The following is a patch against the parser's policy equality and inequality test script that demonstrates that 'deny change_profile' policy is not being generated correctly:
Index: b/parser/tst/equality.sh =================================================================== --- a/parser/tst/equality.sh +++ b/parser/tst/equality.sh @@ -285,7 +285,8 @@ for rule in "capability" "capability mac "file /f r" "file /f w" "file /f rwmlk" \ "link /a -> /b" "link subset /a -> /b" \ "l /a -> /b" "l subset /a -> /b" \ - "file l /a -> /b" "l subset /a -> /b" + "file l /a -> /b" "l subset /a -> /b" \ + "change_profile -> unconfined" "change_profile -> /**" do verify_binary_equality "allow modifier for \"${rule}\"" \ "/t { ${rule}, }" \
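Review bot: On the line this hunk rewrites, "l subset /a -> /b" repeats the entry already present on the line above it, so the rule list tests the plain subset link twice and never a file-prefixed subset form. Since the line is being touched anyway, consider changing the second entry to "file l subset /a -> /b", if that was the original intent. Separately, the only call visible in the hunk context is the "allow modifier" equality check, so the hunk alone does not show which comparison the two new change_profile rules are expected to fail; naming the failing deny check in the description would make the reproduction easier to follow.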