +#=DESCRIPTION audit owner change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit owner change_profile -> /bin/*,
> +}
> +
> +/usr/bin/foo2 {
> +   audit owner change_profile -> /bin/**,
> +}
> +
> +/usr/bin/foo3 {
> +   audit owner change_profile -> /bin/?,
> +}
> +
> +/usr/bin/foo4 {
> +   audit owner change_profile -> /bin/[ab],
> +}
> +
> +/usr/bin/foo5 {
> +   audit owner change_profile -> /bin/[^ab],
> +}
> +
> diff --git a/parser/tst/simple_tests/change_profile/ao_re_ok_2.sd
> b/parser/tst/simple_tests/change_profile/ao_re_ok_2.sd new file mode
> 100644
> index 0000000..60d88a8
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_re_ok_2.sd
> @@ -0,0 +1,69 @@
> +#
> +#=DESCRIPTION audit owner change_profile to a hat
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit owner change_profile -> /bin/foo//bar,
> +}
> +
> +/usr/bin/foo2 {
> +   audit owner change_profile -> /bin/foo//ba*,
> +}
> +
> +/usr/bin/foo3 {
> +   audit owner change_profile -> /bin/foo//ba**,
> +}
> +
> +/usr/bin/foo4 {
> +   audit owner change_profile -> /bin/foo//ba?,
> +}
> +
> +/usr/bin/foo5 {
> +   audit owner change_profile -> /bin/foo//ba[ab],
> +}
> +
> +/usr/bin/foo6 {
> +   audit owner change_profile -> /bin/foo//ba[^ab],
> +}
> +
> +/usr/bin/foo7 {
> +   audit owner change_profile -> /bin/fo*//bar,
> +}
> +
> +/usr/bin/foo8 {
> +   audit owner change_profile -> /bin/fo**//bar,
> +}
> +
> +/usr/bin/foo9 {
> +   audit owner change_profile -> /bin/fo?//bar,
> +}
> +
> +/usr/bin/foo10 {
> +   audit owner change_profile -> /bin/fo[ab]//bar,
> +}
> +
> +/usr/bin/foo11 {
> +   audit owner change_profile -> /bin/fo[^ab]//bar,
> +}
> +
> +/usr/bin/foo12 {
> +   audit owner change_profile -> /bin/fo*//ba*,
> +}
> +
> +/usr/bin/foo13 {
> +   audit owner change_profile -> /bin/fo**//ba**,
> +}
> +
> +/usr/bin/foo14 {
> +   audit owner change_profile -> /bin/fo?//ba?,
> +}
> +
> +/usr/bin/foo15 {
> +   audit owner change_profile -> /bin/fo[ab]//ba[ab],
> +}
> +
> +/usr/bin/foo16 {
> +   audit owner change_profile -> /bin/fo[^ab]//ba[^ab],
> +}
> +
> +
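
Review bot: the first profile in ao_re_ok_2.sd, with target /bin/foo//bar, contains no pattern at all and repeats the rule already in ao_ok_2.sd, and the DESCRIPTION "audit owner change_profile to a hat" is identical to that file's as well. Drop the literal case from the regex file and mention the regex in the description. The hunk also ends with two empty added lines that can go.
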
> diff --git a/parser/tst/simple_tests/change_profile/ao_re_ok_3.sd
> b/parser/tst/simple_tests/change_profile/ao_re_ok_3.sd new file mode
> 100644
> index 0000000..64bc3fb
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_re_ok_3.sd
> @@ -0,0 +1,67 @@
> +#
> +#=DESCRIPTION audit owner change_profile with name space
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   audit owner change_profile -> :foo:/bin/foo,
> +}
> +
> +/usr/bin/foo2 {
> +   audit owner change_profile -> :foo:/bin/fo*,
> +}
> +
> +/usr/bin/foo3 {
> +   audit owner change_profile -> :foo:/bin/fo**,
> +}
> +
> +/usr/bin/foo4 {
> +   audit owner change_profile -> :foo:/bin/fo?,
> +}
> +
> +/usr/bin/foo5 {
> +   audit owner change_profile -> :foo:/bin/fo[ab],
> +}
> +
> +/usr/bin/foo6 {
> +   audit owner change_profile -> :foo:/bin/fo[^ab],
> +}
> +
> +/usr/bin/foo7 {
> +   audit owner change_profile -> :fo*:/bin/foo,
> +}
> +
> +/usr/bin/foo8 {
> +   audit owner change_profile -> :fo**:/bin/foo,
> +}
> +
> +/usr/bin/foo9 {
> +   audit owner change_profile -> :fo?:/bin/foo,
> +}
> +
> +/usr/bin/foo10 {
> +   audit owner change_profile -> :fo[ab]:/bin/foo,
> +}
> +
> +/usr/bin/foo11 {
> +   audit owner change_profile -> :fo[^ab]:/bin/foo,
> +}
> +
> +/usr/bin/foo12 {
> +   audit owner change_profile -> :fo*:/bin/fo*,
> +}
> +
> +/usr/bin/foo13 {
> +   audit owner change_profile -> :fo**:/bin/fo**,
> +}
> +
> +/usr/bin/foo14 {
> +   audit owner change_profile -> :fo?:/bin/fo?,
> +}
> +
> +/usr/bin/foo15 {
> +   audit owner change_profile -> :fo[ab]:/bin/fo[ab],
> +}
> +
> +/usr/bin/foo16 {
> +   audit owner change_profile -> :fo[^ab]:/bin/fo[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ao_re_ok_4.sd
> b/parser/tst/simple_tests/change_profile/ao_re_ok_4.sd new file mode
> 100644
> index 0000000..dcc6ad0
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_re_ok_4.sd
> @@ -0,0 +1,51 @@
> +#
> +#=DESCRIPTION audit owner change_profile with a variable (LP:
> #390810) +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +@{LIBVIRT_RE}="libvirt*"
> +
> +/usr/bin/foo {
> +   audit owner change_profile -> @{LIBVIRT}-fo*,
> +}
> +
> +/usr/bin/foo2 {
> +   audit owner change_profile -> @{LIBVIRT}-fo**,
> +}
> +
> +/usr/bin/foo3 {
> +   audit owner change_profile -> @{LIBVIRT}-fo[ab],
> +}
> +
> +/usr/bin/foo4 {
> +   audit owner change_profile -> @{LIBVIRT}-fo[^ab],
> +}
> +
> +/usr/bin/foo5 {
> +   audit owner change_profile -> @{LIBVIRT}-fo?,
> +}
> +
> +/usr/bin/foo6 {
> +   audit owner change_profile -> @{LIBVIRT_RE}-foo,
> +}
> +
> +/usr/bin/foo7 {
> +   audit owner change_profile -> @{LIBVIRT_RE}-fo*,
> +}
> +
> +/usr/bin/foo8 {
> +   audit owner change_profile -> @{LIBVIRT_RE}-fo**,
> +}
> +
> +/usr/bin/foo9 {
> +   audit owner change_profile -> @{LIBVIRT_RE}-fo?,
> +}
> +
> +/usr/bin/foo10 {
> +   audit owner change_profile -> @{LIBVIRT_RE}-fo[ab],
> +}
> +
> +/usr/bin/foo11 {
> +   audit owner change_profile -> @{LIBVIRT_RE}-fo[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ao_re_ok_5.sd
> b/parser/tst/simple_tests/change_profile/ao_re_ok_5.sd new file mode
> 100644
> index 0000000..c836657
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_re_ok_5.sd
> @@ -0,0 +1,25 @@
> +#
> +#=DESCRIPTION audit owner change_profile with just res
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo {
> +   audit owner change_profile -> *,
> +}
> +
> +/usr/bin/foo2 {
> +   audit owner change_profile -> **,
> +}
> +
> +/usr/bin/foo3 {
> +   audit owner change_profile -> ?,
> +}
> +
> +/usr/bin/foo4 {
> +   audit owner change_profile -> [ab],
> +}
> +
> +/usr/bin/foo5 {
> +   audit owner change_profile -> [^ab],
> +}
> +
> diff --git a/parser/tst/simple_tests/change_profile/ao_re_ok_6.sd
> b/parser/tst/simple_tests/change_profile/ao_re_ok_6.sd new file mode
> 100644
> index 0000000..6607f1a
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_re_ok_6.sd
> @@ -0,0 +1,65 @@
> +#
> +#=DESCRIPTION audit owner change_profile with just res, child profile
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo {
> +   audit owner change_profile -> *//ab,
> +}
> +
> +/usr/bin/foo2 {
> +   audit owner change_profile -> **//ab,
> +}
> +
> +/usr/bin/foo3 {
> +   audit owner change_profile -> ?//ab,
> +}
> +
> +/usr/bin/foo4 {
> +   audit owner change_profile -> [ab]//ab,
> +}
> +
> +/usr/bin/foo5 {
> +   audit owner change_profile -> [^ab]//ab,
> +}
> +
> +/usr/bin/foo6 {
> +   audit owner change_profile -> ab//*,
> +}
> +
> +/usr/bin/foo7 {
> +   audit owner change_profile -> ab//**,
> +}
> +
> +/usr/bin/foo8 {
> +   audit owner change_profile -> ab//?,
> +}
> +
> +/usr/bin/foo9 {
> +   audit owner change_profile -> ab//[ab],
> +}
> +
> +/usr/bin/foo10 {
> +   audit owner change_profile -> ab//[^ab],
> +}
> +
> +/usr/bin/foo11 {
> +   audit owner change_profile -> *//*,
> +}
> +
> +/usr/bin/foo12 {
> +   audit owner change_profile -> **//*,
> +}
> +
> +/usr/bin/foo13 {
> +   audit owner change_profile -> ?//*,
> +}
> +
> +/usr/bin/foo14 {
> +   audit owner change_profile -> [ab]//*,
> +}
> +
> +/usr/bin/foo15 {
> +   audit owner change_profile -> [^ab]//*,
> +}
> +
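
Review bot: in ao_re_ok_6.sd the last five profiles (foo11 to foo15) vary only the parent side and always use * for the child: **//*, ?//*, [ab]//*, [^ab]//*. The namespace file ao_re_ok_7.sd and the hat file ao_re_ok_2.sd use the same pattern on both sides instead (:**:**, :?:?, /bin/fo**//ba**, ...), so the combinations **//**, ?//?, [ab]//[ab] and [^ab]//[^ab] are missing here. If the asymmetry is intentional, the DESCRIPTION should say so; otherwise align the last block with the other files.
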
> diff --git a/parser/tst/simple_tests/change_profile/ao_re_ok_7.sd
> b/parser/tst/simple_tests/change_profile/ao_re_ok_7.sd new file mode
> 100644
> index 0000000..a59eb3b
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_re_ok_7.sd
> @@ -0,0 +1,65 @@
> +#
> +#=DESCRIPTION audit owner change_profile with just re, namespace
> +#=EXRESULT FAIL
> +#
> +
> +
> +/usr/bin/foo {
> +   audit owner change_profile -> :ab:*,
> +}
> +
> +/usr/bin/foo2 {
> +   audit owner change_profile -> :ab:**,
> +}
> +
> +/usr/bin/foo3 {
> +   audit owner change_profile -> :ab:?,
> +}
> +
> +/usr/bin/foo4 {
> +   audit owner change_profile -> :ab:[ab],
> +}
> +
> +/usr/bin/foo5 {
> +   audit owner change_profile -> :ab:[^ab],
> +}
> +
> +/usr/bin/foo6 {
> +   audit owner change_profile -> :*:ab,
> +}
> +
> +/usr/bin/foo7 {
> +   audit owner change_profile -> :**:ab,
> +}
> +
> +/usr/bin/foo8 {
> +   audit owner change_profile -> :?:ab,
> +}
> +
> +/usr/bin/foo9 {
> +   audit owner change_profile -> :[ab]:ab,
> +}
> +
> +/usr/bin/foo10 {
> +   audit owner change_profile -> :[^ab]:ab,
> +}
> +
> +/usr/bin/foo11 {
> +   audit owner change_profile -> :*:*,
> +}
> +
> +/usr/bin/foo12 {
> +   audit owner change_profile -> :**:**,
> +}
> +
> +/usr/bin/foo13 {
> +   audit owner change_profile -> :?:?,
> +}
> +
> +/usr/bin/foo14 {
> +   audit owner change_profile -> :[ab]:[ab],
> +}
> +
> +/usr/bin/foo15 {
> +   audit owner change_profile -> :[^ab]:[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/ao_re_ok_8.sd
> b/parser/tst/simple_tests/change_profile/ao_re_ok_8.sd new file mode
> 100644
> index 0000000..8cb0171
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/ao_re_ok_8.sd
> @@ -0,0 +1,45 @@
> +#
> +#=DESCRIPTION audit owner change_profile re with quotes
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo5 {
> +   audit owner change_profile -> "/bin/*",
> +}
> +
> +/usr/bin/foo6 {
> +   audit owner change_profile -> "/bin/**",
> +}
> +
> +/usr/bin/foo7 {
> +   audit owner change_profile -> "/bin/[ab]",
> +}
> +
> +/usr/bin/foo8 {
> +   audit owner change_profile -> "/bin/[^ab]",
> +}
> +
> +/usr/bin/foo10 {
> +   audit owner change_profile -> "/bin/?ab",
> +}
> +
> +/usr/bin/foo11 {
> +   audit owner change_profile -> "/bin/ *",
> +}
> +
> +/usr/bin/foo12 {
> +   audit owner change_profile -> "/bin/ **",
> +}
> +
> +/usr/bin/foo13 {
> +   audit owner change_profile -> "/bin/ [ab]",
> +}
> +
> +/usr/bin/foo14 {
> +   audit owner change_profile -> "/bin/ [^ab]",
> +}
> +
> +/usr/bin/foo15 {
> +   audit owner change_profile -> "/bin/ ?ab",
> +}
> +

And some more files that need to be split into one failure per file and 
named *_bad_*

> diff --git a/parser/tst/simple_tests/change_profile/da_bare_ok_1.sd
> b/parser/tst/simple_tests/change_profile/da_bare_ok_1.sd new file
> mode 100644
> index 0000000..8a746df
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_bare_ok_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION deny audit change_profile

A comment "wrong order of audit and deny" would be helpful in this set 
of files.

> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny audit change_profile,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/da_ok_1.sd
> b/parser/tst/simple_tests/change_profile/da_ok_1.sd new file mode
> 100644
> index 0000000..a674722
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_ok_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION deny audit change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny audit change_profile -> /bin/foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/da_ok_2.sd
> b/parser/tst/simple_tests/change_profile/da_ok_2.sd new file mode
> 100644
> index 0000000..6f6674c
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_ok_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION deny audit change_profile to a hat
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny audit change_profile -> /bin/foo//bar,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/da_ok_3.sd
> b/parser/tst/simple_tests/change_profile/da_ok_3.sd new file mode
> 100644
> index 0000000..5ea2428
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_ok_3.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION deny audit change_profile with name space
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny audit change_profile -> :foo:/bin/foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/da_ok_4.sd
> b/parser/tst/simple_tests/change_profile/da_ok_4.sd new file mode
> 100644
> index 0000000..f92b6af
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_ok_4.sd
> @@ -0,0 +1,10 @@
> +#
> +#=DESCRIPTION deny audit change_profile with a variable (LP: #390810)
> +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +
> +/usr/bin/foo {
> +   deny audit change_profile -> @{LIBVIRT}-foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/da_ok_5.sd
> b/parser/tst/simple_tests/change_profile/da_ok_5.sd new file mode
> 100644
> index 0000000..0d690f1
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_ok_5.sd
> @@ -0,0 +1,10 @@
> +#
> +#=DESCRIPTION deny audit change_profile with variable+regex (LP:
> #390810) +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +
> +/usr/bin/foo {
> +   deny audit change_profile ->
> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, +}

Another set of files that should be named *_bad_*

> diff --git a/parser/tst/simple_tests/change_profile/da_ok_6.sd
> b/parser/tst/simple_tests/change_profile/da_ok_6.sd new file mode
> 100644
> index 0000000..5c23af5
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_ok_6.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION deny audit change_profile with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny audit change_profile -> "/bin/foo",
> +}
> +
> +/usr/bin/foo2 {
> +   deny audit change_profile -> "/bin/ foo",
> +}
> diff --git a/parser/tst/simple_tests/change_profile/da_ok_7.sd
> b/parser/tst/simple_tests/change_profile/da_ok_7.sd new file mode
> 100644
> index 0000000..573577a
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_ok_7.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION deny audit change_profile to a hat with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny audit change_profile -> "/bin/foo//bar",
> +}
> +
> +/usr/bin/foo2 {
> +   deny audit change_profile -> "/bin/foo// bar",
> +}
> diff --git a/parser/tst/simple_tests/change_profile/da_ok_8.sd
> b/parser/tst/simple_tests/change_profile/da_ok_8.sd new file mode
> 100644
> index 0000000..9858ef8
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_ok_8.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION deny audit change_profile with name space with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny audit change_profile -> ":foo:/bin/foo",
> +}
> +
> +/usr/bin/foo2 {
> +   deny audit change_profile -> ":foo:/bin/ foo",
> +}
> diff --git a/parser/tst/simple_tests/change_profile/da_re_ok_1.sd
> b/parser/tst/simple_tests/change_profile/da_re_ok_1.sd new file mode
> 100644
> index 0000000..a98ceb8
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_re_ok_1.sd
> @@ -0,0 +1,24 @@
> +#
> +#=DESCRIPTION deny audit change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny audit change_profile -> /bin/*,
> +}
> +
> +/usr/bin/foo2 {
> +   deny audit change_profile -> /bin/**,
> +}
> +
> +/usr/bin/foo3 {
> +   deny audit change_profile -> /bin/?,
> +}
> +
> +/usr/bin/foo4 {
> +   deny audit change_profile -> /bin/[ab],
> +}
> +
> +/usr/bin/foo5 {
> +   deny audit change_profile -> /bin/[^ab],
> +}
> +
> diff --git a/parser/tst/simple_tests/change_profile/da_re_ok_2.sd
> b/parser/tst/simple_tests/change_profile/da_re_ok_2.sd new file mode
> 100644
> index 0000000..40c4550
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_re_ok_2.sd
> @@ -0,0 +1,69 @@
> +#
> +#=DESCRIPTION deny audit change_profile to a hat
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny audit change_profile -> /bin/foo//bar,
> +}
> +
> +/usr/bin/foo2 {
> +   deny audit change_profile -> /bin/foo//ba*,
> +}
> +
> +/usr/bin/foo3 {
> +   deny audit change_profile -> /bin/foo//ba**,
> +}
> +
> +/usr/bin/foo4 {
> +   deny audit change_profile -> /bin/foo//ba?,
> +}
> +
> +/usr/bin/foo5 {
> +   deny audit change_profile -> /bin/foo//ba[ab],
> +}
> +
> +/usr/bin/foo6 {
> +   deny audit change_profile -> /bin/foo//ba[^ab],
> +}
> +
> +/usr/bin/foo7 {
> +   deny audit change_profile -> /bin/fo*//bar,
> +}
> +
> +/usr/bin/foo8 {
> +   deny audit change_profile -> /bin/fo**//bar,
> +}
> +
> +/usr/bin/foo9 {
> +   deny audit change_profile -> /bin/fo?//bar,
> +}
> +
> +/usr/bin/foo10 {
> +   deny audit change_profile -> /bin/fo[ab]//bar,
> +}
> +
> +/usr/bin/foo11 {
> +   deny audit change_profile -> /bin/fo[^ab]//bar,
> +}
> +
> +/usr/bin/foo12 {
> +   deny audit change_profile -> /bin/fo*//ba*,
> +}
> +
> +/usr/bin/foo13 {
> +   deny audit change_profile -> /bin/fo**//ba**,
> +}
> +
> +/usr/bin/foo14 {
> +   deny audit change_profile -> /bin/fo?//ba?,
> +}
> +
> +/usr/bin/foo15 {
> +   deny audit change_profile -> /bin/fo[ab]//ba[ab],
> +}
> +
> +/usr/bin/foo16 {
> +   deny audit change_profile -> /bin/fo[^ab]//ba[^ab],
> +}
> +
> +
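
Review bot: if the intended failure in da_re_ok_2.sd is the "deny audit" prefix order, as the reply above suggests, then all sixteen profiles fail for the same reason and the target variations (/bin/foo//ba*, /bin/fo[^ab]//bar, ...) add nothing beyond what da_ok_2.sd already checks. One wrong-order case per target form would give the same coverage with much less to maintain. If the full matrix is kept, the DESCRIPTION should state that the prefix order is what is being rejected.
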
> diff --git a/parser/tst/simple_tests/change_profile/da_re_ok_3.sd
> b/parser/tst/simple_tests/change_profile/da_re_ok_3.sd new file mode
> 100644
> index 0000000..a2f229a
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_re_ok_3.sd
> @@ -0,0 +1,67 @@
> +#
> +#=DESCRIPTION deny audit change_profile with name space
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny audit change_profile -> :foo:/bin/foo,
> +}
> +
> +/usr/bin/foo2 {
> +   deny audit change_profile -> :foo:/bin/fo*,
> +}
> +
> +/usr/bin/foo3 {
> +   deny audit change_profile -> :foo:/bin/fo**,
> +}
> +
> +/usr/bin/foo4 {
> +   deny audit change_profile -> :foo:/bin/fo?,
> +}
> +
> +/usr/bin/foo5 {
> +   deny audit change_profile -> :foo:/bin/fo[ab],
> +}
> +
> +/usr/bin/foo6 {
> +   deny audit change_profile -> :foo:/bin/fo[^ab],
> +}
> +
> +/usr/bin/foo7 {
> +   deny audit change_profile -> :fo*:/bin/foo,
> +}
> +
> +/usr/bin/foo8 {
> +   deny audit change_profile -> :fo**:/bin/foo,
> +}
> +
> +/usr/bin/foo9 {
> +   deny audit change_profile -> :fo?:/bin/foo,
> +}
> +
> +/usr/bin/foo10 {
> +   deny audit change_profile -> :fo[ab]:/bin/foo,
> +}
> +
> +/usr/bin/foo11 {
> +   deny audit change_profile -> :fo[^ab]:/bin/foo,
> +}
> +
> +/usr/bin/foo12 {
> +   deny audit change_profile -> :fo*:/bin/fo*,
> +}
> +
> +/usr/bin/foo13 {
> +   deny audit change_profile -> :fo**:/bin/fo**,
> +}
> +
> +/usr/bin/foo14 {
> +   deny audit change_profile -> :fo?:/bin/fo?,
> +}
> +
> +/usr/bin/foo15 {
> +   deny audit change_profile -> :fo[ab]:/bin/fo[ab],
> +}
> +
> +/usr/bin/foo16 {
> +   deny audit change_profile -> :fo[^ab]:/bin/fo[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/da_re_ok_4.sd
> b/parser/tst/simple_tests/change_profile/da_re_ok_4.sd new file mode
> 100644
> index 0000000..d32fce8
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_re_ok_4.sd
> @@ -0,0 +1,51 @@
> +#
> +#=DESCRIPTION deny audit change_profile with a variable (LP: #390810)
> +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +@{LIBVIRT_RE}="libvirt*"
> +
> +/usr/bin/foo {
> +   deny audit change_profile -> @{LIBVIRT}-fo*,
> +}
> +
> +/usr/bin/foo2 {
> +   deny audit change_profile -> @{LIBVIRT}-fo**,
> +}
> +
> +/usr/bin/foo3 {
> +   deny audit change_profile -> @{LIBVIRT}-fo[ab],
> +}
> +
> +/usr/bin/foo4 {
> +   deny audit change_profile -> @{LIBVIRT}-fo[^ab],
> +}
> +
> +/usr/bin/foo5 {
> +   deny audit change_profile -> @{LIBVIRT}-fo?,
> +}
> +
> +/usr/bin/foo6 {
> +   deny audit change_profile -> @{LIBVIRT_RE}-foo,
> +}
> +
> +/usr/bin/foo7 {
> +   deny audit change_profile -> @{LIBVIRT_RE}-fo*,
> +}
> +
> +/usr/bin/foo8 {
> +   deny audit change_profile -> @{LIBVIRT_RE}-fo**,
> +}
> +
> +/usr/bin/foo9 {
> +   deny audit change_profile -> @{LIBVIRT_RE}-fo?,
> +}
> +
> +/usr/bin/foo10 {
> +   deny audit change_profile -> @{LIBVIRT_RE}-fo[ab],
> +}
> +
> +/usr/bin/foo11 {
> +   deny audit change_profile -> @{LIBVIRT_RE}-fo[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/da_re_ok_5.sd
> b/parser/tst/simple_tests/change_profile/da_re_ok_5.sd new file mode
> 100644
> index 0000000..cf421f6
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_re_ok_5.sd
> @@ -0,0 +1,25 @@
> +#
> +#=DESCRIPTION deny audit change_profile with just res
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo {
> +   deny audit change_profile -> *,
> +}
> +
> +/usr/bin/foo2 {
> +   deny audit change_profile -> **,
> +}
> +
> +/usr/bin/foo3 {
> +   deny audit change_profile -> ?,
> +}
> +
> +/usr/bin/foo4 {
> +   deny audit change_profile -> [ab],
> +}
> +
> +/usr/bin/foo5 {
> +   deny audit change_profile -> [^ab],
> +}
> +
> diff --git a/parser/tst/simple_tests/change_profile/da_re_ok_6.sd
> b/parser/tst/simple_tests/change_profile/da_re_ok_6.sd new file mode
> 100644
> index 0000000..04096ec
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_re_ok_6.sd
> @@ -0,0 +1,65 @@
> +#
> +#=DESCRIPTION deny audit change_profile with just res, child profile
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo {
> +   deny audit change_profile -> *//ab,
> +}
> +
> +/usr/bin/foo2 {
> +   deny audit change_profile -> **//ab,
> +}
> +
> +/usr/bin/foo3 {
> +   deny audit change_profile -> ?//ab,
> +}
> +
> +/usr/bin/foo4 {
> +   deny audit change_profile -> [ab]//ab,
> +}
> +
> +/usr/bin/foo5 {
> +   deny audit change_profile -> [^ab]//ab,
> +}
> +
> +/usr/bin/foo6 {
> +   deny audit change_profile -> ab//*,
> +}
> +
> +/usr/bin/foo7 {
> +   deny audit change_profile -> ab//**,
> +}
> +
> +/usr/bin/foo8 {
> +   deny audit change_profile -> ab//?,
> +}
> +
> +/usr/bin/foo9 {
> +   deny audit change_profile -> ab//[ab],
> +}
> +
> +/usr/bin/foo10 {
> +   deny audit change_profile -> ab//[^ab],
> +}
> +
> +/usr/bin/foo11 {
> +   deny audit change_profile -> *//*,
> +}
> +
> +/usr/bin/foo12 {
> +   deny audit change_profile -> **//*,
> +}
> +
> +/usr/bin/foo13 {
> +   deny audit change_profile -> ?//*,
> +}
> +
> +/usr/bin/foo14 {
> +   deny audit change_profile -> [ab]//*,
> +}
> +
> +/usr/bin/foo15 {
> +   deny audit change_profile -> [^ab]//*,
> +}
> +
> diff --git a/parser/tst/simple_tests/change_profile/da_re_ok_7.sd
> b/parser/tst/simple_tests/change_profile/da_re_ok_7.sd new file mode
> 100644
> index 0000000..b676934
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_re_ok_7.sd
> @@ -0,0 +1,65 @@
> +#
> +#=DESCRIPTION deny audit change_profile with just re, namespace
> +#=EXRESULT FAIL
> +#
> +
> +
> +/usr/bin/foo {
> +   deny audit change_profile -> :ab:*,
> +}
> +
> +/usr/bin/foo2 {
> +   deny audit change_profile -> :ab:**,
> +}
> +
> +/usr/bin/foo3 {
> +   deny audit change_profile -> :ab:?,
> +}
> +
> +/usr/bin/foo4 {
> +   deny audit change_profile -> :ab:[ab],
> +}
> +
> +/usr/bin/foo5 {
> +   deny audit change_profile -> :ab:[^ab],
> +}
> +
> +/usr/bin/foo6 {
> +   deny audit change_profile -> :*:ab,
> +}
> +
> +/usr/bin/foo7 {
> +   deny audit change_profile -> :**:ab,
> +}
> +
> +/usr/bin/foo8 {
> +   deny audit change_profile -> :?:ab,
> +}
> +
> +/usr/bin/foo9 {
> +   deny audit change_profile -> :[ab]:ab,
> +}
> +
> +/usr/bin/foo10 {
> +   deny audit change_profile -> :[^ab]:ab,
> +}
> +
> +/usr/bin/foo11 {
> +   deny audit change_profile -> :*:*,
> +}
> +
> +/usr/bin/foo12 {
> +   deny audit change_profile -> :**:**,
> +}
> +
> +/usr/bin/foo13 {
> +   deny audit change_profile -> :?:?,
> +}
> +
> +/usr/bin/foo14 {
> +   deny audit change_profile -> :[ab]:[ab],
> +}
> +
> +/usr/bin/foo15 {
> +   deny audit change_profile -> :[^ab]:[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/da_re_ok_8.sd
> b/parser/tst/simple_tests/change_profile/da_re_ok_8.sd new file mode
> 100644
> index 0000000..d6e5ce2
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/da_re_ok_8.sd
> @@ -0,0 +1,45 @@
> +#
> +#=DESCRIPTION deny audit change_profile re with quotes
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo5 {
> +   deny audit change_profile -> "/bin/*",
> +}
> +
> +/usr/bin/foo6 {
> +   deny audit change_profile -> "/bin/**",
> +}
> +
> +/usr/bin/foo7 {
> +   deny audit change_profile -> "/bin/[ab]",
> +}
> +
> +/usr/bin/foo8 {
> +   deny audit change_profile -> "/bin/[^ab]",
> +}
> +
> +/usr/bin/foo10 {
> +   deny audit change_profile -> "/bin/?ab",
> +}
> +
> +/usr/bin/foo11 {
> +   deny audit change_profile -> "/bin/ *",
> +}
> +
> +/usr/bin/foo12 {
> +   deny audit change_profile -> "/bin/ **",
> +}
> +
> +/usr/bin/foo13 {
> +   deny audit change_profile -> "/bin/ [ab]",
> +}
> +
> +/usr/bin/foo14 {
> +   deny audit change_profile -> "/bin/ [^ab]",
> +}
> +
> +/usr/bin/foo15 {
> +   deny audit change_profile -> "/bin/ ?ab",
> +}
> +

Split and rename, please ;-)

> diff --git a/parser/tst/simple_tests/change_profile/do_bare_ok_1.sd
> b/parser/tst/simple_tests/change_profile/do_bare_ok_1.sd new file
> mode 100644
> index 0000000..1bbb68b
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_bare_ok_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION deny owner change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny owner change_profile,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/do_ok_1.sd
> b/parser/tst/simple_tests/change_profile/do_ok_1.sd new file mode
> 100644
> index 0000000..936b9de
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_ok_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION deny owner change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny owner change_profile -> /bin/foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/do_ok_2.sd
> b/parser/tst/simple_tests/change_profile/do_ok_2.sd new file mode
> 100644
> index 0000000..5911c3e
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_ok_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION deny owner change_profile to a hat
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny owner change_profile -> /bin/foo//bar,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/do_ok_3.sd
> b/parser/tst/simple_tests/change_profile/do_ok_3.sd new file mode
> 100644
> index 0000000..035c985
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_ok_3.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION deny owner change_profile with name space
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny owner change_profile -> :foo:/bin/foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/do_ok_4.sd
> b/parser/tst/simple_tests/change_profile/do_ok_4.sd new file mode
> 100644
> index 0000000..7d38642
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_ok_4.sd
> @@ -0,0 +1,10 @@
> +#
> +#=DESCRIPTION deny owner change_profile with a variable (LP: #390810)
> +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +
> +/usr/bin/foo {
> +   deny owner change_profile -> @{LIBVIRT}-foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/do_ok_5.sd
> b/parser/tst/simple_tests/change_profile/do_ok_5.sd new file mode
> 100644
> index 0000000..ebe9aca
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_ok_5.sd
> @@ -0,0 +1,10 @@
> +#
> +#=DESCRIPTION deny owner change_profile with variable+regex (LP:
> #390810) +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +
> +/usr/bin/foo {
> +   deny owner change_profile ->
> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, +}

Please rename those files to *_bad_*.

> diff --git a/parser/tst/simple_tests/change_profile/do_ok_6.sd
> b/parser/tst/simple_tests/change_profile/do_ok_6.sd new file mode
> 100644
> index 0000000..43b8884
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_ok_6.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION deny owner change_profile with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny owner change_profile -> "/bin/foo",
> +}
> +
> +/usr/bin/foo2 {
> +   deny owner change_profile -> "/bin/ foo",
> +}
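
Review bot: do_ok_6.sd puts two profiles under a single `#=EXRESULT FAIL`, so the test passes as soon as either rule is rejected, and the second rule (`"/bin/ foo"`, the one with the embedded space) is never shown to be rejected on its own. One rule per file would make each expected failure visible.
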
> diff --git a/parser/tst/simple_tests/change_profile/do_ok_7.sd
> b/parser/tst/simple_tests/change_profile/do_ok_7.sd new file mode
> 100644
> index 0000000..961e2dc
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_ok_7.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION deny owner change_profile to a hat with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny owner change_profile -> "/bin/foo//bar",
> +}
> +
> +/usr/bin/foo2 {
> +   deny owner change_profile -> "/bin/foo// bar",
> +}
> diff --git a/parser/tst/simple_tests/change_profile/do_ok_8.sd
> b/parser/tst/simple_tests/change_profile/do_ok_8.sd new file mode
> 100644
> index 0000000..6bb3bfb
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_ok_8.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION deny owner change_profile with name space with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny owner change_profile -> ":foo:/bin/foo",
> +}
> +
> +/usr/bin/foo2 {
> +   deny owner change_profile -> ":foo:/bin/ foo",
> +}
> diff --git a/parser/tst/simple_tests/change_profile/do_re_ok_1.sd
> b/parser/tst/simple_tests/change_profile/do_re_ok_1.sd new file mode
> 100644
> index 0000000..2e34dfd
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_re_ok_1.sd
> @@ -0,0 +1,24 @@
> +#
> +#=DESCRIPTION deny owner change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny owner change_profile -> /bin/*,
> +}
> +
> +/usr/bin/foo2 {
> +   deny owner change_profile -> /bin/**,
> +}
> +
> +/usr/bin/foo3 {
> +   deny owner change_profile -> /bin/?,
> +}
> +
> +/usr/bin/foo4 {
> +   deny owner change_profile -> /bin/[ab],
> +}
> +
> +/usr/bin/foo5 {
> +   deny owner change_profile -> /bin/[^ab],
> +}
> +
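
Review bot: the `#=DESCRIPTION` in do_re_ok_1.sd reads only "deny owner change_profile", although every target in the file is a pattern (`/bin/*`, `/bin/**`, `/bin/?`, `/bin/[ab]`, `/bin/[^ab]`). Please mention the pattern matching in the description, and drop the empty line at the end of the file.
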
> diff --git a/parser/tst/simple_tests/change_profile/do_re_ok_2.sd
> b/parser/tst/simple_tests/change_profile/do_re_ok_2.sd new file mode
> 100644
> index 0000000..d036778
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_re_ok_2.sd
> @@ -0,0 +1,69 @@
> +#
> +#=DESCRIPTION deny owner change_profile to a hat
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny owner change_profile -> /bin/foo//bar,
> +}
> +
> +/usr/bin/foo2 {
> +   deny owner change_profile -> /bin/foo//ba*,
> +}
> +
> +/usr/bin/foo3 {
> +   deny owner change_profile -> /bin/foo//ba**,
> +}
> +
> +/usr/bin/foo4 {
> +   deny owner change_profile -> /bin/foo//ba?,
> +}
> +
> +/usr/bin/foo5 {
> +   deny owner change_profile -> /bin/foo//ba[ab],
> +}
> +
> +/usr/bin/foo6 {
> +   deny owner change_profile -> /bin/foo//ba[^ab],
> +}
> +
> +/usr/bin/foo7 {
> +   deny owner change_profile -> /bin/fo*//bar,
> +}
> +
> +/usr/bin/foo8 {
> +   deny owner change_profile -> /bin/fo**//bar,
> +}
> +
> +/usr/bin/foo9 {
> +   deny owner change_profile -> /bin/fo?//bar,
> +}
> +
> +/usr/bin/foo10 {
> +   deny owner change_profile -> /bin/fo[ab]//bar,
> +}
> +
> +/usr/bin/foo11 {
> +   deny owner change_profile -> /bin/fo[^ab]//bar,
> +}
> +
> +/usr/bin/foo12 {
> +   deny owner change_profile -> /bin/fo*//ba*,
> +}
> +
> +/usr/bin/foo13 {
> +   deny owner change_profile -> /bin/fo**//ba**,
> +}
> +
> +/usr/bin/foo14 {
> +   deny owner change_profile -> /bin/fo?//ba?,
> +}
> +
> +/usr/bin/foo15 {
> +   deny owner change_profile -> /bin/fo[ab]//ba[ab],
> +}
> +
> +/usr/bin/foo16 {
> +   deny owner change_profile -> /bin/fo[^ab]//ba[^ab],
> +}
> +
> +
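
Review bot: the first profile in do_re_ok_2.sd targets `/bin/foo//bar`, which contains no pattern character and repeats the rule already in do_ok_2.sd; in a file of pattern tests it adds no coverage and can be dropped. The file also ends with two empty lines that should go.
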
> diff --git a/parser/tst/simple_tests/change_profile/do_re_ok_3.sd
> b/parser/tst/simple_tests/change_profile/do_re_ok_3.sd new file mode
> 100644
> index 0000000..0b18b96
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_re_ok_3.sd
> @@ -0,0 +1,67 @@
> +#
> +#=DESCRIPTION deny owner change_profile with name space
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   deny owner change_profile -> :foo:/bin/foo,
> +}
> +
> +/usr/bin/foo2 {
> +   deny owner change_profile -> :foo:/bin/fo*,
> +}
> +
> +/usr/bin/foo3 {
> +   deny owner change_profile -> :foo:/bin/fo**,
> +}
> +
> +/usr/bin/foo4 {
> +   deny owner change_profile -> :foo:/bin/fo?,
> +}
> +
> +/usr/bin/foo5 {
> +   deny owner change_profile -> :foo:/bin/fo[ab],
> +}
> +
> +/usr/bin/foo6 {
> +   deny owner change_profile -> :foo:/bin/fo[^ab],
> +}
> +
> +/usr/bin/foo7 {
> +   deny owner change_profile -> :fo*:/bin/foo,
> +}
> +
> +/usr/bin/foo8 {
> +   deny owner change_profile -> :fo**:/bin/foo,
> +}
> +
> +/usr/bin/foo9 {
> +   deny owner change_profile -> :fo?:/bin/foo,
> +}
> +
> +/usr/bin/foo10 {
> +   deny owner change_profile -> :fo[ab]:/bin/foo,
> +}
> +
> +/usr/bin/foo11 {
> +   deny owner change_profile -> :fo[^ab]:/bin/foo,
> +}
> +
> +/usr/bin/foo12 {
> +   deny owner change_profile -> :fo*:/bin/fo*,
> +}
> +
> +/usr/bin/foo13 {
> +   deny owner change_profile -> :fo**:/bin/fo**,
> +}
> +
> +/usr/bin/foo14 {
> +   deny owner change_profile -> :fo?:/bin/fo?,
> +}
> +
> +/usr/bin/foo15 {
> +   deny owner change_profile -> :fo[ab]:/bin/fo[ab],
> +}
> +
> +/usr/bin/foo16 {
> +   deny owner change_profile -> :fo[^ab]:/bin/fo[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/do_re_ok_4.sd
> b/parser/tst/simple_tests/change_profile/do_re_ok_4.sd new file mode
> 100644
> index 0000000..72df117
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_re_ok_4.sd
> @@ -0,0 +1,51 @@
> +#
> +#=DESCRIPTION deny owner change_profile with a variable (LP: #390810)
> +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +@{LIBVIRT_RE}="libvirt*"
> +
> +/usr/bin/foo {
> +   deny owner change_profile -> @{LIBVIRT}-fo*,
> +}
> +
> +/usr/bin/foo2 {
> +   deny owner change_profile -> @{LIBVIRT}-fo**,
> +}
> +
> +/usr/bin/foo3 {
> +   deny owner change_profile -> @{LIBVIRT}-fo[ab],
> +}
> +
> +/usr/bin/foo4 {
> +   deny owner change_profile -> @{LIBVIRT}-fo[^ab],
> +}
> +
> +/usr/bin/foo5 {
> +   deny owner change_profile -> @{LIBVIRT}-fo?,
> +}
> +
> +/usr/bin/foo6 {
> +   deny owner change_profile -> @{LIBVIRT_RE}-foo,
> +}
> +
> +/usr/bin/foo7 {
> +   deny owner change_profile -> @{LIBVIRT_RE}-fo*,
> +}
> +
> +/usr/bin/foo8 {
> +   deny owner change_profile -> @{LIBVIRT_RE}-fo**,
> +}
> +
> +/usr/bin/foo9 {
> +   deny owner change_profile -> @{LIBVIRT_RE}-fo?,
> +}
> +
> +/usr/bin/foo10 {
> +   deny owner change_profile -> @{LIBVIRT_RE}-fo[ab],
> +}
> +
> +/usr/bin/foo11 {
> +   deny owner change_profile -> @{LIBVIRT_RE}-fo[^ab],
> +}
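
Review bot: do_re_ok_4.sd introduces `@{LIBVIRT_RE}="libvirt*"`, a variable whose value itself contains a wildcard, but the `#=DESCRIPTION` still says only "with a variable". Please mention the wildcard inside the variable value, since `@{LIBVIRT_RE}-foo` in /usr/bin/foo6 is the only rule here where the pattern comes from the variable alone.
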
> diff --git a/parser/tst/simple_tests/change_profile/do_re_ok_5.sd
> b/parser/tst/simple_tests/change_profile/do_re_ok_5.sd new file mode
> 100644
> index 0000000..cb464bd
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_re_ok_5.sd
> @@ -0,0 +1,25 @@
> +#
> +#=DESCRIPTION deny owner change_profile with just res
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo {
> +   deny owner change_profile -> *,
> +}
> +
> +/usr/bin/foo2 {
> +   deny owner change_profile -> **,
> +}
> +
> +/usr/bin/foo3 {
> +   deny owner change_profile -> ?,
> +}
> +
> +/usr/bin/foo4 {
> +   deny owner change_profile -> [ab],
> +}
> +
> +/usr/bin/foo5 {
> +   deny owner change_profile -> [^ab],
> +}
> +
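
Review bot: "with just res" in the `#=DESCRIPTION` of do_re_ok_5.sd is hard to read, and do_re_ok_7.sd says "with just re" for the same idea. Please spell it out, for example "target consists only of a pattern", and use the same wording in both files.
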
> diff --git a/parser/tst/simple_tests/change_profile/do_re_ok_6.sd
> b/parser/tst/simple_tests/change_profile/do_re_ok_6.sd new file mode
> 100644
> index 0000000..9a1504e
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_re_ok_6.sd
> @@ -0,0 +1,65 @@
> +#
> +#=DESCRIPTION deny owner change_profile with just res, child profile
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo {
> +   deny owner change_profile -> *//ab,
> +}
> +
> +/usr/bin/foo2 {
> +   deny owner change_profile -> **//ab,
> +}
> +
> +/usr/bin/foo3 {
> +   deny owner change_profile -> ?//ab,
> +}
> +
> +/usr/bin/foo4 {
> +   deny owner change_profile -> [ab]//ab,
> +}
> +
> +/usr/bin/foo5 {
> +   deny owner change_profile -> [^ab]//ab,
> +}
> +
> +/usr/bin/foo6 {
> +   deny owner change_profile -> ab//*,
> +}
> +
> +/usr/bin/foo7 {
> +   deny owner change_profile -> ab//**,
> +}
> +
> +/usr/bin/foo8 {
> +   deny owner change_profile -> ab//?,
> +}
> +
> +/usr/bin/foo9 {
> +   deny owner change_profile -> ab//[ab],
> +}
> +
> +/usr/bin/foo10 {
> +   deny owner change_profile -> ab//[^ab],
> +}
> +
> +/usr/bin/foo11 {
> +   deny owner change_profile -> *//*,
> +}
> +
> +/usr/bin/foo12 {
> +   deny owner change_profile -> **//*,
> +}
> +
> +/usr/bin/foo13 {
> +   deny owner change_profile -> ?//*,
> +}
> +
> +/usr/bin/foo14 {
> +   deny owner change_profile -> [ab]//*,
> +}
> +
> +/usr/bin/foo15 {
> +   deny owner change_profile -> [^ab]//*,
> +}
> +
> diff --git a/parser/tst/simple_tests/change_profile/do_re_ok_7.sd
> b/parser/tst/simple_tests/change_profile/do_re_ok_7.sd new file mode
> 100644
> index 0000000..3fea263
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_re_ok_7.sd
> @@ -0,0 +1,65 @@
> +#
> +#=DESCRIPTION deny owner change_profile with just re, namespace
> +#=EXRESULT FAIL
> +#
> +
> +
> +/usr/bin/foo {
> +   deny owner change_profile -> :ab:*,
> +}
> +
> +/usr/bin/foo2 {
> +   deny owner change_profile -> :ab:**,
> +}
> +
> +/usr/bin/foo3 {
> +   deny owner change_profile -> :ab:?,
> +}
> +
> +/usr/bin/foo4 {
> +   deny owner change_profile -> :ab:[ab],
> +}
> +
> +/usr/bin/foo5 {
> +   deny owner change_profile -> :ab:[^ab],
> +}
> +
> +/usr/bin/foo6 {
> +   deny owner change_profile -> :*:ab,
> +}
> +
> +/usr/bin/foo7 {
> +   deny owner change_profile -> :**:ab,
> +}
> +
> +/usr/bin/foo8 {
> +   deny owner change_profile -> :?:ab,
> +}
> +
> +/usr/bin/foo9 {
> +   deny owner change_profile -> :[ab]:ab,
> +}
> +
> +/usr/bin/foo10 {
> +   deny owner change_profile -> :[^ab]:ab,
> +}
> +
> +/usr/bin/foo11 {
> +   deny owner change_profile -> :*:*,
> +}
> +
> +/usr/bin/foo12 {
> +   deny owner change_profile -> :**:**,
> +}
> +
> +/usr/bin/foo13 {
> +   deny owner change_profile -> :?:?,
> +}
> +
> +/usr/bin/foo14 {
> +   deny owner change_profile -> :[ab]:[ab],
> +}
> +
> +/usr/bin/foo15 {
> +   deny owner change_profile -> :[^ab]:[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/do_re_ok_8.sd
> b/parser/tst/simple_tests/change_profile/do_re_ok_8.sd new file mode
> 100644
> index 0000000..d5653cc
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/do_re_ok_8.sd
> @@ -0,0 +1,45 @@
> +#
> +#=DESCRIPTION deny owner change_profile re with quotes
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo5 {
> +   deny owner change_profile -> "/bin/*",
> +}
> +
> +/usr/bin/foo6 {
> +   deny owner change_profile -> "/bin/**",
> +}
> +
> +/usr/bin/foo7 {
> +   deny owner change_profile -> "/bin/[ab]",
> +}
> +
> +/usr/bin/foo8 {
> +   deny owner change_profile -> "/bin/[^ab]",
> +}
> +
> +/usr/bin/foo10 {
> +   deny owner change_profile -> "/bin/?ab",
> +}
> +
> +/usr/bin/foo11 {
> +   deny owner change_profile -> "/bin/ *",
> +}
> +
> +/usr/bin/foo12 {
> +   deny owner change_profile -> "/bin/ **",
> +}
> +
> +/usr/bin/foo13 {
> +   deny owner change_profile -> "/bin/ [ab]",
> +}
> +
> +/usr/bin/foo14 {
> +   deny owner change_profile -> "/bin/ [^ab]",
> +}
> +
> +/usr/bin/foo15 {
> +   deny owner change_profile -> "/bin/ ?ab",
> +}
> +
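
Review bot: the profile names in do_re_ok_8.sd start at /usr/bin/foo5 and skip foo9, which looks like a leftover from removed cases; please renumber. The quoted `?` cases are also `"/bin/?ab"` and `"/bin/ ?ab"`, while the unquoted file do_re_ok_1.sd tests `/bin/?`, so a quoted `"/bin/?"` case is missing if the two files are meant to mirror each other.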

Split and rename, please.

> diff --git a/parser/tst/simple_tests/change_profile/o_bare_ok_1.sd
> b/parser/tst/simple_tests/change_profile/o_bare_ok_1.sd new file mode
> 100644
> index 0000000..abb7fd1
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_bare_ok_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION owner change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   owner change_profile,
> +}
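
Review bot: o_bare_ok_1.sd and o_ok_1.sd carry the same `#=DESCRIPTION owner change_profile`, although this file tests the rule without a target (`owner change_profile,`). Please say so in the description, for example "bare owner change_profile", so the two show up as distinct tests in the results.
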
> diff --git a/parser/tst/simple_tests/change_profile/o_ok_1.sd
> b/parser/tst/simple_tests/change_profile/o_ok_1.sd new file mode
> 100644
> index 0000000..139ca06
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_ok_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION owner change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   owner change_profile -> /bin/foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/o_ok_2.sd
> b/parser/tst/simple_tests/change_profile/o_ok_2.sd new file mode
> 100644
> index 0000000..988f129
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_ok_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION owner change_profile to a hat
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   owner change_profile -> /bin/foo//bar,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/o_ok_3.sd
> b/parser/tst/simple_tests/change_profile/o_ok_3.sd new file mode
> 100644
> index 0000000..3ab1077
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_ok_3.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION owner change_profile with name space
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   owner change_profile -> :foo:/bin/foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/o_ok_4.sd
> b/parser/tst/simple_tests/change_profile/o_ok_4.sd new file mode
> 100644
> index 0000000..58f3900
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_ok_4.sd
> @@ -0,0 +1,10 @@
> +#
> +#=DESCRIPTION owner change_profile with a variable (LP: #390810)
> +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +
> +/usr/bin/foo {
> +   owner change_profile -> @{LIBVIRT}-foo,
> +}
> diff --git a/parser/tst/simple_tests/change_profile/o_ok_5.sd
> b/parser/tst/simple_tests/change_profile/o_ok_5.sd new file mode
> 100644
> index 0000000..28f979d
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_ok_5.sd
> @@ -0,0 +1,10 @@
> +#
> +#=DESCRIPTION owner change_profile with variable+regex (LP: #390810)
> +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +
> +/usr/bin/foo {
> +   owner change_profile ->
> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, +}

Please rename to *_bad_*

> diff --git a/parser/tst/simple_tests/change_profile/o_ok_6.sd
> b/parser/tst/simple_tests/change_profile/o_ok_6.sd new file mode
> 100644
> index 0000000..d10c379
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_ok_6.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION owner change_profile with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   owner change_profile -> "/bin/foo",
> +}
> +
> +/usr/bin/foo2 {
> +   owner change_profile -> "/bin/ foo",
> +}
> diff --git a/parser/tst/simple_tests/change_profile/o_ok_7.sd
> b/parser/tst/simple_tests/change_profile/o_ok_7.sd new file mode
> 100644
> index 0000000..18dc44a
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_ok_7.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION owner change_profile to a hat with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   owner change_profile -> "/bin/foo//bar",
> +}
> +
> +/usr/bin/foo2 {
> +   owner change_profile -> "/bin/foo// bar",
> +}
> diff --git a/parser/tst/simple_tests/change_profile/o_ok_8.sd
> b/parser/tst/simple_tests/change_profile/o_ok_8.sd new file mode
> 100644
> index 0000000..0046fb5
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_ok_8.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION owner change_profile with name space with quotes
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   owner change_profile -> ":foo:/bin/foo",
> +}
> +
> +/usr/bin/foo2 {
> +   owner change_profile -> ":foo:/bin/ foo",
> +}
> diff --git a/parser/tst/simple_tests/change_profile/o_re_ok_1.sd
> b/parser/tst/simple_tests/change_profile/o_re_ok_1.sd new file mode
> 100644
> index 0000000..cea35d2
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_re_ok_1.sd
> @@ -0,0 +1,24 @@
> +#
> +#=DESCRIPTION owner change_profile
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   owner change_profile -> /bin/*,
> +}
> +
> +/usr/bin/foo2 {
> +   owner change_profile -> /bin/**,
> +}
> +
> +/usr/bin/foo3 {
> +   owner change_profile -> /bin/?,
> +}
> +
> +/usr/bin/foo4 {
> +   owner change_profile -> /bin/[ab],
> +}
> +
> +/usr/bin/foo5 {
> +   owner change_profile -> /bin/[^ab],
> +}
> +
> diff --git a/parser/tst/simple_tests/change_profile/o_re_ok_2.sd
> b/parser/tst/simple_tests/change_profile/o_re_ok_2.sd new file mode
> 100644
> index 0000000..bcfec4e
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_re_ok_2.sd
> @@ -0,0 +1,69 @@
> +#
> +#=DESCRIPTION owner change_profile to a hat
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   owner change_profile -> /bin/foo//bar,
> +}
> +
> +/usr/bin/foo2 {
> +   owner change_profile -> /bin/foo//ba*,
> +}
> +
> +/usr/bin/foo3 {
> +   owner change_profile -> /bin/foo//ba**,
> +}
> +
> +/usr/bin/foo4 {
> +   owner change_profile -> /bin/foo//ba?,
> +}
> +
> +/usr/bin/foo5 {
> +   owner change_profile -> /bin/foo//ba[ab],
> +}
> +
> +/usr/bin/foo6 {
> +   owner change_profile -> /bin/foo//ba[^ab],
> +}
> +
> +/usr/bin/foo7 {
> +   owner change_profile -> /bin/fo*//bar,
> +}
> +
> +/usr/bin/foo8 {
> +   owner change_profile -> /bin/fo**//bar,
> +}
> +
> +/usr/bin/foo9 {
> +   owner change_profile -> /bin/fo?//bar,
> +}
> +
> +/usr/bin/foo10 {
> +   owner change_profile -> /bin/fo[ab]//bar,
> +}
> +
> +/usr/bin/foo11 {
> +   owner change_profile -> /bin/fo[^ab]//bar,
> +}
> +
> +/usr/bin/foo12 {
> +   owner change_profile -> /bin/fo*//ba*,
> +}
> +
> +/usr/bin/foo13 {
> +   owner change_profile -> /bin/fo**//ba**,
> +}
> +
> +/usr/bin/foo14 {
> +   owner change_profile -> /bin/fo?//ba?,
> +}
> +
> +/usr/bin/foo15 {
> +   owner change_profile -> /bin/fo[ab]//ba[ab],
> +}
> +
> +/usr/bin/foo16 {
> +   owner change_profile -> /bin/fo[^ab]//ba[^ab],
> +}
> +
> +
> diff --git a/parser/tst/simple_tests/change_profile/o_re_ok_3.sd
> b/parser/tst/simple_tests/change_profile/o_re_ok_3.sd new file mode
> 100644
> index 0000000..3f3d314
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_re_ok_3.sd
> @@ -0,0 +1,67 @@
> +#
> +#=DESCRIPTION owner change_profile with name space
> +#=EXRESULT FAIL
> +#
> +/usr/bin/foo {
> +   owner change_profile -> :foo:/bin/foo,
> +}
> +
> +/usr/bin/foo2 {
> +   owner change_profile -> :foo:/bin/fo*,
> +}
> +
> +/usr/bin/foo3 {
> +   owner change_profile -> :foo:/bin/fo**,
> +}
> +
> +/usr/bin/foo4 {
> +   owner change_profile -> :foo:/bin/fo?,
> +}
> +
> +/usr/bin/foo5 {
> +   owner change_profile -> :foo:/bin/fo[ab],
> +}
> +
> +/usr/bin/foo6 {
> +   owner change_profile -> :foo:/bin/fo[^ab],
> +}
> +
> +/usr/bin/foo7 {
> +   owner change_profile -> :fo*:/bin/foo,
> +}
> +
> +/usr/bin/foo8 {
> +   owner change_profile -> :fo**:/bin/foo,
> +}
> +
> +/usr/bin/foo9 {
> +   owner change_profile -> :fo?:/bin/foo,
> +}
> +
> +/usr/bin/foo10 {
> +   owner change_profile -> :fo[ab]:/bin/foo,
> +}
> +
> +/usr/bin/foo11 {
> +   owner change_profile -> :fo[^ab]:/bin/foo,
> +}
> +
> +/usr/bin/foo12 {
> +   owner change_profile -> :fo*:/bin/fo*,
> +}
> +
> +/usr/bin/foo13 {
> +   owner change_profile -> :fo**:/bin/fo**,
> +}
> +
> +/usr/bin/foo14 {
> +   owner change_profile -> :fo?:/bin/fo?,
> +}
> +
> +/usr/bin/foo15 {
> +   owner change_profile -> :fo[ab]:/bin/fo[ab],
> +}
> +
> +/usr/bin/foo16 {
> +   owner change_profile -> :fo[^ab]:/bin/fo[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/o_re_ok_4.sd
> b/parser/tst/simple_tests/change_profile/o_re_ok_4.sd new file mode
> 100644
> index 0000000..9686081
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_re_ok_4.sd
> @@ -0,0 +1,51 @@
> +#
> +#=DESCRIPTION owner change_profile with a variable (LP: #390810)
> +#=EXRESULT FAIL
> +#
> +
> +@{LIBVIRT}="libvirt"
> +@{LIBVIRT_RE}="libvirt*"
> +
> +/usr/bin/foo {
> +   owner change_profile -> @{LIBVIRT}-fo*,
> +}
> +
> +/usr/bin/foo2 {
> +   owner change_profile -> @{LIBVIRT}-fo**,
> +}
> +
> +/usr/bin/foo3 {
> +   owner change_profile -> @{LIBVIRT}-fo[ab],
> +}
> +
> +/usr/bin/foo4 {
> +   owner change_profile -> @{LIBVIRT}-fo[^ab],
> +}
> +
> +/usr/bin/foo5 {
> +   owner change_profile -> @{LIBVIRT}-fo?,
> +}
> +
> +/usr/bin/foo6 {
> +   owner change_profile -> @{LIBVIRT_RE}-foo,
> +}
> +
> +/usr/bin/foo7 {
> +   owner change_profile -> @{LIBVIRT_RE}-fo*,
> +}
> +
> +/usr/bin/foo8 {
> +   owner change_profile -> @{LIBVIRT_RE}-fo**,
> +}
> +
> +/usr/bin/foo9 {
> +   owner change_profile -> @{LIBVIRT_RE}-fo?,
> +}
> +
> +/usr/bin/foo10 {
> +   owner change_profile -> @{LIBVIRT_RE}-fo[ab],
> +}
> +
> +/usr/bin/foo11 {
> +   owner change_profile -> @{LIBVIRT_RE}-fo[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/o_re_ok_5.sd
> b/parser/tst/simple_tests/change_profile/o_re_ok_5.sd new file mode
> 100644
> index 0000000..3d13d8b
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_re_ok_5.sd
> @@ -0,0 +1,25 @@
> +#
> +#=DESCRIPTION owner change_profile with just res
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo {
> +   owner change_profile -> *,
> +}
> +
> +/usr/bin/foo2 {
> +   owner change_profile -> **,
> +}
> +
> +/usr/bin/foo3 {
> +   owner change_profile -> ?,
> +}
> +
> +/usr/bin/foo4 {
> +   owner change_profile -> [ab],
> +}
> +
> +/usr/bin/foo5 {
> +   owner change_profile -> [^ab],
> +}
> +
> diff --git a/parser/tst/simple_tests/change_profile/o_re_ok_6.sd
> b/parser/tst/simple_tests/change_profile/o_re_ok_6.sd new file mode
> 100644
> index 0000000..1d4206c
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_re_ok_6.sd
> @@ -0,0 +1,65 @@
> +#
> +#=DESCRIPTION owner change_profile with just res, child profile
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo {
> +   owner change_profile -> *//ab,
> +}
> +
> +/usr/bin/foo2 {
> +   owner change_profile -> **//ab,
> +}
> +
> +/usr/bin/foo3 {
> +   owner change_profile -> ?//ab,
> +}
> +
> +/usr/bin/foo4 {
> +   owner change_profile -> [ab]//ab,
> +}
> +
> +/usr/bin/foo5 {
> +   owner change_profile -> [^ab]//ab,
> +}
> +
> +/usr/bin/foo6 {
> +   owner change_profile -> ab//*,
> +}
> +
> +/usr/bin/foo7 {
> +   owner change_profile -> ab//**,
> +}
> +
> +/usr/bin/foo8 {
> +   owner change_profile -> ab//?,
> +}
> +
> +/usr/bin/foo9 {
> +   owner change_profile -> ab//[ab],
> +}
> +
> +/usr/bin/foo10 {
> +   owner change_profile -> ab//[^ab],
> +}
> +
> +/usr/bin/foo11 {
> +   owner change_profile -> *//*,
> +}
> +
> +/usr/bin/foo12 {
> +   owner change_profile -> **//*,
> +}
> +
> +/usr/bin/foo13 {
> +   owner change_profile -> ?//*,
> +}
> +
> +/usr/bin/foo14 {
> +   owner change_profile -> [ab]//*,
> +}
> +
> +/usr/bin/foo15 {
> +   owner change_profile -> [^ab]//*,
> +}
> +
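
Review bot: the `#=DESCRIPTION` in o_re_ok_6.sd calls the `//` targets "child profile", while o_ok_2.sd and o_re_ok_2.sd describe the same `//` syntax as "to a hat". Please pick one term for all of these descriptions.
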
> diff --git a/parser/tst/simple_tests/change_profile/o_re_ok_7.sd
> b/parser/tst/simple_tests/change_profile/o_re_ok_7.sd new file mode
> 100644
> index 0000000..b427185
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_re_ok_7.sd
> @@ -0,0 +1,65 @@
> +#
> +#=DESCRIPTION owner change_profile with just re, namespace
> +#=EXRESULT FAIL
> +#
> +
> +
> +/usr/bin/foo {
> +   owner change_profile -> :ab:*,
> +}
> +
> +/usr/bin/foo2 {
> +   owner change_profile -> :ab:**,
> +}
> +
> +/usr/bin/foo3 {
> +   owner change_profile -> :ab:?,
> +}
> +
> +/usr/bin/foo4 {
> +   owner change_profile -> :ab:[ab],
> +}
> +
> +/usr/bin/foo5 {
> +   owner change_profile -> :ab:[^ab],
> +}
> +
> +/usr/bin/foo6 {
> +   owner change_profile -> :*:ab,
> +}
> +
> +/usr/bin/foo7 {
> +   owner change_profile -> :**:ab,
> +}
> +
> +/usr/bin/foo8 {
> +   owner change_profile -> :?:ab,
> +}
> +
> +/usr/bin/foo9 {
> +   owner change_profile -> :[ab]:ab,
> +}
> +
> +/usr/bin/foo10 {
> +   owner change_profile -> :[^ab]:ab,
> +}
> +
> +/usr/bin/foo11 {
> +   owner change_profile -> :*:*,
> +}
> +
> +/usr/bin/foo12 {
> +   owner change_profile -> :**:**,
> +}
> +
> +/usr/bin/foo13 {
> +   owner change_profile -> :?:?,
> +}
> +
> +/usr/bin/foo14 {
> +   owner change_profile -> :[ab]:[ab],
> +}
> +
> +/usr/bin/foo15 {
> +   owner change_profile -> :[^ab]:[^ab],
> +}
> diff --git a/parser/tst/simple_tests/change_profile/o_re_ok_8.sd
> b/parser/tst/simple_tests/change_profile/o_re_ok_8.sd new file mode
> 100644
> index 0000000..9a98fce
> --- /dev/null
> +++ b/parser/tst/simple_tests/change_profile/o_re_ok_8.sd
> @@ -0,0 +1,45 @@
> +#
> +#=DESCRIPTION owner change_profile re with quotes
> +#=EXRESULT FAIL
> +#
> +
> +/usr/bin/foo5 {
> +   owner change_profile -> "/bin/*",
> +}
> +
> +/usr/bin/foo6 {
> +   owner change_profile -> "/bin/**",
> +}
> +
> +/usr/bin/foo7 {
> +   owner change_profile -> "/bin/[ab]",
> +}
> +
> +/usr/bin/foo8 {
> +   owner change_profile -> "/bin/[^ab]",
> +}
> +
> +/usr/bin/foo10 {
> +   owner change_profile -> "/bin/?ab",
> +}
> +
> +/usr/bin/foo11 {
> +   owner change_profile -> "/bin/ *",
> +}
> +
> +/usr/bin/foo12 {
> +   owner change_profile -> "/bin/ **",
> +}
> +
> +/usr/bin/foo13 {
> +   owner change_profile -> "/bin/ [ab]",
> +}
> +
> +/usr/bin/foo14 {
> +   owner change_profile -> "/bin/ [^ab]",
> +}
> +
> +/usr/bin/foo15 {
> +   owner change_profile -> "/bin/ ?ab",
> +}
> +

Please also split and rename those files.


Regards,

Christian Boltz
-- 
What the farmer doesn't know, he won't eat. If the city dweller knew
what he eats, he would become a farmer at once. [Oliver Hassencamp]




