Make meaning of leading permissions consistent with trailing permissions

x Permissions when specified as a the start of the rule had a differnt
meaning than when they appeared at the tail of a rule.

Specifically px,cx,ux were not treated as unsafe when they appeared at
the start of the rule.
  px /foo,
instead of at the tail of the rule
  /foo px,

the keyword unsafe had to be used to force the rule to cause the x transitio
to be its unsafe variant.

Fix leading permissions so that they are consistent with file rules that
use trailing permissions.

Signed-off-by: John Johansen <john.johansen@canonical.com>

parser/parser_yacc.y

@@ -879,11 +879,12 @@ opt_unsafe: { /* nothing */ $$ = 0; }
 
 rule:   opt_unsafe file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
 	{
-		int mode = $2 & ~ALL_AA_EXEC_UNSAFE;
+		int mode = $2;
 		if ($1) {
 			if (!($2 & AA_EXEC_BITS))
 				yyerror(_("unsafe rule missing exec permissions"));
-			mode |= (($2 & AA_EXEC_BITS) << 8) & ALL_AA_EXEC_UNSAFE;
+			mode = ($2 & ~ALL_AA_EXEC_UNSAFE) |
+				((($2 & AA_EXEC_BITS) << 8) & ALL_AA_EXEC_UNSAFE);
 		}
 
 		if ($3 && ($2 & ~AA_LINK_BITS))

parser/tst/simple_tests/xtrans/simple_bad_x_mods_first_34.sd

@@ -1,16 +0,0 @@
-#
-#=DESCRIPTION test pix - in forward perms P and p are the same and the
-# unsafe keyword is required.  So these should conflict
-#=EXRESULT FAIL
-#
-/usr/bin/foo {
-  /bin/cat pix,
-  /bin/foo Pix,
-  /bin/bar pIx,
-  /bin/a   PIx,
-
-  pix /bin/cat,
-  Pix /bin/foo,
-  pIx /bin/bar,
-  PIx /bin/a,
-}

parser/tst/simple_tests/xtrans/simple_ok_pix_1.sd

@@ -9,7 +9,7 @@
   /bin/a   PIx,
 
   unsafe pix /bin/cat,
-  pix /bin/foo,
+  Pix /bin/foo,
   unsafe pix /bin/bar,
-  pix /bin/a,
+  Pix /bin/a,
 }