libapparmor testsuite: add missing empty test_multi/testcase_syslog_read.err

Fixes make check warning: ERROR: Missing file ./test_multi/testcase_syslog_read.err Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
smbd profile needs capability sys_admin
2025-09-04 16:25:10 +00:00 · 2016-04-15 10:49:05 -07:00 · 2016-04-13 23:22:07 +02:00 · 2016-04-12 16:39:40 -05:00 · 2016-04-07 00:53:53 +02:00 · 2016-03-28 21:43:49 +02:00
236 changed files with 7047 additions and 3456 deletions
--- a/.bzrignore
+++ b/.bzrignore
@@ -45,16 +45,25 @@ libraries/libapparmor/ylwrap
 libraries/libapparmor/doc/Makefile
 libraries/libapparmor/doc/Makefile.in
 libraries/libapparmor/doc/*.2
 libraries/libapparmor/doc/aa_*.3
 libraries/libapparmor/include/Makefile
 libraries/libapparmor/include/sys/Makefile
 libraries/libapparmor/src/.deps
 libraries/libapparmor/src/.libs
 libraries/libapparmor/src/Makefile
 libraries/libapparmor/src/Makefile.in
 libraries/libapparmor/src/af_protos.h
 libraries/libapparmor/src/change_hat.lo
 libraries/libapparmor/src/features.lo
 libraries/libapparmor/src/grammar.lo
 libraries/libapparmor/src/kernel.lo
 libraries/libapparmor/src/kernel_interface.lo
 libraries/libapparmor/src/libaalogparse.lo
 libraries/libapparmor/src/libimmunix_warning.lo
 libraries/libapparmor/src/policy_cache.lo
 libraries/libapparmor/src/private.lo
 libraries/libapparmor/src/scanner.lo
 libraries/libapparmor/src/libapparmor.pc
 libraries/libapparmor/src/libapparmor.la
 libraries/libapparmor/src/libimmunix.la
 libraries/libapparmor/src/grammar.c
@@ -70,12 +79,18 @@ libraries/libapparmor/swig/perl/Makefile
 libraries/libapparmor/swig/perl/Makefile.PL
 libraries/libapparmor/swig/perl/Makefile.in
 libraries/libapparmor/swig/perl/Makefile.perl
 libraries/libapparmor/swig/perl/MYMETA.json
 libraries/libapparmor/swig/perl/MYMETA.yml
 libraries/libapparmor/swig/perl/blib
 libraries/libapparmor/swig/perl/libapparmor_wrap.c
 libraries/libapparmor/swig/perl/pm_to_blib
 libraries/libapparmor/swig/python/__init__.py
 libraries/libapparmor/swig/python/build/
 libraries/libapparmor/swig/python/libapparmor_wrap.c
 libraries/libapparmor/swig/python/Makefile
 libraries/libapparmor/swig/python/Makefile.in
 libraries/libapparmor/swig/python/setup.py
 libraries/libapparmor/swig/python/test/Makefile
 libraries/libapparmor/swig/ruby/Makefile
 libraries/libapparmor/swig/ruby/Makefile.in
 libraries/libapparmor/testsuite/.deps
--- a/2
+++ b/2
@@ -14,7 +14,7 @@ DIRS=parser \
 #REPO_URL?=lp:apparmor
 # --per-file-timestamps is failing over SSH, https://bugs.launchpad.net/bzr/+bug/1257078
-REPO_URL?=https://code.launchpad.net/~apparmor-dev/apparmor/master
+REPO_URL?=https://code.launchpad.net/~apparmor-dev/apparmor/2.9
 # alternate possibilities to export from
 #REPO_URL=.
 #REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"
--- a/20
+++ b/20
@@ -62,14 +62,13 @@ the following order.
 libapparmor:
 $ cd ./libraries/libapparmor
 $ sh ./autogen.sh
-$ sh ./configure --prefix=/usr --with-perl	# see below
+$ sh ./configure --prefix=/usr --with-perl --with-python # see below
 $ make
 $ make check
 $ make install
-[optional arguments to libapparmor's configure include --with-python
+[an additional optional argument to libapparmor's configure is --with-ruby, to
- and --with-ruby, to generate python and ruby bindings to libapparmor,
+generate Ruby bindings to libapparmor.]
 respectively.]
 Utilities:
@@ -148,10 +147,7 @@ $ make check
 Utils
 -----
-There are some simple tests available, including basic perl syntax
+Tests for the Python utilities exist in the test/ subdirectory.
 checks for the perl modules and executables. There are also minimal
 checks on the python utilities and python-based tests in the test/
 subdirectory.
 $ cd utils
 $ make check
@@ -207,13 +203,9 @@ The AppArmor userspace utilities are written with some assumptions about
 installed and available versions of other tools. This is a (possibly
 incomplete) list of known version dependencies:
-AppArmor.pm (used by aa-audit, aa-autodep, aa-complain, aa-disable,
+The Python utilities require a minimum of Python 2.7 or Python 3.3.
 aa-enforce, aa-genprof, aa-logprof, aa-unconfined) requires minimum
 Perl 5.10.1.
-Python scripts require a minimum of Python 2.7. Some utilities as well
+Some utilities (aa-exec, aa-notify and aa-decode) require Perl 5.10.1 or newer.
 as some of the parser test scripts may require Python 3.3. Python 3.0,
 3.1, and 3.2 are largely untested.
 Most shell scripts are written for POSIX-compatible sh. aa-decode expects
 bash, probably version 3.2 and higher.
--- a/changehat/mod_apparmor/apache2-mod_apparmor.spec.in
+++ b/changehat/mod_apparmor/apache2-mod_apparmor.spec.in
@@ -1,215 +0,0 @@
 # ----------------------------------------------------------------------
 #    Copyright (c) 2004, 2005 NOVELL (All rights reserved)
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
 #    License published by the Free Software Foundation.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program; if not, contact Novell, Inc.
 # ----------------------------------------------------------------------
 # norootforbuild
 # Check first to see if distro is already defined.
 # I hate rpm macros
 %if ! %{?distro:1}0
 %if %{?suse_version:1}0
  %define distro suse
 %endif
 %if %{?fedora_version:1}0
  %define distro redhat
 %endif
 %endif
 %if ! %{?distro:1}0
  %define distro suse
 %endif
 # this is required to be underscore
 %define module_name mod_apparmor
 Summary: AppArmor module for apache2.
 Name: apache2-mod_apparmor
 Version: @@immunix_version@@
 Release: @@repo_version@@
 Group: Applications/System
 Source0: %{name}-%{version}-@@repo_version@@.tar.gz
 License: LGPL
 BuildRoot: %{?_tmppath:}%{!?_tmppath:/var/tmp}/%{name}-%{version}-build
 Url: http://forge.novell.com/modules/xfmod/project/?apparmor
 Obsoletes: mod_change_hat mod-change-hat mod-apparmor apache2-mod-apparmor
 Provides: mod_change_hat mod-change-hat mod-apparmor apache2-mod-apparmor
 %if %{distro} == "suse"
 %if 0%{?suse_version} < 1010
 BuildRequires: libimmunix
 %else
 %if 0%{?suse_version} < 1030
 BuildRequires: libapparmor
 %else
 BuildRequires: libapparmor-devel
 %endif
 %endif
 %else
 BuildRequires: libapparmor-devel
 %endif
 %if %{distro} == "suse"
 %define apxs /usr/sbin/apxs2
 %define apache_mmn        %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
 Prereq: apache2-prefork
 Prereq: apparmor-parser
 BuildRequires: apache2-devel
 Requires:     apache2 %{apache_mmn}
 %else
 %if %{distro} == "redhat" || %{distro} == "rhel4"
 %define apxs /usr/sbin/apxs
 Prereq: httpd
 BuildRequires: httpd-devel
 %endif
 %endif
 %define module_path 		%(%{apxs} -q LIBEXECDIR)
 %define apache_sysconfdir	%(%{apxs} -q SYSCONFDIR)
 %description
 apache2-mod_apparmor adds support to apache2 to provide AppArmor confinement
 to individual cgi scripts handled by apache modules like mod_php and
 mod_perl.
 This package is part of a suite of tools that used to be named SubDomain.
 %prep
 %setup -q
 %build
 make APXS=%{apxs}
 %install
 make install DESTDIR=${RPM_BUILD_ROOT} DISTRO=%{distro} MANDIR=%{_mandir}
 %if %{distro} == "suse"
       mkdir -p ${RPM_BUILD_ROOT}%{_libdir}/apache2-prefork/
       ln -s %{module_path}/%{module_name}.so ${RPM_BUILD_ROOT}%{_libdir}/apache2-prefork/%{module_name}.so
 %else 
  %if %{distro} == "redhat" || %{distro} == "rhel4"
  	mkdir -p ${RPM_BUILD_ROOT}/%{apache_sysconfdir}.d/
 	install -m 644 %{module_name}.conf ${RPM_BUILD_ROOT}/%{apache_sysconfdir}.d/
  %endif
 %endif
 %clean 
 [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
 %files
 %defattr(-,root,root)
 %{module_path}
 %if %{distro} == "suse"
   %{_libdir}/apache2-prefork/%{module_name}.so
 %else
  %if %{distro} == "redhat" || %{distro} == "rhel4"
    %{apache_sysconfdir}.d/%{module_name}.conf
  %endif
 %endif
 %doc COPYING.LGPL
 %{_mandir}/man*/*
 %doc *.[0-9].html
 %doc common/apparmor.css
 %post
 %if %{distro} == "suse"
  /usr/sbin/a2enmod apparmor
 %endif
 %preun
 %if %{distro} == "suse"
  if [ $1 = 0 ] ; then
    /usr/sbin/a2dismod apparmor
  fi
 %endif
 %triggerpostun -- mod_change_hat mod-change-hat
 %if %{distro} == "suse"
  /usr/sbin/a2enmod apparmor
 %endif
 %changelog
 * Sun Jul 29 2007 - sbeattie@suse.de
 - Convert builddep on libapparmor to libapparmor-devel
 * Tue Apr  3 2007 - sbeattie@suse.de
 - Add mod_apparmor manpage to package
 * Wed Sep 06 2006 - poeml@suse.de
 - rename to apache2-mod_apparmor
 - use a2enmod instead of frob_sysconfig
 - remove SuSEconfig calls
 * Fri May 26 2006 - schwab@suse.de
 - Don't strip binaries.
 * Wed Apr 12 2006 - Steve Beattie <sbeattie@suse.de>
 - Move to novell forge svn repo; fix build issue with new layout
 * Thu Mar 30 2006 - Seth Arnold <seth.arnold@suse.de> 2.0-7.2
 - Relicense to LGPL
 * Mon Jan 30 2006 - Steve Beattie <sbeattie@suse.de> 2.0-7.1
 - Renamed apache config options:
 	ImmhatName -> AAHatName
 	ImmDefaultHatName -> AADefaultHatName
 * Mon Jan 30 2006 - poeml@suse.de
 - removed libapr-util1-devel from BuildRequires (apache2-devel does
  require it)
 * Fri Jan 27 2006 Steve Beattie <sbeattie@suse.de> 2.0-6.1
 - No more neededforbuild in STABLE
 * Wed Jan 25 2006 Steve Beattie <sbeattie@suse.de> 2.0-6
 - Fix linking against libapparmor.so
 * Sun Jan  8 2006 Steve Beattie <sbeattie@suse.de> 2.0-5
 - More SUSE autobuild fixups.
 * Wed Jan  4 2006 Steve Beattie <sbeattie@suse.de> 2.0-4
 - Fixup SUSE autobuild require on apache-devel-packages
 - Add svn revision to the source tarball
 * Sun Dec 18 2005 Steve Beattie <sbeattie@novell.com> 2.0-3
 - Include symlink in %{_libdir}/apache2-prefork/
 * Thu Dec  8 2005 Steve Beattie <sbeattie@novell.com> 2.0-2
 - Rename to apache2-mod-apparmor for consistency w/SUSE packages
 - Rename module to mod_apparmor.so
 * Wed Dec  7 2005 Steve Beattie <sbeattie@novell.com> 2.0-1
 - Reset version for inclusion in SUSE autobuild
 * Mon Dec  5 2005 Steve Beattie <sbeattie@novell.com> 1.99-9
 - Rename package to mod-apparmor
 * Wed Nov 30 2005 Steve Beattie <sbeattie@novell.com> 1.99-8
 - Minor packaging cleanups
 * Wed Nov 30 2005 Steve Beattie <sbeattie@novell.com> 1.99-7_imnx
 - Convert license to GPL
 * Thu Jun 23 2005 Steve Beattie <sbeattie@novell.com> 1.99-6_imnx
 - Add trigger for mod_change_hat => mod-change-hat upgrades
 - Don't run SuSEconfig on SuSE 9.3 or newer
 * Mon May 23 2005 Steve Beattie <sbeattie@novell.com> 1.99-5_imnx
 - Fix package uninstall on RHEL4.
 * Fri Mar 11 2005 Steve Beattie <steve@immunix.com> 1.99-4_imnx
 - Rename to be consistent with other packages
 * Fri Feb 18 2005 Steve Beattie <steve@immunix.com> 1.99-3_imnx
 - Cleanup some non-64bit clean code, sigh.
 - Fix install locations on 64-bit platform.
 * Fri Feb  4 2005 Seth Arnold <sarnold@immunix.coM> 1.99-1_imnx
 - Reversion to 1.99
 * Fri Nov 12 2004 Steve Beattie <steve@immunix.com> 1.2-2_imnx
 - Add configuration file for redhat build
 * Tue Oct 12 2004 Steve Beattie <steve@immunix.com> 1.2-1_imnx
 - Bump version after shass-1.1 branched off
 * Mon Sep 20 2004 Dominic Reynolds <dominic@immunix.com> 1.0-7_imnx_(redhat|suse)
 - Modified to build separate versions for suse/redhat (EL3).
 - Note:RH version does not currently setup the module configuraiton
 - in apache.
 * Tue Aug 31 2004 Steve Beattie <steve@immunix.com> 1.0-6_imnx
 - Got location and per server config directives working somewhat
  correctly :-)
 - copyright fixups.
 * Fri Aug 20 2004 Steve Beattie <steve@immunix.com> 1.0-5_imnx
 - added support for <Location> hatname </Location>
 * Wed Jul 21 2004 Steve Beattie <steve@immunix.com> 1.0-4_imnx
 - reduced loglevel of some debug messages
 - add change_hat to list of apache modules
 * Tue Jul 20 2004 Steve Beattie <steve@immunix.com> 1.0-2_imnx
 - got module actually working, at least in simple cases.
 * Thu Jul 15 2004 Steve Beattie <steve@immunix.com> 1.0-1_imnx
 - Initial package creation.
--- a/changehat/pam_apparmor/Makefile
+++ b/changehat/pam_apparmor/Makefile
@@ -60,7 +60,7 @@ libapparmor by adding USE_SYSTEM=1 to your make command.${nl}\
  AA_LINK_FLAGS = -L$(LIBAPPARMOR_PATH)
  AA_LDLIBS = -lapparmor
 endif
-EXTRA_CFLAGS=$(CFLAGS) -fPIC -shared -Wall $(LIBAPPARMOR_INCLUDE)
+EXTRA_CFLAGS=$(CFLAGS) $(CPPFLAGS) -fPIC -shared -Wall $(LIBAPPARMOR_INCLUDE)
 LINK_FLAGS=-Xlinker -x $(AA_LINK_FLAGS)
 LIBS=-lpam $(AA_LDLIBS)
 OBJECTS=${NAME}.o get_options.o
--- a/changehat/pam_apparmor/pam_apparmor.c
+++ b/changehat/pam_apparmor/pam_apparmor.c
@@ -111,6 +111,7 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
 					  sizeof(magic_token));
 		if (retval < 0) {
 			pam_syslog(pamh, LOG_ERR, "Can't read from /dev/urandom\n");
 			close(fd);
 			return PAM_PERM_DENIED;
 		}
 	} while ((magic_token == 0) || (retval != sizeof(magic_token)));
--- a/changehat/pam_apparmor/pam_apparmor.spec.in
+++ b/changehat/pam_apparmor/pam_apparmor.spec.in
@@ -1,83 +0,0 @@
 #
 # spec file for package pam_apparmor (Version 2)
 #
 # Copyright (c) 2005 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
 # package are under the same license as the package itself.
 #
 # Please submit bugfixes or comments via http://www.suse.de/feedback/
 #
 # norootforbuild
 Name:         pam_apparmor
 License:      GPL
 Group:        Productivity/Security
 Autoreqprov:  on
 Version:      @@immunix_version@@
 Release:      @@repo_version@@
 Summary:      Pam module to add AppArmor change_hat functionality
 URL:          http://forge.novell.com/modules/xfmod/project/?apparmor
 Source:       pam_apparmor-%{version}-@@repo_version@@.tar.gz
 BuildRoot:    %{_tmppath}/%{name}-%{version}-build
 BuildRequires: pam-devel
 Requires:     pam
 Prereq:       pam
 %if %{?suse_version:1}0
 %if 0%{?suse_version} < 1030
 BuildRequires: libapparmor
 %else
 BuildRequires: libapparmor-devel
 %endif
 %else
 BuildRequires: libapparmor-devel
 %endif
 %description
 The pam_apparmor module provides the means for any pam applications that
 call pam_open_session() to automatically perform an AppArmor change_hat
 operation in order to switch to a user-specific security policy.
 Authors:
 --------
    Jesse Michael jmichael@suse.de
 %prep
 %setup -q
 %build
 make CFLAGS="${RPM_OPT_FLAGS}"
 %install
 [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
 make install DESTDIR=${RPM_BUILD_ROOT} SECDIR=${RPM_BUILD_ROOT}/%{_lib}/security
 %clean
 [ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}
 %files
 %defattr(444,root,root,755)
 %doc README COPYING
 %attr(555,root,root) /%{_lib}/security/pam_apparmor.so
 %changelog -n pam_apparmor
 * Tue Oct 31 2006 Jesse Michael <jmichael@suse.de>
 - Add debug option
 * Tue Oct 31 2006 Steve Beattie <sbeattie@suse.de>
 - Add configuration options to order attempted hat changes
 * Wed Oct 25 2006 Steve Beattie <sbeattie@suse.de>
 - remove auto-editing of pam's common-session
 - honor RPM's CFLAGS when building
 - add license (same as Linux PAM package).
 * Thu Sep 14 2006 Jesse Michael <jmichael@suse.de>
 - header comment was incorrect
 - use pam_get_user() instead of pam_get_item()
 - fix read from urandom if 0
 * Fri Jan 13 2006 Steve Beattie <sbeattie@suse.de>
 - Add svn repo number to tarball
 * Fri Jan 13 2006 Jesse Michael <jmichael@suse.de>
 - Make magic tokens harder to guess by pulling them from /dev/urandom
 * Wed Dec 21 2005 - jmichael@suse.de
 - initial
--- a/changehat/tomcat_apparmor/tomcat_5_0/tomcat_apparmor.spec.in
+++ b/changehat/tomcat_apparmor/tomcat_5_0/tomcat_apparmor.spec.in
@@ -1,85 +0,0 @@
 # ----------------------------------------------------------------------
 #    Copyright (c) 2006 NOVELL (All rights reserved)
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
 #    License published by the Free Software Foundation.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program; if not, contact Novell, Inc.
 # ----------------------------------------------------------------------
 # norootforbuild
 # Check first to see if distro is already defined.
 %if ! %{?distro:1}0
  %define distro suse
 %endif
 %if %{distro} == "suse"
 %define CATALINA_HOME /usr/share/tomcat5
 %endif 
 %define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
 %define JNI_SO libJNIChangeHat.so
 %define JAR_FILE changeHatValve.jar
 Summary: Tomcat 5 plugin for AppArmor change_hat
 Name: tomcat_apparmor
 Version: @@immunix_version@@
 Release: @@repo_version@@
 Group:  System/Libraries
 Source0: %{name}-%{version}-@@repo_version@@.tar.gz
 License: LGPL
 BuildRoot: %{?_tmppath:}%{!?_tmppath:/var/tmp}/%{name}-%{version}-build
 Url: http://developer.novell.com/wiki/index.php/Novell_AppArmor
 Prereq: tomcat5, servletapi5, libapparmor
 BuildRequires: tomcat5, servletapi5 ant, java, libapparmor, java2-devel-packages, apparmor-docs
 Provides: tomcat_apparmor
 %description
 tomcat_apparmor - is a plugin for Apache Tomcat version 5.x that provides
 support for AppArmor change_hat for creating AppArmor containers that are
 bound to discrete elements of processing within the Tomcat servlet 
 container. The AppArmor containers, or "hats", can be created for invidual
 URL processing or per servlet. 
 %prep
 %setup -q 
 %build
 [ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}
 ant -Ddist=${RPM_BUILD_DIR}/%{name}-%{version} -Dtarget=1.4 jar jni_so
 %install
 ant -Ddist=${RPM_BUILD_DIR}/%{name}-%{version} -Dversion=%{version} -Drelease=%{release} -Dcatalina_home=%{CATALINA_HOME} -Dinstall_root=${RPM_BUILD_ROOT} -Dinstall_lib=%{_lib} install_jar install_jni
 mkdir -p ${RPM_BUILD_ROOT}%{APPARMOR_DOC_DIR}
 install ${RPM_BUILD_DIR}/%{name}-%{version}/README.tomcat_apparmor  ${RPM_BUILD_ROOT}%{APPARMOR_DOC_DIR}
 %clean 
 [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
 %files
 %defattr(-,root,root)
 %{CATALINA_HOME}/server/lib/%{JAR_FILE}
 /%{_lib}/lib*
 /%{_libdir}/lib*
 %{APPARMOR_DOC_DIR}/README.tomcat_apparmor
 %post
 ldconfig 
 %postun
 ldconfig 
 %changelog
 * Mon Oct 9 2006 - dreynolds@suse.de 
 - Initial package creation.
--- a/changehat/tomcat_apparmor/tomcat_5_5/tomcat_apparmor.spec.in
+++ b/changehat/tomcat_apparmor/tomcat_5_5/tomcat_apparmor.spec.in
@@ -1,86 +0,0 @@
 # ----------------------------------------------------------------------
 #    Copyright (c) 2006 NOVELL (All rights reserved)
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
 #    License published by the Free Software Foundation.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program; if not, contact Novell, Inc.
 # ----------------------------------------------------------------------
 # norootforbuild
 # Check first to see if distro is already defined.
 %if ! %{?distro:1}0
  %define distro suse
 %endif
 %if %{distro} == "suse"
 %define CATALINA_HOME /usr/share/tomcat55
 %endif 
 %define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
 %define JNI_SO libJNIChangeHat.so
 %define JAR_FILE changeHatValve.jar
 Summary: Tomcat 5 plugin for AppArmor change_hat
 Name: tomcat_apparmor
 Version: @@immunix_version@@
 Release: @@repo_version@@
 Group:  System/Libraries
 Source0: %{name}-%{version}-@@repo_version@@.tar.gz
 License: LGPL
 BuildRoot: %{?_tmppath:}%{!?_tmppath:/var/tmp}/%{name}-%{version}-build
 Url: http://developer.novell.com/wiki/index.php/Novell_AppArmor
 Prereq: tomcat55, servletapi5
 BuildRequires: tomcat55, servletapi5, ant, java, libapparmor-devel, java2-devel-packages, apparmor-docs
 %description
 tomcat_apparmor - is a plugin for Apache Tomcat version 5.x that provides
 support for AppArmor change_hat for creating AppArmor containers that are
 bound to discrete elements of processing within the Tomcat servlet 
 container. The AppArmor containers, or "hats", can be created for invidual
 URL processing or per servlet. 
 %prep
 %setup -q 
 %build
 [ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}
 ant -Dinstall_lib=%{_lib} -Dcatalina_home=%{CATALINA_HOME} -Ddist=${RPM_BUILD_DIR}/%{name}-%{version} -Dtarget=1.4 jar jni_so
 %install
 ant -Ddist=${RPM_BUILD_DIR}/%{name}-%{version} -Dversion=%{version} -Drelease=%{release} -Dcatalina_home=%{CATALINA_HOME} -Dinstall_root=${RPM_BUILD_ROOT} -Dinstall_lib=%{_lib} install_jar install_jni
 mkdir -p ${RPM_BUILD_ROOT}%{APPARMOR_DOC_DIR}
 install ${RPM_BUILD_DIR}/%{name}-%{version}/README.tomcat_apparmor  ${RPM_BUILD_ROOT}%{APPARMOR_DOC_DIR}
 %clean 
 [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
 %files
 %defattr(-,root,root)
 %{CATALINA_HOME}/server/lib/%{JAR_FILE}
 /%{_lib}/lib*
 /%{_libdir}/lib*
 doc %attr(0644,root,root) %{APPARMOR_DOC_DIR}/README.tomcat_apparmor
 %post
 ldconfig 
 %postun
 ldconfig 
 %changelog
 * Mon Jul 20 2007 - sbeattie@suse.de
 - Convert builddep on libapparmor to libapparmor-devel
 * Mon Oct 9 2006 - dreynolds@suse.de 
 - Initial package creation.
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -172,7 +172,7 @@ $(BUILDRPMSUBDIRS):
 .PHONY: _clean
 .SILENT: _clean
 _clean:
-	-rm -f ${NAME}-${VERSION}-*.tar.gz
+	-[ -z "${NAME}" ] || rm -f ${NAME}-${VERSION}-*.tar.gz
 	-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
 # =====================
@@ -198,7 +198,7 @@ list_capabilities: /usr/include/linux/capability.h
 # to mediate. We use PF_ here since that is what is required in
 # bits/socket.h, but we will rewrite these as AF_.
-FILTER_FAMILIES=PF_UNSPEC PF_UNIX
+FILTER_FAMILIES=PF_UNIX
 __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
--- a/common/Version
+++ b/common/Version
@@ -1 +1 @@
-2.8.98
+2.9.3
--- a/documentation/AppArmor
+++ b/documentation/AppArmor
--- a/documentation/AppArmor
+++ b/documentation/AppArmor
--- a/documentation/Techdoc
+++ b/documentation/Techdoc
--- a/libraries/libapparmor/configure.ac
+++ b/libraries/libapparmor/configure.ac
@@ -14,8 +14,19 @@ PKG_PROG_PKG_CONFIG
 AC_PATH_PROG([SWIG], [swig])
-sinclude(m4/ac_pod2man.m4)
+AC_MSG_CHECKING([whether the libapparmor man pages should be generated])
-PROG_POD2MAN
+AC_ARG_ENABLE(man_pages,
 [AS_HELP_STRING([--enable-man-pages], [generate the libapparmor man pages [[default=yes]]])],
 [AC_MSG_RESULT($enableval)],
 [enable_man_pages=yes]
 [AC_MSG_RESULT($enable_man_pages)])
 if test "$enable_man_pages" = "yes"; then
   sinclude(m4/ac_podchecker.m4)
   PROG_PODCHECKER
   sinclude(m4/ac_pod2man.m4)
   PROG_POD2MAN
 fi
 AC_MSG_CHECKING([whether python bindings are enabled])
 AC_ARG_WITH(python,
@@ -32,7 +43,7 @@ fi
 AC_MSG_CHECKING([whether perl bindings are enabled])
 AC_ARG_WITH(perl,
-[ --with-perl           enable the perl wrapper [[default=no]]],
+[  --with-perl             enable the perl wrapper [[default=no]]],
 [AC_MSG_RESULT($withval)], [AC_MSG_RESULT(no)])
 if test "$with_perl" = "yes"; then
   test -z "$SWIG" && AC_MSG_ERROR([swig is required when enabling perl bindings])
@@ -45,7 +56,7 @@ fi
 AC_MSG_CHECKING([whether ruby bindings are enabled])
 AC_ARG_WITH(ruby,
-[ --with-ruby           enable the ruby wrapper [[default=no]]],
+[  --with-ruby             enable the ruby wrapper [[default=no]]],
 [AC_MSG_RESULT($withval)], [AC_MSG_RESULT(no)])
 if test "$with_ruby" = "yes"; then
   test -z "$SWIG" && AC_MSG_ERROR([swig is required when enabling ruby bindings])
@@ -54,6 +65,7 @@ if test "$with_ruby" = "yes"; then
 fi
 AM_CONDITIONAL(ENABLE_MAN_PAGES, test x$enable_man_pages = xyes)
 AM_CONDITIONAL(HAVE_PYTHON, test x$with_python = xyes)
 AM_CONDITIONAL(HAVE_PERL, test x$with_perl = xyes) 
 AM_CONDITIONAL(HAVE_RUBY, test x$with_ruby = xyes)
--- a/libraries/libapparmor/doc/Makefile.am
+++ b/libraries/libapparmor/doc/Makefile.am
@@ -3,8 +3,7 @@
 POD2MAN = pod2man
 PODCHECKER = podchecker
-# No perl, no manpages
+if ENABLE_MAN_PAGES
 if HAVE_PERL
 man_MANS = aa_change_hat.2 aa_change_profile.2 aa_getcon.2 aa_find_mountpoint.2
--- a/libraries/libapparmor/doc/aa_change_profile.pod
+++ b/libraries/libapparmor/doc/aa_change_profile.pod
@@ -40,16 +40,15 @@ An AppArmor profile applies to an executable program; if a portion of
 the program needs different access permissions than other portions,
 the program can "change profile" to a different profile. To change into a
 new profile, it can use the aa_change_profile() function to do so. It passes
-in a pointer to the I<profile> to transition to. Transitioning to another
+in a pointer to the I<profile> to transition to. Confined programs wanting to
-profile via aa_change_profile() is permanent and the process is not
+use aa_change_profile() need to have rules permitting changing to the named
-permitted to transition back to the original profile. Confined programs
+profile. See apparmor.d(8) for details.
 wanting to use aa_change_profile() need to have rules permitting changing
 to the named profile. See apparmor.d(8) for details.
 If a program wants to return out of the current profile to the
-original profile, it should use aa_change_hat(2) instead.
+original profile, it may use aa_change_hat(2). Otherwise, the two profiles must
 have rules permitting changing between the two profiles.
-Open file descriptors are not remediated after a call to aa_change_profile()
+Open file descriptors may not be remediated after a call to aa_change_profile()
 so the calling program must close(2) open file descriptors to ensure they
 are not available after calling aa_change_profile(). As aa_change_profile()
 is typically used just before execve(2), you may want to use open(2) or
@@ -84,8 +83,8 @@ Insufficient kernel memory was available.
 =item B<EPERM>
-The calling application is not confined by apparmor, or the no_new_privs
+The calling application is confined by apparmor and the no_new_privs bit is
-bit is set.
+set.
 =item B<EACCES>
--- a/libraries/libapparmor/libapparmor1.spec
+++ b/libraries/libapparmor/libapparmor1.spec
@@ -1,178 +0,0 @@
 #
 # spec file for package libapparmor
 #
 # norootforbuild
 %define _unpackaged_files_terminate_build 0
 Name:		libapparmor1
 Version:	2.5
 Release:	3.20070916
 License:	LGPL
 Group:		Development/Libraries/C and C++
 BuildRoot:	%{_tmppath}/%{name}-%{version}-build
 Source0:        %{name}-%{version}.tar.bz2
 BuildRequires:	swig gcc perl
 Provides:	libapparmor
 Provides:	libimmunix
 Obsoletes:	libapparmor
 Obsoletes:	libimmunix
 Summary: A utility library for AppArmor
 %define aalibversion 1.0.2
 %description
 -
 %package -n libapparmor-devel
 Requires:	%{name} = %{version}-%{release}
 Group:		Development/Libraries/C and C++
 Provides:	libapparmor:/usr/include/sys/apparmor.h
 Summary:	-
 %description -n libapparmor-devel
 -
 %post -n libapparmor-devel
 /sbin/ldconfig
 %postun -n libapparmor-devel
 /sbin/ldconfig
 %package -n perl-libapparmor
 Requires:	%{name} = %{version}
 Requires:	perl = %{perl_version}
 Group:		Development/Libraries/Perl
 Summary:	-
 %description -n perl-libapparmor
 -
 %prep
 %setup -q
 %build
 ./configure --prefix=%{_prefix} --libdir=%{_libdir} --with-perl
 make CFLAGS="${RPM_OPT_FLAGS}"
 %install
 make install DESTDIR="$RPM_BUILD_ROOT"
 mkdir ${RPM_BUILD_ROOT}/%{_lib}
 # this is really hacky
 rm ${RPM_BUILD_ROOT}/%{_libdir}/libapparmor.so
 rm ${RPM_BUILD_ROOT}/%{_libdir}/libimmunix.so
 cp ${RPM_BUILD_ROOT}/%{_libdir}/libapparmor.so.%{aalibversion} ${RPM_BUILD_ROOT}/%{_lib}
 cp ${RPM_BUILD_ROOT}/%{_libdir}/libimmunix.so.%{aalibversion} ${RPM_BUILD_ROOT}/%{_lib}
 ln -s /%{_lib}/libapparmor.so.%{aalibversion} ${RPM_BUILD_ROOT}/%{_libdir}/libapparmor.so
 find $RPM_BUILD_ROOT -name .packlist -exec rm -f {} \;
 find $RPM_BUILD_ROOT -name perllocal.pod -exec rm -f {} \;
 # create symlink for old change_hat(2) manpage
 ln -s aa_change_hat.2 ${RPM_BUILD_ROOT}/%{_mandir}/man2/change_hat.2
 %clean
 rm -rf "$RPM_BUILD_ROOT"
 %post
 /sbin/ldconfig
 %postun
 /sbin/ldconfig
 %files
 %defattr(-,root,root)
 /%{_lib}/libapparmor.so.*
 /%{_lib}/libimmunix.so.*
 %files -n libapparmor-devel
 %defattr(-,root,root)
 %{_libdir}/libapparmor.so
 %{_libdir}/libapparmor.la
 %{_libdir}/libapparmor.a
 %{_libdir}/libimmunix.la
 %{_libdir}/libimmunix.a
 %doc %{_mandir}/man*/*
 %dir %{_includedir}/aalogparse
 %{_includedir}/sys/apparmor.h
 %{_includedir}/aalogparse/*
 %files -n perl-libapparmor
 %defattr(-,root,root)
 %dir %{perl_vendorarch}/auto/LibAppArmor
 %{perl_vendorarch}/auto/LibAppArmor/*
 %{perl_vendorarch}/LibAppArmor.pm
 %changelog
 * Sun Sep 16 2007 - sbeattie@suse.de
 - aalogparse: add support for type=15xx audit field
 - aalogparse: add support for audit messages thru syslog
 - aalogparse: reduce noise to stdout on syntax errors
 - aalogparse: add support for more missing message types
 - aalogparse: parse messages w/safe (hex) string encodings
 * Fri Aug 17 2007 - sbeattie@suse.de
 - Fix broken symlink for old change_hat(2) manpage
 * Wed Aug 15 2007 - sbeattie@suse.de
 - fix braindead symbol versioning issue with old version name
 - re-enable CFLAGS=RPM_OPT_FLAGS for build
 - convert change_hat(2) to aa_change_hat(2)
 - use 64bit magic token
 - add aa_change_profile(2) interface
 * Sat Jul 28 2007 - mbarringer@suse.de
 - Merged in libaalogparse to the library/package
 * Tue Apr  7 2007 - sbeattie@suse.de
 - Add change_hat manpage to package
 * Thu Jan 18 2007 - sbeattie@suse.de
 - Add a clean stage to remove buildroot to specfile
 * Fri Feb 17 2006 Seth Arnold <seth.arnold@suse.de> 2.0-4.1
 - use gettid() instead of /proc/self
 * Fri Feb 10 2006 Steve Beattie <sbeattie@suse.de> 2.0-3.2
 - Use RPM_OPT_FLAGS
 - Fix installed library version to match specfile version
 * Wed Feb  1 2006 Steve Beattie <sbeattie@suse.de> 2.0-3.1
 - Fix prototype to match change_hat(2) manpage
 * Mon Jan 23 2006 Steve Beattie <sbeattie@suse.de> 2.0-3
 - Rename to libapparmor.so and apparmor.h
 * Thu Jan  5 2006 Steve Beattie <sbeattie@suse.de> 2.0-2
 - Add svn repo number to tarball
 * Wed Dec  7 2005 Steve Beattie <sbeattie@suse.de> 2.0-1
 - Reset version for inclusion is SUSE autobuild
 * Wed Dec  7 2005 Steve Beattie <sbeattie@suse.de> 1.99-8
 - Disable 32bit builds on 64bit platforms for now
 * Mon Dec  5 2005 Steve Beattie <sbeattie@suse.de> 1.99-7
 - Rename package to libapparmor
 * Wed Aug 10 2005 Steve Beattie <sbeattie@suse.de> 1.99-6_imnx
 - Cleanup some of the deprecated exported symbols
 * Thu Aug  4 2005 John Johansen <jjohansen@novell.com> 1.99-5_imnx
 - and -m31 flag for s390
 * Mon Jul 11 2005 Steve Beattie <sbeattie@novell.com> 1.99-4_imnx
 - get rid of libimmunix_post_upgrade
 - Re-license to LGPL
 - update description
 * Fri May 27 2005 Steve Beattie <steve@immunix.com> 1.99-3_imnx
 - Clear token buffer before freeing.
 - Error handling cleanup.
 * Fri Feb 18 2005 Steve Beattie <steve@immunix.com> 1.99-2_imnx
 - Use the right command for the 32bit env on 64bit platforms
 - Support for 64bit builds on systems with combined 32/64 support
 * Fri Feb  4 2005 Seth Arnold <sarnold@immunix.com> 1.99-1_imnx
 - Reversion to 1.99
 * Mon Nov  8 2004 Steve Beattie <steve@immunix.com> 1.2-3_imnx
 - Finish conversion to slack-capable infrastructure.
 * Thu Oct 28 2004 Steve Beattie <steve@immunix.com> 1.2-2_imnx
 - Added a 'make install' target for prelim slack support
 * Tue Oct 12 2004 Steve Beattie <steve@immunix.com> 1.2-1_imnx
 - Bump version after shass-1.1 branched off
 * Thu Sep 23 2004 Steve Beattie <steve@immunix.com> 1.0-13_imnx
 - Vastly simplify the string handling in change_hat().
 * Thu Sep  9 2004 Steve Beattie <steve@immunix.com> 1.0-12_imnx
 - Conditionalize group the package shows up in.
 * Thu Sep  9 2004 Steve Beattie <steve@immunix.com> 1.0-11_imnx
 - Fix so change_hat functions correctly even when the token is zero.
 * Thu Sep  2 2004 Steve Beattie <steve@immunix.com> 1.0-10_imnx
 - Added that it provides %{_prefix}/sbin/libimmunix_post_upgrade, this
  was somehow breaking yast.
 * Mon Aug 30 2004 Steve Beattie <steve@immunix.com> 1.0-9_imnx
 - Copyright cleanups.
 * Wed Jul 21 2004 Steve Beattie <steve@immunix.com> 1.0-8_imnx
 - add basis for conditional distro support
 * Thu May  28 2004 Tony Jones <tony@immunix.com> 1.0-7_imnx
 - Add "changehat" command word to start of string written to /proc/pid/attr
--- a/libraries/libapparmor/m4/ac_pod2man.m4
+++ b/libraries/libapparmor/m4/ac_pod2man.m4
@@ -5,12 +5,7 @@ AC_DEFUN([PROG_POD2MAN],[
 The pod2man program was not found in the default path.  pod2man is part of
 Perl, which can be retrieved from:
-    http://www.perl.com/
+    https://www.perl.org
 The latest version at this time is 5.6.1; it is available packaged as the
 following archive:
    http://www.perl.com/CPAN/src/stable.tar.gz
 ])
   fi
 ])
--- a/libraries/libapparmor/m4/ac_podchecker.m4
+++ b/libraries/libapparmor/m4/ac_podchecker.m4
@@ -0,0 +1,11 @@
 AC_DEFUN([PROG_PODCHECKER],[
   AC_CHECK_PROG(PODCHECKER,podchecker,podchecker,no)
   if test "$PODCHECKER" = "no"; then
      AC_MSG_ERROR([
 The podchecker program was not found in the default path.  podchecker is part of
 Perl, which can be retrieved from:
    https://www.perl.org
 ])
   fi
 ])
--- a/libraries/libapparmor/src/Makefile.am
+++ b/libraries/libapparmor/src/Makefile.am
@@ -26,9 +26,9 @@ INCLUDES = $(all_includes)
 # For more information, see:
 # http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 #
-AA_LIB_CURRENT = 2
+AA_LIB_CURRENT = 3
-AA_LIB_REVISION = 0
+AA_LIB_REVISION = 1
-AA_LIB_AGE = 1
+AA_LIB_AGE = 2
 SUFFIXES = .pc.in .pc
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@@ -210,6 +210,8 @@ syslog_type:
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
 	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); free($4); }
 	| syslog_date TOK_ID TOK_SYSLOG_KERNEL TOK_AUDIT TOK_COLON key_type audit_id key_list
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
 	| syslog_date TOK_ID TOK_SYSLOG_USER key_list
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
 	;
--- a/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.err
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.err
--- a/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.in
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.in
@@ -0,0 +1 @@
 Dec  7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.397:82): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
--- a/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.out
+++ b/libraries/libapparmor/testsuite/test_multi/syslog_audit_02.out
@@ -0,0 +1,15 @@
 START
 File: syslog_audit_02.in
 Event type: AA_RECORD_ALLOWED
 Audit ID: 1417954745.397:82
 Operation: open
 Mask: r
 Denied Mask: r
 fsuid: 1000
 ouid: 0
 Profile: /home/simi/bin/aa-test
 Name: /usr/bin/
 Command: ls
 PID: 3231
 Epoch: 1417954745
 Audit subid: 82
--- a/libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.err
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.err
--- a/libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.in
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.in
@@ -0,0 +1 @@
 type=AVC msg=audit(1449442292.901:961): apparmor="ALLOWED" operation="change_hat" profile="/usr/sbin/httpd{,2}-prefork" pid=8527 comm="httpd-prefork" target="/usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT"
--- a/libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.out
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_changehat_01.out
@@ -0,0 +1,11 @@
 START
 File: testcase_changehat_01.in
 Event type: AA_RECORD_ALLOWED
 Audit ID: 1449442292.901:961
 Operation: change_hat
 Profile: /usr/sbin/httpd{,2}-prefork
 Command: httpd-prefork
 Name2: /usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT
 PID: 8527
 Epoch: 1449442292
 Audit subid: 961
--- a/libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.err
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.err
--- a/libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.in
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.in
@@ -0,0 +1 @@
 Jul 25 15:02:00 redacted kernel: [  296.524447] audit: type=1400 audit(1437850920.403:64): apparmor="ALLOWED" operation="open" profile="/usr/sbin/vsftpd" name="/home/bane/foo" pid=1811 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
--- a/libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.out
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.out
@@ -0,0 +1,15 @@
 START
 File: testcase_syslog_read.in
 Event type: AA_RECORD_ALLOWED
 Audit ID: 1437850920.403:64
 Operation: open
 Mask: r
 Denied Mask: r
 fsuid: 1000
 ouid: 1000
 Profile: /usr/sbin/vsftpd
 Name: /home/bane/foo
 Command: vsftpd
 PID: 1811
 Epoch: 1437850920
 Audit subid: 64
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -56,7 +56,7 @@ CFLAGS = -g -pg -fprofile-arcs -ftest-coverage
 endif
 endif #CFLAGS
-EXTRA_CXXFLAGS = ${CFLAGS} ${CXX_WARNINGS} -std=gnu++0x -D_GNU_SOURCE
+EXTRA_CXXFLAGS = ${CFLAGS} ${CPPFLAGS} ${CXX_WARNINGS} -std=gnu++0x -D_GNU_SOURCE
 EXTRA_CFLAGS = ${EXTRA_CXXFLAGS} ${CPP_WARNINGS}
 #LEXLIB	:= -lfl
@@ -216,7 +216,7 @@ parser_include.o: parser_include.c parser.h parser_include.h
 parser_merge.o: parser_merge.c parser.h profile.h
 	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
-parser_regex.o: parser_regex.c parser.h profile.h libapparmor_re/apparmor_re.h $(APPARMOR_H)
+parser_regex.o: parser_regex.c parser.h profile.h libapparmor_re/apparmor_re.h libapparmor_re/aare_rules.h $(APPARMOR_H)
 	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 parser_symtab.o: parser_symtab.c parser.h
@@ -373,6 +373,7 @@ clean: _clean
 	$(MAKE) -s -C $(AAREDIR) clean
 	$(MAKE) -s -C po clean
 	$(MAKE) -s -C tst clean
 	rm -f common
 .SILENT: dist_clean
 dist_clean:
--- a/parser/af_rule.cc
+++ b/parser/af_rule.cc
@@ -148,11 +148,14 @@ ostream &af_rule::dump_peer(ostream &os)
 ostream &af_rule::dump(ostream &os)
 {
-	os << dump_prefix(os);
+	dump_prefix(os);
 	os << af_name;
-	os << dump_local(os);
+	dump_local(os);
-	if (has_peer_conds())
+	if (has_peer_conds()) {
-		os << " peer=(" << dump_peer(os) << ")";
+		os << " peer=(";
 		dump_peer(os);
 		os  << ")";
 	}
 	os << ",\n";
 	return os;
--- a/parser/apparmor-parser.spec.in
+++ b/parser/apparmor-parser.spec.in
@@ -1,508 +0,0 @@
 # ----------------------------------------------------------------------
 #    Copyright (c) 2004, 2005, 2006 NOVELL (All rights reserved)
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
 #    License published by the Free Software Foundation.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 #    GNU General Public License for more details.
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program; if not, contact Novell, Inc.
 # ----------------------------------------------------------------------
 # norootforbuild
 # Check first to see if distro is already defined.
 # I hate rpm macros
 %if ! %{?distro:1}0
 %if %{?suse_version:1}0
  %define distro suse
 %endif
 %if %{?fedora_version:1}0
  %define distro redhat
 %endif
 %endif
 %if ! %{?distro:1}0
  %define distro suse
 %endif
 Summary: AppArmor userlevel parser utility.
 Name: apparmor-parser
 Version: @@immunix_version@@
 Release: @@repo_version@@
 Group: Applications/System
 Source0: %{name}-%{version}-@@repo_version@@.tar.gz
 License: GPL
 BuildRoot: %{?_tmppath:}%{!?_tmppath:/var/tmp}/%{name}-%{version}-build
 Url: http://forge.novell.com/modules/xfmod/project/?apparmor
 Prereq: sed
 %if %{distro} == "suse"
 Prereq: %{insserv_prereq} aaa_base
 %endif
 BuildRequires: gcc-c++
 Obsoletes: subdomain_parser subdomain-parser
 Obsoletes: subdomain-parser-demo subdomain-parser-common subdomain-leaf-cert
 Obsoletes: libimnxcert
 Provides: subdomain_parser subdomain-parser
 Provides: subdomain-parser-demo subdomain-parser-common subdomain-leaf-cert
 Provides: libimnxcert
 %define apparmor_bin_prefix /lib/apparmor
 BuildRequires: bison flex latex2html w3m
 %if 0%{?suse_version} > 1020
 BuildRequires: texlive-latex
 %else
 BuildRequires: te_latex
 %endif
 %package -n apparmor-docs
 Summary: AppArmor documentation package
 Group: Applications/System
 Provides: subdomain-docs
 Obsoletes: subdomain-docs
 %description
 AppArmor Parser is a userlevel program that is used to load in program
 profiles to the AppArmor Security kernel module.
 This package is part of a suite of tools that used to be named SubDomain.
 %description -n apparmor-docs
 This package contains documentation for AppArmor.
 %prep
 %setup -q
 %build
 make clean all CFLAGS="${RPM_OPT_FLAGS}"
 make techdoc.txt
 %install
 make install DESTDIR=${RPM_BUILD_ROOT} \
 	     MANDIR=%{_mandir} \
 	     DISTRO=%{distro} \
 	     APPARMOR_BIN_PREFIX=${RPM_BUILD_ROOT}%{apparmor_bin_prefix}
 %clean
 [ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf $RPM_BUILD_ROOT
 %files
 %defattr(-,root,root)
 %doc README COPYING.GPL
 /sbin/apparmor_parser
 %dir %attr(-, root, root) /etc/apparmor
 %if %{distro} == "suse"
  /sbin/rcsubdomain
  /sbin/rcapparmor
  /etc/init.d/boot.apparmor
  /sbin/rcaaeventd
  /etc/init.d/aaeventd
 %else
  /etc/init.d/apparmor
  /etc/init.d/aaeventd
 %endif
 %config(noreplace) /etc/apparmor/subdomain.conf
 %config(noreplace) /etc/apparmor/parser.conf
 /var/lib/apparmor
 %dir %attr(-, root, root) %{apparmor_bin_prefix}
 %{apparmor_bin_prefix}/rc.apparmor.functions
 %{_prefix}/share/locale/*/*/apparmor-parser.mo
 %doc %{_mandir}/man*/*
 %files -n apparmor-docs
 %defattr(-,root,root)
 %doc *.[1-9].html
 %doc common/apparmor.css
 %doc techdoc.pdf techdoc/techdoc.html techdoc/techdoc.css techdoc.txt
 %pre
 %if %{distro} == "redhat" || %{distro} == "rhel4"
 if [ -f /etc/init.d/subdomain ] ; then
  chkconfig --del subdomain
 fi
 %endif
 %post
 %if %{distro} == "suse"
  # SUSE uses insserv
  # For package renaming from subdomain -> apparmor
  # we check the existence of the AppArmor 1.1 and 
  # AppArmor 1.2 based init script to help determine 
  # whether  we are upgrading
  SUBDOMAIN_PARSER_INSTALLED="no"
  if test -e /etc/init.d/boot.subdomain -o -e /etc/init.d/subdomain; then
    SUBDOMAIN_PARSER_INSTALLED="yes"
  fi
  if  test "$1" == 1  -a $SUBDOMAIN_PARSER_INSTALLED = "no"; then
    %{insserv_force_if_yast boot.apparmor}
  elif test -e /etc/rc.d/boot.d/S??boot.subdomain  -o \
            -e /etc/rc.d/boot.d/S??boot.apparmor  -o \
            -e /etc/rc.d/rc3.d/S??subdomain ; then
    %{insserv_force_if_yast boot.apparmor}
  else
    %{fillup_and_insserv -f boot.apparmor}
  fi
 %endif
 %if %{distro} == "redhat" || %{distro} == "rhel4"
  chkconfig --add apparmor
 %endif
 %if %{distro} == "slackware"
  if grep -qs "# BEGIN rc.subdomain INSERTION" /etc/rc.d/rc.M ; then true ; else
    %{apparmor_bin_prefix}/install/frob_slack_rc --init
  fi
  if grep -qs "# BEGIN rc.subdomain INSERTION" /etc/rc.d/rc.K ; then true ; else
    %{apparmor_bin_prefix}/install/frob_slack_rc --shutdown
  fi
 %endif
 %preun
 if [ "$1" = 0 ] ; then
 %if %{distro} == "suse"
  %{stop_on_removal aaeventd}
  %{stop_on_removal boot.apparmor}
 %endif
 %if %{distro} == "redhat" || %{distro} == "rhel4"
  chkconfig --del aaeventd
  chkconfig --del apparmor
 %endif
 fi
 %postun
 %if %{distro} == "suse"
  %{insserv_cleanup}
 %endif
 %changelog
 * Thu Jan 24 2008 - jjohansen@suse.de
 - Fix parser to be able to load policy for multiple versions of AppArmor.
 * Wed Oct 17 2007 - dominic_r@mercenarylinux.com
 - Maintenance branch for AppArmor 2.1
 * Mon Oct  1 2007 - steve@nxnw.org
 - Basic change_profile testcases, basic network rules testcases, testcases
 - around carat symbols and commas in file rules, and basic permission
 - modes first testcases from jjohansen@suse.de.
 * Mon Oct  1 2007 - steve@nxnw.org
 - lock mode bit tests from jjohansen@suse.de
 - Also, make 'check' toplevel target be an alias for 'tests'
 * Mon Oct  1 2007 - steve@nxnw.org
 - Append testcases from jjohansen@suse.de.
 * Fri Aug 31 2007 - sbeattie@suse.de
 - run initscript once on boot (suse only, #286749)
 * Fri Aug 17 2007 - sbeattie@suse.de
 - disable aaeventd before uninstall [#301418]
 * Fri Jul 27 2007 - sbeattie@suse.de
 - Allow inverted character classes in unquoted pathnames
 - Fix return code propogation in initscripts
 - Add change_profile support
 - Add basic network mediation
 - Add mediation modes for append-only and locks
 - Allow reverse ordered file permission rules
 * Sat Apr 21 2007 - aj@suse.de
 - Use texlive for building.
 * Fri Apr 13 2007 - sbeattie@suse.de
 - Resurrect apparmor-docs as subpackage of apparmor-parser
 - Add text version of techdoc
 * Wed Apr 11 2007 - sbeattie@suse.de
 - Include techdoc in package
 * Wed Apr  4 2007 - sbeattie@suse.de
 - rcapparmor: fix dpkg ignore check
 - rcapparmor: support apparmor built into kernel
 - rcapparmor: kill old cruft
 * Tue Apr  3 2007 - sbeattie@suse.de
 - Add manpages to package
 * Thu Mar 29 2007 - coolo@suse.de
 - BuildRequire flex and bison
 * Tue Mar 27 2007 - sbeattie@suse.de
 - Removed a couple of bashisms from initscripts
 * Fri Mar 23 2007 - sbeattie@suse.de
 - Added dfa matching code
 - add build dep on c++ compiler
 * Thu Jan 18 2007 - sbeattie@suse.de
 - Remove long obsolete editing of fstab
 * Tue Dec 12 2006 - sbeattie@suse.de
 - Fix from PLD people to make initscript more likely to work in other shells
 * Mon Nov 20 2006 - sbeattie@suse.de
 - use fclose();opendir() instead of fdopendir()
 - more translation updates
 - add defines for audit caps to compensate for older kernel headers
 * Fri Nov 10 2006 - sbeattie@suse.de
 - fix rc.aaeventd to depend on apparmor, not boot.apparmor (#214293)
 * Wed Nov  8 2006 - sbeattie@suse.de
 - Use kernel's capability defines rather than libcap
 * Wed Nov  8 2006 - ddrewelow@suse.de
 - pull translation updates from lcn
 * Wed Nov  8 2006 - jjohansen@suse.de
 - Add audit_write and audit_control capabilities (#218961)
 * Mon Nov  6 2006 - sbeattie@suse.de
 - /lib/lsb/init-functions provides killproc(), use it instead.
 * Sat Oct 28 2006 - olh@suse.de
 - boot.apparmor should start after boot.localfs (#215156)
 * Thu Oct 12 2006 - sbeattie@suse.de
 - get rid of /subdomain (#160020)
 * Tue Oct 10 2006 - sbeattie@suse.de
 - add support for #include'ing directories
 - updated i18n messages/other fixes
 * Fri Jul 28 2006 - olh@suse.de
 - make boot.localfs optional in boot.apparmor (#181972)
 * Mon Jun 05 2006 - sbeattie@suse.de
 - Add support for 'm' flag (mmap w/PROT_EXEC permission) (#175388)
 - Add Px and Ux flags to indicate to ld.so that sensitive environemnt
  variables should be filtered on exec() (#172061) The m, Px, and Ux
  flags are added in such a way that apparmor modules without
  corresponding support will just ignore them.
 - Fix segv if profiles directory does not exist (#160330)
 - Fix aaeventd initscript description (#172961)
 - Add check to verify module supports pcre
 - Add regression tests and run on every build
 - Other minor fixups
 * Fri May 26 2006 - schwab@suse.de
 - Don't strip binaries.
 * Thu Apr 27 2006 Steve beattie <sbeattie@suse.de>
 - Fix segv if profile dirs don't exist (#160330)
 * Tue Apr 11 2006 Steve Beattie <sbeattie@suse.de>
 - Move svn tree to novell forge; fixup build for new layout
 * Sat Apr 1 2006 Dominic Reynolds <dreynolds@suse.de> 2.0-7.5
 - Fix upgrade problems (#156990)
 * Wed Mar 15 2006 Steve Beattie <sbeattie@suse.de> 2.0-7.4
 - Obsoleted libimnxcert (#157450)
 * Fri Feb 10 2006 Steve Beattie <sbeattie@suse.de> 2.0-7.3
 - Filter multiple slashes and trailing slashes in pathnames
 - Use RPM_OPT_FLAGS
 - A few s/SubDomain/AppArmor/ fixups in error messages
 * Sun Feb  5 2006 Steve Beattie <sbeattie@suse.de> 2.0-7
 - Fix one last issue in initscript handling of whitespace (#141288)
 - Add libcap-devel dependency for newer SUSE distros
 - Fix shutting down aa-eventd
 - Add option to enable/disable aa-eventd
 - Disable owlsm warning if module doesn't support it
 * Fri Jan 27 2006 Steve Beattie <sbeattie@suse.de> 2.0-6
 - s/none/securityfs/ in the initscript
 - add support for if {} else if {}
 - rename initscript to rc.apparmor
 - support /etc/apparmor.d
 - add buildrequires on libcap-devel
 * Wed Jan 25 2006 Dominic Reynolds <dreynolds@suse.de> 2.0-5.1
 - Updated rc.subdomain.functions to reference newly named event daemon aa-eventd
 * Sun Jan 22 2006 Steve Beattie <sbeattie@suse.de> 2.0-5
 - convert to fillupand_insserv macro, reenable apparmor by default
 - add prereq on aaa_base
 - remove initscript dependency on boot.ldconfig
 - Don't edit fstab on newer suse releases
 - Add build dependency on libcap-devel
 * Tue Jan 10 2006 Steve Beattie <sbeattie@suse.de> 2.0-4
 - Add support for giving a filename on the parser command line
 - Some refactoring of code in prep for variable support.
 - Add svn repo to tarball
 - Rename service provided by initscript to apparmor
 - Initial set variable support
 - Restructure global policy list
 - Fix leaks found by valgrind
 - Restructure hats within profiles, detect duplicate hats
 - Add basic conditional statement support
 - Fix debug mode to not attempt to load policy
 - Fix initscript to handle profiles with spaces in their name #141288
 * Wed Dec 14 2005 Steve Beattie <sbeattie@suse.de> 2.0-3
 - Remove old-style change_hat definition support
 * Thu Dec  8 2005 Steve Beattie <sbeattie@suse.de> 2.0-2
 - Fix references to old package name in .po files
 * Wed Dec  7 2005 Steve Beattie <sbeattie@suse.de> 2.0-1
 - Reset version for inclusion in SUSE autobuild.
 * Wed Dec  7 2005 Steve Beattie <sbeattie@suse.de> 1.99-42
 - Fix initscript to work with securityfs
 * Wed Nov 30 2005 Steve Beattie <sbeattie@suse.de> 1.99-41
 - Rename package to apparmor-parser
 * Wed Nov 30 2005 Steve Beattie <sbeattie@suse.de> 1.99-40_imnx
 - Strip AALite.
 * Wed Nov 30 2005 Steve Beattie <sbeattie@suse.de> 1.99-39_imnx
 - Convert license to GPL
 * Tue Nov 29 2005 Steve Beattie <sbeattie@suse.de> 1.99-38_imnx
 - Make initscript use subdomain_status if available
 - Fixed up one last #include return code case
 - Stricter lexing on flags and hatnames
 - Fix -I to be additive, rather than reset include paths
 - Switch to lookup table for keywords in lexer
 - Remove deprecated code and interfaces
 - Fixup alignment warnings on ia64
 - bzero pcre structure before compiling regex fix
 - kill parser_sysctl.c, merged into parser_interface.c
 - Add some additional compiler warnings, if available
 - Clean up getopt_long handling
 - Add support for securityfs, --subdomainfs option
 * Thu Nov  3 2005 Steve Beattie <sbeattie@suse.de> 1.99-37_imnx
 - Fix up small signed/unsigned issue.
 * Mon Oct 31 2005 Steve Beattie <sbeattie@suse.de> 1.99-36_imnx
 - Fix for potential pcre problem: CAN-2005-2491 #106209
 * Thu Oct 27 2005 Steve Beattie <sbeattie@suse.de> 1.99-35_imnx
 - Fixed include handling to return an error code #129291
 * Wed Oct 26 2005 Steve Beattie <sbeattie@suse.de> 1.99-34_imnx
 - Merge fixes over from shass-1.2 branch:
  - make sd-event-dispatch.pl be under rcsubdomain control.
  - add reload, force-reload, and try-restart options to initscript
  - jj's fix for include handling
 * Wed Oct 19 2005 Steve Beattie <sbeattie@suse.de> 1.99-33_imnx
 - Fix up dumb termination error on getopt_long arg.
 * Tue Sep  6 2005 Seth Arnold <seth.arnold@suse.de> 1.99-32_imnx
 - move the abstractions/ and program-chunks/ to the profiles package
 * Fri Sep  2 2005 Steve Beattie <sbeattie@suse.de>
 - don't link full version against libimnxcert
 * Thu Sep  1 2005 Steve Beattie <sbeattie@suse.de> 1.99-26_imnx
 - Accept dos style line-endings.
 * Mon Aug 29 2005 Steve Beattie <sbeattie@suse.de> 1.99-25_imnx
 - Move subdomain to boot.subdomain to ensure earlier startup
 * Mon Aug 29 2005 Steve Beattie <sbeattie@suse.de> 1.99-24_imnx
 - add 'status' to initscript usage statement
 * Fri Aug 26 2005 Steve Beattie <sbeattie@suse.de> 1.99-23_imnx
 - Added common dependency on the subdomain-profiles package.
 * Wed Aug 24 2005 Steve Beattie <sbeattie@suse.de> 1.99-22_imnx
 - more merge from 1.2:
  - cleanup last of intl code changes
  - actually install rootcert.pem
  - Makefile cleanup
 * Wed Aug 24 2005 Steve Beattie <sbeattie@suse.de> 1.99-21_imnx
 - Merge from 1.2:
  - Allow debugging of profiles as non-root. 
  - Other locale cleanup.
  - use %{_prefix}
  - Use PERROR in more locations. 
  - Use a common po/Make.rules
  - Add beginnings of i18n support to the parser.
 * Tue Aug 23 2005 Steve Beattie <sbeattie@suse.de> 1.99-20_imnx
 - Fixup the rest of the libexec locations
 - Merge fixup from dreynolds:
  - Changed the bin_exec path to /usr/lib/subdomain from /usr/libexec/subdomain
 * Tue Aug 23 2005 Steve Beattie <sbeattie@suse.de> 1.99-19_imnx
 - switch to alternatives based selection between full and demo version
 * Wed Aug 10 2005 Steve Beattie <sbeattie@suse.de> 1.99-18_imnx
 - strip installed binaries
 * Tue Aug  9 2005 Steve Beattie <sbeattie@suse.de> 1.99-17_imnx
 - Fixup some message handling in the initscripts
 - Make demo package depend on meta-package subdomain-cert
 - keep buildcache quiet when reading from a pipe
 * Mon Aug 8 2005 Tony Jones <tonyj@suse.de> 1.99-16_imnx
 - Fix for bug#3105 aalite parser occasionally segfaults (free/zero cached cert)
 - Free certtree/cachelist (cache) when parser quits
 * Fri Jul 22 2005 Steve Beattie <sbeattie@novell.com> 1.99-16_imnx
 - Split out parser-demo and parser-common packages
 * Tue Jul 12 2005 Steve Beattie <sbeattie@novell.com> 1.99-15_imnx
 - First cut at /etc/init.d/subdomain status
 * Mon Jul 11 2005 Steve Beattie <sbeattie@novell.com> 1.99-14_imnx
 - Better error messages on stop when non-root.
 * Mon Jul 11 2005 Steve Beattie <sbeattie@novell.com> 1.99-13_imnx
 - More liberal parsing of /etc/fstab
 * Wed Jul  6 2005 Steve Beattie <sbeattie@novell.com> 1.99-12_imnx
 - Fixes from tonyj:
  - allow parser to bypass the cache
  - change buildcache to pass strict option to libimnxcert
 * Thu Jun 23 2005 Steve Beattie <sbeattie@novell.com> 1.99-11_imnx
 - Add trigger for upgrading from subdomain_parser to subdomain-parser
 * Wed Jun 22 2005 Steve Beattie <sbeattie@novell.com> 1.99-10_imnx
 - Add /etc/apparmor/certs/
 * Thu Jun 16 2005 Steve Beattie <sbeattie@novell.com> 1.99-9_imnx
 - Merge in the certificate handling code.
 - Merge in buildcache.
 * Fri May 20 2005 Steve Beattie <steve@immunix.com> 1.99-8_imnx
 - /etc/immunix -> /etc/apparmor
 * Mon Mar 29 2005 Steve Beattie <steve@immunix.com> 1.99-7_imnx
 - Don't statically link the parser.
 * Fri Mar 11 2005 Steve Beattie <steve@immunix.com> 1.99-6_imnx
 - Rename package to make it more consistent with the other packages.
 * Tue Mar  8 2005 Steve Beattie <steve@immunix.com> 1.99-5_imnx
 - Mark subdomain.conf as a config file. Sigh.
 - Move subdomain.conf to /etc/immunix, and fix initscripts to deal.
 * Sun Feb 20 2005 Seth Arnold <sarnold@immunix.com> 1.99-4_imnx
 - internal cleanups
 * Fri Feb 11 2005 Steve Beattie <steve@immunix.com> 1.99-3_imnx
 - Duh, reconfigure owlsm on restart as well, plus include updates
 * Mon Feb  7 2005 Steve Beattie <steve@immunix.com> 1.99-2_imnx
 - Add ability to configure owlsm in /etc/subdomain.conf
 * Fri Feb  4 2005 Seth Arnold <sarnold@immunix.coM> 1.99-1_imnx
 - Reversion to 1.99
 * Tue Jan 11 2005 Seth Arnold <sarnold@immunix.com> 1.2-16_imnx
 - Add some 64-bit paths to profiles
 * Wed Nov 17 2004 Steve Beattie <steve@immunix.com> 1.2-15_imnx
 - Sigh, rpm 4.0.3 doesn't support nest if's > 2 deep.
 - Fixups so package builds on RHEL3
 - eliminate dupe abstraction/chunks.
 * Mon Nov 15 2004 Seth Arnold <sarnold@immunix.com> 1.2-14_imnx
 - remove generic inherit executable support in apache's DEFAULT_URI
 * Fri Nov 12 2004 Steve Beattie <steve@immunix.com> 1.2-13_imnx
 - Fix to rc.subdomain.functions (bug #2776)
 * Fri Nov 12 2004 Seth Arnold <sarnold@immunix,com> 1.2-12_imnx
 - gratuitious version bump to add changelog entry to apologize for the
  missing changelog entry two days earlier -- postfix profile fixes
 * Thu Nov 10 2004 Steve Beattie <steve@immunix.com> 1.2-11_imnx
 - Use make install to install the abstractions and chunks.
 * Wed Nov 10 2004 Steve Beattie <steve@immunix.com> 1.2-10_imnx
 - Refactored the initscripts
 * Tue Nov  9 2004 Steve Beattie <steve@immunix.com> 1.2-9_imnx
 - More slack stuff.
 * Sun Nov  7 2004 Steve Beattie <steve@immunix.com> 1.2-8_imnx
 - Initial infrastructure support for slack.
 * Fri Nov  5 2004 Seth Arnold <sarnold@immunix.com> 1.2-7_imnx
 - procmail and postfix additions
 * Fri Oct 29 2004 Seth Arnold <sarnold@immunix.com> 1.2-6_imnx
 - postfix proxymap
 * Tue Oct 26 2004 Seth Arnold <sarnold@immunix.com> 1.2-5_imnx
 - typo fix in initscrpit
 * Tue Oct 26 2004 Seth Arnold <sarnold@immunix.com> 1.2-3_imnx
 - new netdomain rules for squid, open all outgoing for ftp, add another
  specific rule for another web port.
 * Tue Oct 19 2004 Seth Arnold <sarnold@immunix.com> 1.2-3_imnx
 - setgid,setuid ngroups_max for postfix-bounce, private/bounce for qmgr
 * Wed Oct 13 2004 Seth Arnold <sarnold@immunix.com> 1.2-2_imnx
 - remove program-chunks/apache-subprofiles
 * Tue Oct 12 2004 Steve Beattie <steve@immunix.com> 1.2-1_imnx
 - Bump rev after shass-1.1 branch
 * Tue Oct  5 2004 Seth Arnold <sarnold@immunix.com> 1.0-47_imnx
 - restructure directories
 * Tue Sep 28 2004 John Johansen <johansen@immunix.com> 1.0-46_imnx
 - fix incompatability between new hats and old interface
 * Mon Sep 27 2004 John Johansen <johansen@immunix.com> 1.0-45_imnx
 - add quoted rules
 * Wed Sep 22 2004 John Johansen <johansen@immunix.com> 1.0-44_imnx
 - fix buffer resizing bug
 - reduce amount of redundancy in passed data
 - split pcre regex, tail globs, and basic file rules to enable future
  kernel optimization
 * Fri Sep 17 2004 John Johansen <johansen@immunix.com> 1.0-43_imnx
 - add back in the ioctl interface for conditional compiles against the
  F5 branch
 * Wed Sep 15 2004 John Johansen <johansen@immunix.com> 1.0-42_imnx
 - remove the 2.6 ioctl module interface
 * Wed Sep  1 2004 John Johansen <johansen@immunix.com> 1.0-41_imnx
 - Add the ability to nest hats inside a profile
 * Mon Aug 30 2004 Steve Beattie <steve@immunix.com> 1.0-40_imnx
 - Clean up copyright statements.
 * Mon Aug 23 2004 Steve Beattie <steve@immunix.com> 1.0-33_imnx
 - Fixed License: tag, stopped including obsolete license.
 * Fri Jul 23 2004 Steve Beattie <steve@immunix.com> 1.0-26_imnx
 - Small fix to portable API interface.
 * Wed Jul 21 2004 Steve Beattie <steve@immunix.com> 1.0-25_imnx
 - resurrect Red Hat style initscript
 * Wed Jul 21 2004 Steve Beattie <steve@immunix.com> 1.0-23_imnx
 - use distro specific init scripts
 * Wed Jul 21 2004 Steve Beattie <steve@immunix.com> 1.0-22.16_imnx
 - first attempt to make rpm portable to both SuSE and Red Hat
 * Tue Jul 20 2004 Steve Beattie <steve@immunix.com> 1.0-22.15_imnx
 - Merge in JJ's 64-bit clean interface
 * Wed Jun 23 2004 Seth Arnold <sarnold@immunix.com> 1.0-22.13_imnx
 - apache manual
 * Tue Jun 22 2004 Seth Arnold <sarnold@immunix.com> 1.0-22.12_imnx
 - modified user-custom/squid
 * Sat Jun 12 2004 John Johansen <johansen@immunix.com> 1.0-22.7_imnx
 - fix segfault in parser
 - change rc.subdomain restart to compare loaded profiles to profiles
  in /etc/subdomain.d and remove the profiles that are loaded that
  are not in /etc/subdomain.d
 * Fri Jun 11 2004 John Johansen <johansen@immunix.com> 1.0-22.7_imnx
 - update parser to get subdomain filesystem mnt point from /etc/fstab
 - add build-panic option to init script
 * Fri Jun 11 2004 John Johansen <johansen@immunix.com> 1.0-22.6_imnx
 - move subdomain fs from /dev/subdomain to /subdomain
 * Thu Jun 10 2004 David Drewelow <davidd@immunix.com> 1.0-22.4_imnx
 - Changed dependency from subdomain-module to subdomain-master 
 * Fri May  7 2004 John Johansen <johansen@immunix.com> 1.0-22.3_imnx
 - -C flag to force individual profiles to have into complain mode
 - turn off warning about having a bare x
 - profile abstraction updates
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -61,7 +61,7 @@ B<SUBPROFILE> = [ I<COMMENT> ... ] ( I<PROGRAMHAT> | 'profile ' I<PROGRAMCHILD>
 B<CAPABILITY> = (lowercase capability name without 'CAP_' prefix; see
 capabilities(7))
-B<NETWORK RULE> = 'network' [ [ I<DOMAIN> ] [ I<TYPE> ] [ I<PROTOCOL> ] ] ','
+B<NETWORK RULE> = 'network' [ [ I<DOMAIN> [ I<TYPE> | I<PROTOCOL> ] ] | [ I<PROTOCOL> ] ] ','
 B<DOMAIN> = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' ) ','
@@ -93,7 +93,7 @@ B<MOUNT FLAGS EXPRESSION> = ( I<MOUNT FLAGS LIST> | I<MOUNT EXPRESSION> )
 B<MOUNT FLAGS LIST> = Comma separated list of I<MOUNT FLAGS>.
-B<MOUNT FLAGS> = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'nodirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'move' | 'rec' | 'verbose' | 'silent' | 'load' | 'acl' | 'noacl' | 'unbindable' | 'private' | 'slave' | 'shared' | 'relative' | 'norelative' | 'iversion' | 'noiversion' | 'strictatime' | 'nouser' | 'user' )
+B<MOUNT FLAGS> = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' | 'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' | 'unbindable' | 'runbindable' | 'private' | 'rprivate' | 'slave' | 'rslave' | 'shared' | 'rshared' | 'relatime' | 'norelatime' | 'iversion' | 'noiversion' | 'strictatime' | 'nouser' | 'user' )
 B<MOUNT EXPRESSION> = ( I<ALPHANUMERIC> | I<AARE> ) ...
@@ -121,7 +121,7 @@ B<SIGNAL SET> = 'set' '=' '(' I<SIGNAL LIST> ')'
 B<SIGNAL LIST> = Comma or space separated list of I<SIGNALS>
-B<SIGNALS> = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' | 'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' | 'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' | 'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' | 'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' | 'sys' | 'emt' | 'exists' )
+B<SIGNALS> = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' | 'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' | 'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' | 'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' | 'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' | 'sys' | 'emt' | 'exists' | 'rtmin+0' ... 'rtmin+32' )
 B<SIGNAL PEER> = 'peer' '=' I<AARE>
@@ -770,6 +770,9 @@ Example AppArmor signal rules:
    # Allow us to signal ourselves using the built-in @{profile_name} variable
    signal peer=@{profile_name},
    # Allow two real-time signals
    signal set=(rtmin+0 rtmin+32),
 =head2 DBus rules
 AppArmor supports DBus mediation. The mediation is performed in conjunction
@@ -972,8 +975,10 @@ provided AppArmor policy:
  @{HOMEDIRS}
  @{multiarch}
  @{pid}
  @{pids}
  @{PROC}
  @{securityfs}
  @{apparmorfs}
  @{sys}
  @{tid}
  @{XDG_DESKTOP_DIR}
@@ -1192,10 +1197,6 @@ files, and the X socket.
 =back
 The abstractions stored in F</etc/apparmor.d/program-chunks/> are
 intended for use by specific program suites, and are not generally
 useful.
 Some of the abstractions rely on variables that are set in files in the
 F</etc/apparmor.d/tunables/> directory. These variables are currently
 B<@{HOME}> and B<@{HOMEDIRS}>. Variables cannot be set in profile scope;
--- a/parser/apparmor_parser.pod
+++ b/parser/apparmor_parser.pod
@@ -28,7 +28,7 @@ apparmor_parser - loads AppArmor profiles into the kernel
 =head1 SYNOPSIS
-B<apparmor_parser [options] E<lt>commandE<gt> [profile]...>
+B<apparmor_parser [options] E<lt>commandE<gt> [profiles]...>
 B<apparmor_parser [options] E<lt>commandE<gt>>
@@ -41,9 +41,16 @@ policy, including loading new apparmor.d(5) profiles into the Linux kernel.
 AppArmor profiles restrict the operations available to processes.
-The profiles are loaded into the Linux kernel by the B<apparmor_parser>
+The B<profiles> are loaded into the Linux kernel by the B<apparmor_parser>
-program, which by default takes its input from standard input. The input
+program. The B<profiles> may be specified by file name or a directory
-supplied to B<apparmor_parser> should be in the format described in
+name containing a set of profiles. If a directory is specified then the
 B<apparmor_parser> will try to do a profile load for each file in the
 directory that is not a dot file, or explicitly black listed (*.dpkg-new,
 *.dpkg-old, *.dpkg-dist, *-dpkg-bak, *.repnew, *.rpmsave, *orig, *.rej,
 *~). The B<apparmor_parser> will fall back to taking input from standard
 input if a profile or directory is not supplied.
 The input supplied to B<apparmor_parser> should be in the format described in
 apparmor.d(5).
 =head1 COMMANDS
--- a/parser/dbus.cc
+++ b/parser/dbus.cc
@@ -149,7 +149,7 @@ ostream &dbus_rule::dump(ostream &os)
 	if (interface)
 		os << " interface=\"" << interface << "\"";
 	if (member)
-		os << " member=\"" << member << os << "\"";
+		os << " member=\"" << member << "\"";
 	if (!(mode & AA_DBUS_BIND) && (peer_label || name)) {
 		os << " peer=( ";
--- a/parser/lib.c
+++ b/parser/lib.c
@@ -62,9 +62,9 @@
 int dirat_for_each(DIR *dir, const char *name, void *data,
 		   int (* cb)(DIR *, const char *, struct stat *, void *))
 {
-	struct dirent *dirent = NULL, *ent;
+	struct dirent *dirent = NULL;
 	DIR *d = NULL;
-	int error = 0;
+	int error;
 	if (!cb || (!dir && !name)) {
 		errno = EINVAL;
@@ -102,11 +102,19 @@ int dirat_for_each(DIR *dir, const char *name, void *data,
 		d = dir;
 	}
-	for (error = readdir_r(d, dirent, &ent);
+	for (;;) {
-	     error == 0 && ent != NULL;
+		struct dirent *ent;
 	     error = readdir_r(d, dirent, &ent)) {
 		struct stat my_stat;
 		error = readdir_r(d, dirent, &ent);
 		if (error) {
 			PDEBUG("readdir_r failed");
 			errno = error; /* readdir_r directly returns an errno */
 			goto fail;
 		} else if (!ent) {
 			break;
 		}
 		if (strcmp(ent->d_name, ".") == 0 ||
 		    strcmp(ent->d_name, "..") == 0)
 			continue;
@@ -126,7 +134,7 @@ int dirat_for_each(DIR *dir, const char *name, void *data,
 		closedir(d);
 	free(dirent);
-	return error;
+	return 0;
 fail:
 	error = errno;
--- a/parser/libapparmor_re/hfa.cc
+++ b/parser/libapparmor_re/hfa.cc
@@ -1335,19 +1335,16 @@ int accept_perms(NodeSet *state, perms_t &perms)
 	}
 	perms.allow |= exact_match_allow & ~(ALL_AA_EXEC_TYPE);
-
+	perms.audit |= exact_audit & ~(ALL_AA_EXEC_TYPE);
-	if (exact_match_allow & AA_USER_EXEC_TYPE) {
+	
 	if (exact_match_allow & AA_USER_EXEC) {
 		perms.allow = (exact_match_allow & AA_USER_EXEC_TYPE) |
 			(perms.allow & ~AA_USER_EXEC_TYPE);
 		perms.audit = (exact_audit & AA_USER_EXEC_TYPE) |
 			(perms.audit & ~AA_USER_EXEC_TYPE);
 		perms.exact = AA_USER_EXEC_TYPE;
 	}
-	if (exact_match_allow & AA_OTHER_EXEC_TYPE) {
+	if (exact_match_allow & AA_OTHER_EXEC) {
 		perms.allow = (exact_match_allow & AA_OTHER_EXEC_TYPE) |
 			(perms.allow & ~AA_OTHER_EXEC_TYPE);
 		perms.audit = (exact_audit & AA_OTHER_EXEC_TYPE) |
 			(perms.audit & ~AA_OTHER_EXEC_TYPE);
 		perms.exact |= AA_OTHER_EXEC_TYPE;
 	}
 	if (AA_USER_EXEC & perms.deny)
--- a/parser/mount.cc
+++ b/parser/mount.cc
@@ -259,16 +259,24 @@ static struct mnt_keyword_table mnt_opts_table[] = {
 	{"R",			MS_RBIND, 0},
 	{"verbose",		MS_VERBOSE, 0},
 	{"silent",		MS_SILENT, 0},
-	{"load",		0, MS_SILENT},
+	{"loud",		0, MS_SILENT},
 	{"acl",			MS_ACL, 0},
 	{"noacl",		0, MS_ACL},
 	{"unbindable",		MS_UNBINDABLE, 0},
 	{"make-unbindable",	MS_UNBINDABLE, 0},
 	{"runbindable",		MS_RUNBINDABLE, 0},
 	{"make-runbindable",	MS_RUNBINDABLE, 0},
 	{"private",		MS_PRIVATE, 0},
 	{"make-private",	MS_PRIVATE, 0},
 	{"rprivate",		MS_RPRIVATE, 0},
 	{"make-rprivate",	MS_RPRIVATE, 0},
 	{"slave",		MS_SLAVE, 0},
 	{"make-slave",		MS_SLAVE, 0},
 	{"rslave",		MS_RSLAVE, 0},
 	{"make-rslave",		MS_RSLAVE, 0},
 	{"shared",		MS_SHARED, 0},
 	{"make-shared",		MS_SHARED, 0},
 	{"rshared",		MS_RSHARED, 0},
 	{"make-rshared",	MS_RSHARED, 0},
 	{"relatime",		MS_RELATIME, 0},
@@ -435,6 +443,10 @@ mnt_rule::mnt_rule(struct cond_entry *src_conds, char *device_p,
 		PERROR("  unsupported mount conditions\n");
 		exit(1);
 	}
 	if (opts) {
 		PERROR("  unsupported mount options\n");
 		exit(1);
 	}
 }
 ostream &mnt_rule::dump(ostream &os)
@@ -822,7 +834,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 	return RULE_OK;
 fail:
-	PERROR("Enocoding of mount rule failed\n");
+	PERROR("Encoding of mount rule failed\n");
 	return RULE_ERROR;
 }
--- a/parser/mount.h
+++ b/parser/mount.h
@@ -64,19 +64,23 @@
 #define MS_NOUSER	(1 << 31)
 #define MS_USER		0
-#define MS_ALL_FLAGS	(MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC | \
+/* Only use MS_REC when defining these macros. Please use the macros from here
-			 MS_SYNC | MS_REMOUNT | MS_MAND | MS_DIRSYNC | \
+ * on and don't make assumptions about the presence of MS_REC. */
 			 MS_NOATIME | MS_NODIRATIME | MS_BIND | MS_MOVE | \
 			 MS_REC | MS_VERBOSE | MS_ACL | MS_UNBINDABLE | \
 			 MS_PRIVATE | MS_SLAVE | MS_SHARED | MS_RELATIME | \
 			 MS_IVERSION | MS_STRICTATIME | MS_USER)
 #define MS_RBIND	(MS_BIND | MS_REC)
 #define MS_RUNBINDABLE	(MS_UNBINDABLE | MS_REC)
 #define MS_RPRIVATE	(MS_PRIVATE | MS_REC)
 #define MS_RSLAVE	(MS_SLAVE | MS_REC)
 #define MS_RSHARED	(MS_SHARED | MS_REC)
 #define MS_ALL_FLAGS	(MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC | \
 			 MS_SYNC | MS_REMOUNT | MS_MAND | MS_DIRSYNC | \
 			 MS_NOATIME | MS_NODIRATIME | MS_BIND | MS_RBIND | \
 			 MS_MOVE | MS_VERBOSE | MS_ACL | \
 			 MS_UNBINDABLE | MS_RUNBINDABLE | \
 			 MS_PRIVATE | MS_RPRIVATE | \
 			 MS_SLAVE | MS_RSLAVE | MS_SHARED | MS_RSHARED | \
 			 MS_RELATIME | MS_IVERSION | MS_STRICTATIME | MS_USER)
 /* set of flags we don't use but define (but not with the kernel values)
 *  for MNT_FLAGS
 */
@@ -89,13 +93,16 @@
 			 MS_BORN | MS_NOATIME | MS_NODIRATIME | MS_RELATIME| \
 			 MS_KERNMOUNT | MS_STRICTATIME)
-#define MS_BIND_FLAGS (MS_BIND | MS_REC)
+#define MS_BIND_FLAGS (MS_BIND | MS_RBIND)
-#define MS_MAKE_FLAGS ((MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED | \
+#define MS_MAKE_FLAGS ((MS_UNBINDABLE | MS_RUNBINDABLE | \
-			MS_REC) | (MS_ALL_FLAGS & ~(MNT_FLAGS)))
+			MS_PRIVATE | MS_RPRIVATE | \
 			MS_SLAVE | MS_RSLAVE | MS_SHARED | MS_RSHARED) | \
 		       (MS_ALL_FLAGS & ~(MNT_FLAGS)))
 #define MS_MOVE_FLAGS (MS_MOVE)
-#define MS_CMDS (MS_MOVE | MS_REMOUNT | MS_BIND | MS_PRIVATE | MS_SLAVE | \
+#define MS_CMDS (MS_MOVE | MS_REMOUNT | MS_BIND | MS_RBIND | \
-		 MS_SHARED | MS_UNBINDABLE)
+		 MS_UNBINDABLE | MS_RUNBINDABLE | MS_PRIVATE | MS_RPRIVATE | \
 		 MS_SLAVE | MS_RSLAVE | MS_SHARED | MS_RSHARED)
 #define MS_REMOUNT_FLAGS (MS_ALL_FLAGS & ~(MS_CMDS & ~MS_REMOUNT))
 #define MNT_SRC_OPT 1
--- a/parser/network.c
+++ b/parser/network.c
@@ -164,7 +164,7 @@ static size_t kernel_af_max(void) {
 		return net_af_max_override;
 	fd = open(PROC_VERSION, O_RDONLY);
-	if (!fd)
+	if (fd == -1)
 		/* fall back to default provided during build */
 		return 0;
 	res = read(fd, &buffer, sizeof(buffer) - 1);
@@ -321,31 +321,19 @@ struct aa_network_entry *network_entry(const char *family, const char *type,
 #define ALL_TYPES 0x43e
 /* another case of C++ not supporting non-trivial designated initializers */
 #undef AA_GEN_NET_ENT
 #define AA_GEN_NET_ENT(name, AF) name, /* [AF] = name, */
 static const char *network_families[] = {
 #include "af_names.h"
 };
 int net_find_af_val(const char *af)
 {
 	int i;
 	for (i = 0; network_families[i]; i++) {
 		if (strcmp(network_families[i], af) == 0)
 			return i;
 	}
 	return -1;
 }
 const char *net_find_af_name(unsigned int af)
 {
 	size_t i;
 	if (af < 0 || af > get_af_max())
 		return NULL;
-	return network_families[af];
+	for (i = 0; i < sizeof(network_mappings) / sizeof(*network_mappings); i++) {
 		if (network_mappings[i].family == af)
 			return network_mappings[i].family_name;
 	}
 	return NULL;
 }
 void __debug_network(unsigned int *array, const char *name)
@@ -375,7 +363,7 @@ void __debug_network(unsigned int *array, const char *name)
 	for (i = 0; i < af_max; i++) {
 		if (array[i]) {
-			const char *fam = network_families[i];
+			const char *fam = net_find_af_name(i);
 			if (fam)
 				printf("%s ", fam);
 			else
--- a/parser/network.h
+++ b/parser/network.h
@@ -125,7 +125,6 @@ struct network {
 int net_find_type_val(const char *type);
 const char *net_find_type_name(int type);
 int net_find_af_val(const char *af);
 const char *net_find_af_name(unsigned int af);
 const struct network_tuple *net_find_mapping(const struct network_tuple *map,
 					     const char *family,
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -172,7 +172,7 @@ extern int preprocess_only;
 #ifdef DEBUG
-#define PDEBUG(fmt, args...) printf("parser: " fmt, ## args)
+#define PDEBUG(fmt, args...) fprintf(stderr, "parser: " fmt, ## args)
 #else
 #define PDEBUG(fmt, args...)	/* Do nothing */
 #endif
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -597,7 +597,8 @@ int __sd_serialize_profile(int option, Profile *prof)
 		}
 	}
-	close(fd);
+	if (fd != -1)
 		close(fd);
 	if (!prof->hat_table.empty() && option != OPTION_REMOVE) {
 		if (load_flattened_hats(prof, option) == 0)
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -38,6 +38,8 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/apparmor.h>
 #include <sys/time.h>
 #include <utime.h>
 #include "lib.h"
 #include "parser.h"
@@ -587,7 +589,9 @@ static int features_dir_cb(DIR *dir, const char *name, struct stat *st,
 	if (S_ISREG(st->st_mode)) {
 		int len, file;
 		int remaining = fst->size - (fst->pos - *fst->buffer);
-		if (!(file = openat(dirfd(dir), name, O_RDONLY))) {
+
 		file = openat(dirfd(dir), name, O_RDONLY);
 		if (file == -1) {
 			PDEBUG("Could not open '%s'", name);
 			return -1;
 		}
@@ -871,17 +875,18 @@ static bool valid_cached_file_version(const char *cachename)
 	return true;
 }
-/* returns true if time is more recent than mru_tstamp */
+#define tstamp_cmp(a, b)					\
-#define mru_t_cmp(a) \
+  (((a).tv_sec == (b).tv_sec) ?					\
-(((a).tv_sec == (mru_tstamp).tv_sec) ? \
+   ((a).tv_nsec - (b).tv_nsec) :				\
-  (a).tv_nsec > (mru_tstamp).tv_nsec : (a).tv_sec > (mru_tstamp).tv_sec)
+   ((a).tv_sec - (b).tv_sec))
 #define tstamp_is_null(a) ((a).tv_sec == 0 && (a).tv_nsec == 0)
 void update_mru_tstamp(FILE *file)
 {
 	struct stat stat_file;
 	if (fstat(fileno(file), &stat_file))
 		return;
-	if (mru_t_cmp(stat_file.st_mtim))
+	if (tstamp_cmp(stat_file.st_mtim, mru_tstamp) > 0)
 		mru_tstamp = stat_file.st_mtim;
 }
@@ -967,7 +972,8 @@ int process_profile(int option, const char *profilename)
 		/* Load a binary cache if it exists and is newest */
 		if (!skip_read_cache &&
 		    stat(cachename, &stat_bin) == 0 &&
-		    stat_bin.st_size > 0 && (mru_t_cmp(stat_bin.st_mtim)) &&
+		    stat_bin.st_size > 0 &&
 		    (tstamp_cmp(mru_tstamp, stat_bin.st_mtim) < 0) &&
 		    valid_cached_file_version(cachename)) {
 			if (show_cache)
 				PERROR("Cache hit: %s\n", cachename);
@@ -1035,6 +1041,12 @@ out:
 		}
 		if (useable_cache) {
 			struct timeval t;
 			/* set the mtime of the cache file to the most newest
 			 * mtime of policy files used to generate it
 			 */
 			TIMESPEC_TO_TIMEVAL(&t, &mru_tstamp);
 			utimes(cachetemp, &t);
 			if (rename(cachetemp, cachename) < 0) {
 				pwarn("Warning failed to write cache: %s\n", cachename);
 				unlink(cachetemp);
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -43,7 +43,7 @@
 /* #define DEBUG */
 #ifdef DEBUG
 #undef PDEBUG
-#define PDEBUG(fmt, args...) printf("Lexer: " fmt, ## args)
+#define PDEBUG(fmt, args...) fprintf(stderr, "Lexer: " fmt, ## args)
 #else
 #undef PDEBUG
 #define PDEBUG(fmt, args...)	/* Do nothing */
@@ -534,7 +534,7 @@ static int parse_X_sub_mode(const char *X, const char *str_mode, int *result, in
 	int mode = 0;
 	const char *p;
-	PDEBUG("Parsing X mode: %s\n", X, str_mode);
+	PDEBUG("Parsing %s mode: %s\n", X, str_mode);
 	if (!str_mode)
 		return 0;
@@ -759,7 +759,7 @@ static const char *capnames[] = {
 	"audit_write",
 	"audit_control",
 	"setfcap",
-	"mac_override"
+	"mac_override",
 	"syslog",
 };
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -34,8 +34,10 @@
 /* #define DEBUG */
 #ifdef DEBUG
-#define PDEBUG(fmt, args...) printf("Lexer: " fmt, ## args)
+#undef PDEBUG
 #define PDEBUG(fmt, args...) fprintf(stderr, "Lexer: " fmt, ## args)
 #else
 #undef PDEBUG
 #define PDEBUG(fmt, args...)	/* Do nothing */
 #endif
 #define NPDEBUG(fmt, args...)	/* Do nothing */
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -491,9 +491,14 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 	 * out by a deny rule, as both pieces of the link pair must
 	 * match.  audit info for the link is carried on the second
 	 * entry of the pair
 	 *
 	 * So if a deny rule only record it if there are permissions other
 	 * than link in the entry.
 	 * TODO: split link and change_profile entries earlier
 	 */
-	if (entry->deny && (entry->mode & AA_LINK_BITS)) {
+	if (entry->deny) {
-		if (!dfarules->add_rule(tbuf.c_str(), entry->deny,
+		if ((entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE)) &&
 		    !dfarules->add_rule(tbuf.c_str(), entry->deny,
 					entry->mode & ~AA_LINK_BITS,
 					entry->audit & ~AA_LINK_BITS, dfaflags))
 			return FALSE;
--- a/parser/po/en_GB.po
+++ b/parser/po/en_GB.po
@@ -8,14 +8,14 @@ msgstr ""
 "Project-Id-Version: apparmor-parser\n"
 "Report-Msgid-Bugs-To: <apparmor@lists.ubuntu.com>\n"
 "POT-Creation-Date: 2014-09-13 00:11-0700\n"
-"PO-Revision-Date: 2013-11-15 22:02+0000\n"
+"PO-Revision-Date: 2014-10-22 19:10+0000\n"
 "Last-Translator: Andi Chandler <Unknown>\n"
 "Language-Team: English (United Kingdom) <en_GB@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2014-09-14 05:58+0000\n"
+"X-Launchpad-Export-Date: 2014-10-23 05:37+0000\n"
-"X-Generator: Launchpad (build 17196)\n"
+"X-Generator: Launchpad (build 17203)\n"
 "Language: en_GB\n"
 #: ../parser_include.c:113 ../parser_include.c:111
@@ -62,185 +62,185 @@ msgstr "Profile does not match signature\n"
 #: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
 msgid "Profile version not supported by Apparmor module\n"
-msgstr ""
+msgstr "Profile version not supported by Apparmor module\n"
 #: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
 msgid "Profile already exists\n"
-msgstr ""
+msgstr "Profile already exists\n"
 #: ../parser_interface.c:93 ../parser_interface.c:96 ../parser_interface.c:73
 msgid "Profile doesn't exist\n"
-msgstr ""
+msgstr "Profile doesn't exist\n"
 #: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
 msgid "Permission denied; attempted to load a profile while confined?\n"
-msgstr ""
+msgstr "Permission denied; attempted to load a profile while confined?\n"
 #: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
 #, c-format
 msgid "Unknown error (%d): %s\n"
-msgstr ""
+msgstr "Unknown error (%d): %s\n"
 #: ../parser_interface.c:116 ../parser_interface.c:119
 #: ../parser_interface.c:96
 #, c-format
 msgid "%s: Unable to add \"%s\".  "
-msgstr ""
+msgstr "%s: Unable to add \"%s\".  "
 #: ../parser_interface.c:121 ../parser_interface.c:124
 #: ../parser_interface.c:101
 #, c-format
 msgid "%s: Unable to replace \"%s\".  "
-msgstr ""
+msgstr "%s: Unable to replace \"%s\".  "
 #: ../parser_interface.c:126 ../parser_interface.c:129
 #: ../parser_interface.c:106
 #, c-format
 msgid "%s: Unable to remove \"%s\".  "
-msgstr ""
+msgstr "%s: Unable to remove \"%s\".  "
 #: ../parser_interface.c:131 ../parser_interface.c:134
 #: ../parser_interface.c:111
 #, c-format
 msgid "%s: Unable to write to stdout\n"
-msgstr ""
+msgstr "%s: Unable to write to stdout\n"
 #: ../parser_interface.c:135 ../parser_interface.c:138
 #: ../parser_interface.c:115
 #, c-format
 msgid "%s: Unable to write to output file\n"
-msgstr ""
+msgstr "%s: Unable to write to output file\n"
 #: ../parser_interface.c:138 ../parser_interface.c:162
 #: ../parser_interface.c:141 ../parser_interface.c:165
 #: ../parser_interface.c:118 ../parser_interface.c:142
 #, c-format
 msgid "%s: ASSERT: Invalid option: %d\n"
-msgstr ""
+msgstr "%s: ASSERT: Invalid option: %d\n"
 #: ../parser_interface.c:147 ../parser_interface.c:150
 #: ../parser_interface.c:127
 #, c-format
 msgid "Addition succeeded for \"%s\".\n"
-msgstr ""
+msgstr "Addition succeeded for \"%s\".\n"
 #: ../parser_interface.c:151 ../parser_interface.c:154
 #: ../parser_interface.c:131
 #, c-format
 msgid "Replacement succeeded for \"%s\".\n"
-msgstr ""
+msgstr "Replacement succeeded for \"%s\".\n"
 #: ../parser_interface.c:155 ../parser_interface.c:158
 #: ../parser_interface.c:135
 #, c-format
 msgid "Removal succeeded for \"%s\".\n"
-msgstr ""
+msgstr "Removal succeeded for \"%s\".\n"
 #: ../parser_interface.c:251 ../parser_interface.c:254
 #, c-format
 msgid "PANIC bad increment buffer %p pos %p ext %p size %d res %p\n"
-msgstr ""
+msgstr "PANIC bad increment buffer %p pos %p ext %p size %d res %p\n"
 #: ../parser_interface.c:656 ../parser_interface.c:658
 #: ../parser_interface.c:446
 #, c-format
 msgid "profile %s network rules not enforced\n"
-msgstr ""
+msgstr "profile %s network rules not enforced\n"
 #: ../parser_interface.c:666
 msgid "Unknown pattern type\n"
-msgstr ""
+msgstr "Unknown pattern type\n"
 #: ../parser_interface.c:750 ../parser_interface.c:902
 #: ../parser_interface.c:743 ../parser_interface.c:894
 #: ../parser_interface.c:518 ../parser_interface.c:669
 #, c-format
 msgid "Unable to open %s - %s\n"
-msgstr ""
+msgstr "Unable to open %s - %s\n"
 #: ../parser_interface.c:776 ../parser_interface.c:768
 #: ../parser_interface.c:543
 #, c-format
 msgid "Memory Allocation Error: Unable to remove ^%s\n"
-msgstr ""
+msgstr "Memory Allocation Error: Unable to remove ^%s\n"
 #: ../parser_interface.c:789 ../parser_interface.c:781
 #: ../parser_interface.c:556
 #, c-format
 msgid "Memory Allocation Error: Unable to remove %s:%s."
-msgstr ""
+msgstr "Memory Allocation Error: Unable to remove %s:%s."
 #: ../parser_interface.c:810 ../parser_interface.c:802
 msgid "unable to create work area\n"
-msgstr ""
+msgstr "unable to create work area\n"
 #: ../parser_interface.c:818 ../parser_interface.c:810
 #, c-format
 msgid "unable to serialize profile %s\n"
-msgstr ""
+msgstr "unable to serialise profile %s\n"
 #: ../parser_interface.c:829 ../parser_interface.c:916
 #: ../parser_interface.c:821 ../parser_interface.c:908
 #: ../parser_interface.c:582
 #, c-format
 msgid "%s: Unable to write entire profile entry\n"
-msgstr ""
+msgstr "%s: Unable to write entire profile entry\n"
 #: ../parser_interface.c:839 ../parser_interface.c:831
 #: ../parser_interface.c:593
 #, c-format
 msgid "%s: Unable to write entire profile entry to cache\n"
-msgstr ""
+msgstr "%s: Unable to write entire profile entry to cache\n"
 #: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169
 #, c-format
 msgid "Could not open '%s'"
-msgstr ""
+msgstr "Could not open '%s'"
 #: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173
 #, c-format
 msgid "fstat failed for '%s'"
-msgstr ""
+msgstr "fstat failed for '%s'"
 #: parser_lex.l:121
 #, c-format
 msgid "opendir failed '%s'"
-msgstr ""
+msgstr "opendir failed '%s'"
 #: parser_lex.l:152
 #, c-format
 msgid "stat failed for '%s'"
-msgstr ""
+msgstr "stat failed for '%s'"
 #: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139
 #, c-format
 msgid "Could not open '%s' in '%s'"
-msgstr ""
+msgstr "Could not open '%s' in '%s'"
 #: parser_lex.l:284 parser_lex.l:322 parser_lex.l:362 parser_lex.l:399
 #: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586 parser_lex.l:638
 #, c-format
 msgid "Found unexpected character: '%s'"
-msgstr ""
+msgstr "Found unexpected character: '%s'"
 #: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
 msgid "Variable declarations do not accept trailing commas"
-msgstr ""
+msgstr "Variable declarations do not accept trailing commas"
 #: parser_lex.l:420
 #, c-format
 msgid "(network_mode) Found unexpected character: '%s'"
-msgstr ""
+msgstr "(network_mode) Found unexpected character: '%s'"
 #: ../parser_main.c:333 ../parser_common.c:61 ../parser_common.c:106
 #, c-format
 msgid "Warning from %s (%s%sline %d): %s"
-msgstr ""
+msgstr "Warning from %s (%s%sline %d): %s"
 #: ../parser_main.c:531
 #, c-format
 msgid "%s: Could not allocate memory for subdomainbase mount point\n"
-msgstr ""
+msgstr "%s: Could not allocate memory for subdomainbase mount point\n"
 #: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
 #, c-format
@@ -248,6 +248,8 @@ msgid ""
 "Warning: unable to find a suitable fs in %s, is it mounted?\n"
 "Use --subdomainfs to override.\n"
 msgstr ""
 "Warning: unable to find a suitable fs in %s, is it mounted?\n"
 "Use --subdomainfs to override.\n"
 #: ../parser_main.c:597 ../parser_main.c:635 ../parser_main.c:498
 #, c-format
@@ -255,6 +257,8 @@ msgid ""
 "%s: Sorry. You need root privileges to run this program.\n"
 "\n"
 msgstr ""
 "%s: Sorry. You need root privileges to run this programme.\n"
 "\n"
 #: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
 #, c-format
@@ -263,12 +267,15 @@ msgid ""
 "Anybody who can run this program can update your AppArmor profiles.\n"
 "\n"
 msgstr ""
 "%s: Warning! You've set this programme setuid root.\n"
 "Anybody who can run this program can update your AppArmor profiles.\n"
 "\n"
 #: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
 #: ../parser_main.c:946 ../parser_main.c:860
 #, c-format
 msgid "Error: Could not read profile %s: %s.\n"
-msgstr ""
+msgstr "Error: Could not read profile %s: %s.\n"
 #: ../parser_main.c:718 ../parser_misc.c:270 parser_yacc.y:227
 #: parser_yacc.y:374 parser_yacc.y:386 parser_yacc.y:484 parser_yacc.y:586
@@ -289,37 +296,40 @@ msgstr ""
 #: parser_yacc.y:1565 parser_yacc.y:1583 parser_yacc.y:1590 parser_yacc.y:1639
 #: ../network.c:314 ../af_unix.cc:203
 msgid "Memory allocation error."
-msgstr ""
+msgstr "Memory allocation error."
 #: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
 #, c-format
 msgid "Cached load succeeded for \"%s\".\n"
-msgstr ""
+msgstr "Cached load succeeded for \"%s\".\n"
 #: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
 #, c-format
 msgid "Cached reload succeeded for \"%s\".\n"
-msgstr ""
+msgstr "Cached reload succeeded for \"%s\".\n"
 #: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
 #, c-format
 msgid "%s: Errors found in file. Aborting.\n"
-msgstr ""
+msgstr "%s: Errors found in file. Aborting.\n"
 #: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
 msgid ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
 "See the apparmor.d(5) manpage for details.\n"
 msgstr ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to "
 "lowercase.\n"
 "See the apparmor.d(5) manpage for details.\n"
 #: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
 #: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
 msgid "Conflict 'a' and 'w' perms are mutually exclusive."
-msgstr ""
+msgstr "Conflict 'a' and 'w' perms are mutually exclusive."
 #: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
 msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
-msgstr ""
+msgstr "Exec qualifier 'i' invalid, conflicting qualifier already specified."
 #: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
 #, c-format
@@ -327,12 +337,15 @@ msgid ""
 "Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
 "to be passed to the unconfined process; 'man 5 apparmor.d' for details.\n"
 msgstr ""
 "Unconfined exec qualifier (%c%c) allows some dangerous environment variables "
 "to be passed to the unconfined process; 'man 5 apparmor.d' for details.\n"
 #: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
 #: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
 #, c-format
 msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
 msgstr ""
 "Exec qualifier '%c' invalid, conflicting qualifier already specified."
 #: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
 #: ../parser_misc.c:716 ../parser_misc.c:450 ../parser_misc.c:458
@@ -340,75 +353,78 @@ msgstr ""
 msgid ""
 "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
 msgstr ""
 "Exec qualifier '%c%c' invalid, conflicting qualifier already specified."
 #: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
 #, c-format
 msgid "Internal: unexpected mode character '%c' in input"
-msgstr ""
+msgstr "Internal: unexpected mode character '%c' in input"
 #: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
 #, c-format
 msgid "Internal error generated invalid perm 0x%llx\n"
-msgstr ""
+msgstr "Internal error generated invalid perm 0x%llx\n"
 #: ../parser_misc.c:865 ../parser_symtab.c:561 ../parser_regex.c:626
 #: ../parser_variable.c:229
 #, c-format
 msgid "AppArmor parser error: %s\n"
-msgstr ""
+msgstr "AppArmor parser error: %s\n"
 #: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
 msgid "Couldn't merge entries. Out of Memory\n"
-msgstr ""
+msgstr "Couldn't merge entries. Out of Memory.\n"
 #: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
-msgstr ""
+msgstr "profile %s: has merged rule %s with conflicting x modifiers.\n"
 #: parser_yacc.y:236 parser_yacc.y:277 parser_yacc.y:320
 msgid "Profile attachment must begin with a '/'."
-msgstr ""
+msgstr "Profile attachment must begin with a '/'."
 #: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
 msgid ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 msgstr ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 #: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
 #, c-format
 msgid "Failed to create alias %s -> %s\n"
-msgstr ""
+msgstr "Failed to create alias %s -> %s\n"
 #: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
 msgid "Profile flag chroot_relative conflicts with namespace_relative"
-msgstr ""
+msgstr "Profile flag chroot_relative conflicts with namespace_relative"
 #: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
 msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
-msgstr ""
+msgstr "Profile flag mediate_deleted conflicts with delegate_deleted"
 #: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
 msgid ""
 "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 msgstr ""
 "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 #: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
 msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
-msgstr ""
+msgstr "Profile flag chroot_attach conflicts with chroot_no_attach"
 #: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
 msgid "Profile flag 'debug' is no longer valid."
-msgstr ""
+msgstr "Profile flag 'debug' is no longer valid."
 #: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
 #, c-format
 msgid "Invalid profile flag: %s."
-msgstr ""
+msgstr "Invalid profile flag: %s."
 #: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
 msgid "Assert: `rule' returned NULL."
-msgstr ""
+msgstr "Assert: `rule' returned NULL."
 #: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
 #: parser_yacc.y:598 parser_yacc.y:630
@@ -416,93 +432,98 @@ msgid ""
 "Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'"
 msgstr ""
 "Invalid mode, in deny rules, 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'."
 #: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
 msgid ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
 msgstr ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'."
 #: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
 msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
 msgstr ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'."
 #: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
 msgid "Assert: `network_rule' return invalid protocol."
-msgstr ""
+msgstr "Assert: `network_rule' return invalid protocol."
 #: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
 msgid "Assert: `change_profile' returned NULL."
-msgstr ""
+msgstr "Assert: `change_profile' returned NULL."
 #: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
 msgid "Assert: 'hat rule' returned NULL."
-msgstr ""
+msgstr "Assert: 'hat rule' returned NULL."
 #: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
 msgid "Assert: 'local_profile rule' returned NULL."
-msgstr ""
+msgstr "Assert: 'local_profile rule' returned NULL."
 #: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
 #, c-format
 msgid "Unset boolean variable %s used in if-expression"
-msgstr ""
+msgstr "Unset boolean variable %s used in if-expression"
 #: parser_yacc.y:882 parser_yacc.y:986 parser_yacc.y:1092
 msgid "unsafe rule missing exec permissions"
-msgstr ""
+msgstr "unsafe rule missing exec permissions"
 #: parser_yacc.y:901 parser_yacc.y:954 parser_yacc.y:1060
 msgid "subset can only be used with link rules."
-msgstr ""
+msgstr "subset can only be used with link rules."
 #: parser_yacc.y:903 parser_yacc.y:956 parser_yacc.y:1062
 msgid "link and exec perms conflict on a file rule using ->"
-msgstr ""
+msgstr "link and exec perms conflict on a file rule using ->"
 #: parser_yacc.y:905 parser_yacc.y:958 parser_yacc.y:1064
 msgid "link perms are not allowed on a named profile transition.\n"
-msgstr ""
+msgstr "link perms are not allowed on a named profile transition.\n"
 #: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
 #, c-format
 msgid "missing an end of line character? (entry: %s)"
-msgstr ""
+msgstr "missing an end of line character? (entry: %s)"
 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
 #: parser_yacc.y:1145 parser_yacc.y:1155
 msgid "Invalid network entry."
-msgstr ""
+msgstr "Invalid network entry."
 #: parser_yacc.y:1039 parser_yacc.y:1048 parser_yacc.y:1254 parser_yacc.y:1510
 #, c-format
 msgid "Invalid capability %s."
-msgstr ""
+msgstr "Invalid capability %s."
 #: parser_yacc.y:1066 parser_yacc.y:1269 parser_yacc.y:1525
 #, c-format
 msgid "AppArmor parser error for %s%s%s at line %d: %s\n"
-msgstr ""
+msgstr "AppArmor parser error for %s%s%s at line %d: %s\n"
 #: parser_yacc.y:1072 parser_yacc.y:1275 parser_yacc.y:1531
 #, c-format
 msgid "AppArmor parser error,%s%s line %d: %s\n"
-msgstr ""
+msgstr "AppArmor parser error, %s%s line %d: %s\n"
 #: ../parser_regex.c:244
 #, c-format
 msgid "%s: Illegal open {, nesting groupings not allowed\n"
-msgstr ""
+msgstr "%s: Illegal open {, nesting groupings not allowed\n"
 #: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
 #, c-format
 msgid "%s: Regex grouping error: Invalid number of items between {}\n"
-msgstr ""
+msgstr "%s: Regex grouping error: Invalid number of items between {}\n"
 #: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close }, no matching open { detected\n"
 msgstr ""
 "%s: Regex grouping error: Invalid close }, no matching open { detected\n"
 #: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
 #, c-format
@@ -510,26 +531,28 @@ msgid ""
 "%s: Regex grouping error: Unclosed grouping or character class, expecting "
 "close }\n"
 msgstr ""
 "%s: Regex grouping error: Unclosed grouping or character class, expecting "
 "close }\n"
 #: ../parser_regex.c:351 ../parser_regex.c:357
 #, c-format
 msgid "%s: Internal buffer overflow detected, %d characters exceeded\n"
-msgstr ""
+msgstr "%s: Internal buffer overflow detected, %d characters exceeded\n"
 #: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
 #, c-format
 msgid "%s: Unable to parse input line '%s'\n"
-msgstr ""
+msgstr "%s: Unable to parse input line '%s'\n"
 #: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
 #, c-format
 msgid "%s: Invalid profile name '%s' - bad regular expression\n"
-msgstr ""
+msgstr "%s: Invalid profile name '%s' - bad regular expression\n"
 #: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
 #, c-format
 msgid "ERROR merging rules for profile %s, failed to load\n"
-msgstr ""
+msgstr "ERROR merging rules for profile %s, failed to load\n"
 #: ../parser_policy.c:234
 #, c-format
@@ -538,205 +561,209 @@ msgid ""
 "\t'*', '?', character ranges, and alternations are not allowed.\n"
 "\t'**' may only be used at the end of a rule.\n"
 msgstr ""
 "ERROR profile %s contains policy elements not usable with this kernel:\n"
 "\t'*', '?', character ranges, and alternations are not allowed.\n"
 "\t'**' may only be used at the end of a rule.\n"
 #: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
 #, c-format
 msgid "ERROR processing regexs for profile %s, failed to load\n"
-msgstr ""
+msgstr "ERROR processing regexs for profile %s, failed to load\n"
 #: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
 #, c-format
 msgid "ERROR expanding variables for profile %s, failed to load\n"
-msgstr ""
+msgstr "ERROR expanding variables for profile %s, failed to load\n"
 #: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
 #, c-format
 msgid "ERROR adding hat access rule for profile %s\n"
-msgstr ""
+msgstr "ERROR adding hat access rule for profile %s\n"
 #: ../parser_policy.c:490 ../parser_policy.c:271
 #, c-format
 msgid "ERROR in profile %s, failed to load\n"
-msgstr ""
+msgstr "ERROR in profile %s, failed to load\n"
 #: ../parser_policy.c:675
 #, c-format
 msgid "%s: Errors found during postprocessing.  Aborting.\n"
-msgstr ""
+msgstr "%s: Errors found during postprocessing.  Aborting.\n"
 #: ../parser_policy.c:682 ../parser_policy.c:704
 #, c-format
 msgid "%s: Errors found during regex postprocess.  Aborting.\n"
-msgstr ""
+msgstr "%s: Errors found during regex postprocess.  Aborting.\n"
 #: ../parser_policy.c:689
 #, c-format
 msgid "%s: Errors found during postprocess.  Aborting.\n"
-msgstr ""
+msgstr "%s: Errors found during postprocess.  Aborting.\n"
 #: ../parser_policy.c:696
 #, c-format
 msgid "%s: Errors found in combining rules postprocessing. Aborting.\n"
-msgstr ""
+msgstr "%s: Errors found in combining rules postprocessing. Aborting.\n"
 #: parser_lex.l:180 parser_lex.l:186
 #, c-format
 msgid "Could not process include directory '%s' in '%s'"
-msgstr ""
+msgstr "Could not process include directory '%s' in '%s'"
 #: ../parser_main.c:660 ../parser_main.c:523
 msgid "Feature buffer full."
-msgstr ""
+msgstr "Feature buffer full."
 #: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
 #: ../parser_main.c:1041
 msgid "Out of memory"
-msgstr ""
+msgstr "Out of memory"
 #: ../parser_main.c:1182 ../parser_main.c:1091
 #, c-format
 msgid "Can't create cache directory: %s\n"
-msgstr ""
+msgstr "Cannot create cache directory: %s\n"
 #: ../parser_main.c:1185 ../parser_main.c:1094
 #, c-format
 msgid "File in cache directory location: %s\n"
-msgstr ""
+msgstr "File in cache directory location: %s\n"
 #: ../parser_main.c:1188 ../parser_main.c:1097
 #, c-format
 msgid "Can't update cache directory: %s\n"
-msgstr ""
+msgstr "Cannot update cache directory: %s\n"
 #: ../parser_misc.c:833
 #, c-format
 msgid "Internal: unexpected DBus mode character '%c' in input"
-msgstr ""
+msgstr "Internal: unexpected DBus mode character '%c' in input"
 #: ../parser_misc.c:857
 #, c-format
 msgid "Internal error generated invalid DBus perm 0x%x\n"
-msgstr ""
+msgstr "Internal error generated invalid DBus perm 0x%x\n"
 #: parser_yacc.y:575 parser_yacc.y:621
 msgid "deny prefix not allowed"
-msgstr ""
+msgstr "deny prefix not allowed"
 #: parser_yacc.y:612 parser_yacc.y:658
 msgid "owner prefix not allowed"
-msgstr ""
+msgstr "owner prefix not allowed"
 #: parser_yacc.y:660
 msgid "owner prefix not allow on mount rules"
-msgstr ""
+msgstr "owner prefix not allow on mount rules"
 #: parser_yacc.y:677
 msgid "owner prefix not allow on dbus rules"
-msgstr ""
+msgstr "owner prefix not allow on dbus rules"
 #: parser_yacc.y:704
 msgid "owner prefix not allow on capability rules"
-msgstr ""
+msgstr "owner prefix not allow on capability rules"
 #: parser_yacc.y:1357 parser_yacc.y:1613
 #, c-format
 msgid "invalid mount conditional %s%s"
-msgstr ""
+msgstr "invalid mount conditional %s%s"
 #: parser_yacc.y:1374 parser_yacc.y:1628
 msgid "bad mount rule"
-msgstr ""
+msgstr "bad mount rule"
 #: parser_yacc.y:1381 parser_yacc.y:1635
 msgid "mount point conditions not currently supported"
-msgstr ""
+msgstr "mount point conditions not currently supported"
 #: parser_yacc.y:1398 parser_yacc.y:1650
 #, c-format
 msgid "invalid pivotroot conditional '%s'"
-msgstr ""
+msgstr "invalid pivotroot conditional '%s'"
 #: ../parser_regex.c:241 ../parser_regex.c:236
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
 msgstr ""
 "%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
 #: ../parser_regex.c:257 ../parser_regex.c:256
 #, c-format
 msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
-msgstr ""
+msgstr "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
 #: ../parser_policy.c:366 ../parser_policy.c:339
 #, c-format
 msgid "ERROR processing policydb rules for profile %s, failed to load\n"
-msgstr ""
+msgstr "ERROR processing policydb rules for profile %s, failed to load\n"
 #: ../parser_policy.c:396 ../parser_policy.c:369
 #, c-format
 msgid "ERROR replacing aliases for profile %s, failed to load\n"
-msgstr ""
+msgstr "ERROR replacing aliases for profile %s, failed to load\n"
 #: ../parser_interface.c:635 ../parser_interface.c:638
 #, c-format
 msgid "%s: Unable to write %s\n"
-msgstr ""
+msgstr "%s: Unable to write %s\n"
 #: ../parser_main.c:721
 #, c-format
 msgid "Error: Could not read binary profile or cache file %s: %s.\n"
-msgstr ""
+msgstr "Error: Could not read binary profile or cache file %s: %s.\n"
 #: ../parser_main.c:811
 #, c-format
 msgid "Error: Could not read cache file '%s', skipping...\n"
-msgstr ""
+msgstr "Error: Could not read cache file '%s', skipping...\n"
 #: ../parser_misc.c:575
 #, c-format
 msgid "Internal: unexpected %s mode character '%c' in input"
-msgstr ""
+msgstr "Internal: unexpected %s mode character '%c' in input"
 #: ../parser_misc.c:599
 #, c-format
 msgid "Internal error generated invalid %s perm 0x%x\n"
-msgstr ""
+msgstr "Internal error generated invalid %s perm 0x%x\n"
 #: parser_yacc.y:703
 msgid "owner prefix not allowed on mount rules"
-msgstr ""
+msgstr "owner prefix not allowed on mount rules"
 #: parser_yacc.y:720
 msgid "owner prefix not allowed on dbus rules"
-msgstr ""
+msgstr "owner prefix not allowed on dbus rules"
 #: parser_yacc.y:736
 msgid "owner prefix not allowed on signal rules"
-msgstr ""
+msgstr "owner prefix not allowed on signal rules"
 #: parser_yacc.y:752
 msgid "owner prefix not allowed on ptrace rules"
-msgstr ""
+msgstr "owner prefix not allowed on ptrace rules"
 #: parser_yacc.y:768
 msgid "owner prefix not allowed on unix rules"
-msgstr ""
+msgstr "owner prefix not allowed on unix rules"
 #: parser_yacc.y:794
 msgid "owner prefix not allowed on capability rules"
-msgstr ""
+msgstr "owner prefix not allowed on capability rules"
 #: parser_yacc.y:1293
 #, c-format
 msgid "dbus rule: invalid conditional group %s=()"
-msgstr ""
+msgstr "dbus rule: invalid conditional group %s=()"
 #: parser_yacc.y:1371
 #, c-format
 msgid "unix rule: invalid conditional group %s=()"
-msgstr ""
+msgstr "unix rule: invalid conditional group %s=()"
 #: ../parser_regex.c:368
 #, c-format
 msgid "%s: Regex error: trailing '\\' escape character\n"
-msgstr ""
+msgstr "%s: Regex error: trailing '\\' escape character\n"
--- a/parser/po/it.po
+++ b/parser/po/it.po
@@ -6,24 +6,24 @@ msgstr ""
 "Project-Id-Version: apparmor-parser\n"
 "Report-Msgid-Bugs-To: <apparmor@lists.ubuntu.com>\n"
 "POT-Creation-Date: 2014-09-13 00:11-0700\n"
-"PO-Revision-Date: 2014-04-30 21:43+0000\n"
+"PO-Revision-Date: 2014-10-26 18:14+0000\n"
-"Last-Translator: Gio <gio.scino@gmail.com>\n"
+"Last-Translator: Claudio Arseni <claudio.arseni@gmail.com>\n"
 "Language-Team: Novell Language <language@novell.com>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Launchpad-Export-Date: 2014-09-14 05:57+0000\n"
+"X-Launchpad-Export-Date: 2014-10-27 05:32+0000\n"
-"X-Generator: Launchpad (build 17196)\n"
+"X-Generator: Launchpad (build 17203)\n"
 "Language: it\n"
 #: ../parser_include.c:113 ../parser_include.c:111
 msgid "Error: Out of memory.\n"
-msgstr "Errore: Memoria esaurita\n"
+msgstr "Errore: memoria esaurita.\n"
 #: ../parser_include.c:123 ../parser_include.c:121
 #, c-format
 msgid "Error: basedir %s is not a directory, skipping.\n"
-msgstr "Errore: dir. base %s non è una directory, ignorarla.\n"
+msgstr "Errore: la directory di base %s non è una directory, ignorata.\n"
 #: ../parser_include.c:137
 #, c-format
@@ -37,7 +37,7 @@ msgstr "Errore: impossibile allocare memoria.\n"
 #: ../parser_interface.c:69 ../parser_interface.c:72 ../parser_interface.c:49
 msgid "Bad write position\n"
-msgstr "Posizione scrittura errata\n"
+msgstr "Posizione di scrittura errata\n"
 #: ../parser_interface.c:72 ../parser_interface.c:75 ../parser_interface.c:52
 msgid "Permission denied\n"
@@ -53,7 +53,7 @@ msgstr "Impossibile copiare il profilo: indirizzo di memoria errato\n"
 #: ../parser_interface.c:81 ../parser_interface.c:84 ../parser_interface.c:61
 msgid "Profile doesn't conform to protocol\n"
-msgstr "Il profilo non è conforme con il protocollo\n"
+msgstr "Il profilo non è conforme al protocollo\n"
 #: ../parser_interface.c:84 ../parser_interface.c:87 ../parser_interface.c:64
 msgid "Profile does not match signature\n"
@@ -61,7 +61,7 @@ msgstr "Il profilo non corrisponde alla firma\n"
 #: ../parser_interface.c:87 ../parser_interface.c:90 ../parser_interface.c:67
 msgid "Profile version not supported by Apparmor module\n"
-msgstr "Versione profilo non supportata dal modulo AppArrmor\n"
+msgstr "Versione del profilo non supportata dal modulo Apparmor\n"
 #: ../parser_interface.c:90 ../parser_interface.c:93 ../parser_interface.c:70
 msgid "Profile already exists\n"
@@ -74,11 +74,13 @@ msgstr "Profilo inesistente\n"
 #: ../parser_interface.c:96 ../parser_interface.c:99 ../parser_interface.c:76
 msgid "Permission denied; attempted to load a profile while confined?\n"
 msgstr ""
 "Permesso non consentito: tentativo di caricare un profilo con i limiti "
 "applicati?\n"
 #: ../parser_interface.c:99 ../parser_interface.c:102 ../parser_interface.c:79
 #, c-format
 msgid "Unknown error (%d): %s\n"
-msgstr ""
+msgstr "Errore sconosciuto (%d): %s\n"
 #: ../parser_interface.c:116 ../parser_interface.c:119
 #: ../parser_interface.c:96
@@ -108,20 +110,20 @@ msgstr "%s: Impossibile scrivere su stdout\n"
 #: ../parser_interface.c:115
 #, c-format
 msgid "%s: Unable to write to output file\n"
-msgstr ""
+msgstr "%s: impossibile scrivere sul file di output\n"
 #: ../parser_interface.c:138 ../parser_interface.c:162
 #: ../parser_interface.c:141 ../parser_interface.c:165
 #: ../parser_interface.c:118 ../parser_interface.c:142
 #, c-format
 msgid "%s: ASSERT: Invalid option: %d\n"
-msgstr "%s: ASSERZIONE: Opzione non valida: %d\n"
+msgstr "%s: ASSERZIONE: opzione non valida: %d\n"
 #: ../parser_interface.c:147 ../parser_interface.c:150
 #: ../parser_interface.c:127
 #, c-format
 msgid "Addition succeeded for \"%s\".\n"
-msgstr "Addizione riuscita per \"%s\".\n"
+msgstr "Aggiunta riuscita per \"%s\".\n"
 #: ../parser_interface.c:151 ../parser_interface.c:154
 #: ../parser_interface.c:131
@@ -145,11 +147,11 @@ msgstr ""
 #: ../parser_interface.c:446
 #, c-format
 msgid "profile %s network rules not enforced\n"
-msgstr ""
+msgstr "regole di rete del profilo %s non applicate\n"
 #: ../parser_interface.c:666
 msgid "Unknown pattern type\n"
-msgstr ""
+msgstr "Tipo di modello sconosciuto\n"
 #: ../parser_interface.c:750 ../parser_interface.c:902
 #: ../parser_interface.c:743 ../parser_interface.c:894
@@ -162,13 +164,13 @@ msgstr "Impossibile aprire %s - %s\n"
 #: ../parser_interface.c:543
 #, c-format
 msgid "Memory Allocation Error: Unable to remove ^%s\n"
-msgstr "Errore di allocazione memoria: Impossibile rimuovere ^%s\n"
+msgstr "Errore di allocazione memoria: impossibile rimuovere ^%s\n"
 #: ../parser_interface.c:789 ../parser_interface.c:781
 #: ../parser_interface.c:556
 #, c-format
 msgid "Memory Allocation Error: Unable to remove %s:%s."
-msgstr "Errore di allocazione memoria: Impossibile rimuovere %s:%s."
+msgstr "Errore di allocazione memoria: impossibile rimuovere %s:%s."
 #: ../parser_interface.c:810 ../parser_interface.c:802
 msgid "unable to create work area\n"
@@ -184,13 +186,13 @@ msgstr "impossibile serializzare profilo %s\n"
 #: ../parser_interface.c:582
 #, c-format
 msgid "%s: Unable to write entire profile entry\n"
-msgstr "%s: Impossibile scrivere intera registrazione profilo\n"
+msgstr "%s: impossibile scrivere l'intera voce del profilo\n"
 #: ../parser_interface.c:839 ../parser_interface.c:831
 #: ../parser_interface.c:593
 #, c-format
 msgid "%s: Unable to write entire profile entry to cache\n"
-msgstr ""
+msgstr "%s: impossibile scrivere l'intero profilo nella cache\n"
 #: parser_lex.l:100 parser_lex.l:163 parser_lex.l:169
 #, c-format
@@ -200,48 +202,49 @@ msgstr "Impossibile aprire \"%s\""
 #: parser_lex.l:104 parser_lex.l:167 parser_lex.l:173
 #, c-format
 msgid "fstat failed for '%s'"
-msgstr ""
+msgstr "fstat non riuscita per \"%s\""
 #: parser_lex.l:121
 #, c-format
 msgid "opendir failed '%s'"
-msgstr ""
+msgstr "opendir non riuscita per \"%s\""
 #: parser_lex.l:152
 #, c-format
 msgid "stat failed for '%s'"
-msgstr ""
+msgstr "stat non riuscita per \"%s\""
 #: parser_lex.l:155 parser_lex.l:133 parser_lex.l:139
 #, c-format
 msgid "Could not open '%s' in '%s'"
-msgstr ""
+msgstr "Impossibile aprire \"%s\" in \"%s\""
 #: parser_lex.l:284 parser_lex.l:322 parser_lex.l:362 parser_lex.l:399
 #: parser_lex.l:469 parser_lex.l:655 parser_lex.l:586 parser_lex.l:638
 #, c-format
 msgid "Found unexpected character: '%s'"
-msgstr "Trovato carattere imprevisto: '%s'"
+msgstr "Trovato carattere imprevisto: \"%s\""
 #: parser_lex.l:386 parser_lex.l:418 parser_lex.l:428
 msgid "Variable declarations do not accept trailing commas"
-msgstr ""
+msgstr "La dichiarazione di variabile non accetta virgole terminanti"
 #: parser_lex.l:420
 #, c-format
 msgid "(network_mode) Found unexpected character: '%s'"
-msgstr "(network_mode) Trovato carattere imprevisto: '%s'"
+msgstr "(network_mode) Trovato carattere imprevisto: \"%s\""
 #: ../parser_main.c:333 ../parser_common.c:61 ../parser_common.c:106
 #, c-format
 msgid "Warning from %s (%s%sline %d): %s"
-msgstr ""
+msgstr "Avviso da %s (%s%sriga %d): %s"
 #: ../parser_main.c:531
 #, c-format
 msgid "%s: Could not allocate memory for subdomainbase mount point\n"
 msgstr ""
-"%s: Impossibile allocare memoria per punto di montaggio base sottodominio\n"
+"%s: impossibile allocare memoria per il punto di montaggio base "
 "sottodominio\n"
 #: ../parser_main.c:577 ../parser_main.c:616 ../parser_main.c:479
 #, c-format
@@ -258,7 +261,7 @@ msgid ""
 "%s: Sorry. You need root privileges to run this program.\n"
 "\n"
 msgstr ""
-"%s: Errore. Sono richiesti privilegi di root per eseguire questo programma.\n"
+"%s: errore. Sono richiesti privilegi di root per eseguire questo programma.\n"
 "\n"
 #: ../parser_main.c:604 ../parser_main.c:642 ../parser_main.c:505
@@ -268,8 +271,9 @@ msgid ""
 "Anybody who can run this program can update your AppArmor profiles.\n"
 "\n"
 msgstr ""
-"%s: Avviso! È stato impostato il root setuid di questo programma.\n"
+"%s: attenzione. È stato impostato il root setuid di questo programma.\n"
-"Chiunque esegua questo programma può aggiornare i profili di AppArmor.\n"
+"Chiunque possa eseguire questo programma può aggiornare i profili di "
 "AppArmor.\n"
 "\n"
 #: ../parser_main.c:704 ../parser_main.c:813 ../parser_main.c:836
@@ -302,7 +306,7 @@ msgstr "Errore allocazione memoria."
 #: ../parser_main.c:740 ../parser_main.c:872 ../parser_main.c:757
 #, c-format
 msgid "Cached load succeeded for \"%s\".\n"
-msgstr ""
+msgstr "Caricamento cache eseguito con successo per \"%s\".\n"
 #: ../parser_main.c:744 ../parser_main.c:876 ../parser_main.c:761
 #, c-format
@@ -312,26 +316,27 @@ msgstr "Ricaricamento cache eseguito con successo per \"%s\".\n"
 #: ../parser_main.c:910 ../parser_main.c:1058 ../parser_main.c:967
 #, c-format
 msgid "%s: Errors found in file. Aborting.\n"
-msgstr "%s: Errori individuati nel file. Interruzione in corso.\n"
+msgstr "%s: errori individuati nel file. Interruzione.\n"
 #: ../parser_misc.c:426 ../parser_misc.c:597 ../parser_misc.c:339
 msgid ""
 "Uppercase qualifiers \"RWLIMX\" are deprecated, please convert to lowercase\n"
 "See the apparmor.d(5) manpage for details.\n"
 msgstr ""
-"Qualificatori maiuscoli \"RWLIMX\" obsoleti. Utilizzare caratteri "
+"Qualificatori maiuscoli \"RWLIMX\" obsoleti, utilizzare caratteri "
 "minuscoli.\n"
-"Per dettagli, consultare apparmor.d(5) manpage.\n"
+"Per dettagli, consultare la manpage di apparmor.d(5).\n"
 #: ../parser_misc.c:467 ../parser_misc.c:474 ../parser_misc.c:638
 #: ../parser_misc.c:645 ../parser_misc.c:380 ../parser_misc.c:387
 msgid "Conflict 'a' and 'w' perms are mutually exclusive."
-msgstr "Conflitto: i parametri 'a' e 'w' si escludono a vicenda."
+msgstr "Conflitto: i permessi \"a\" e \"w\" si escludono a vicenda."
 #: ../parser_misc.c:491 ../parser_misc.c:662 ../parser_misc.c:404
 msgid "Exec qualifier 'i' invalid, conflicting qualifier already specified"
 msgstr ""
-"Qualificatore Exec 'i' non valido, qualificatore in conflitto già specificato"
+"Qualificatore Exec \"i\" non valido: qualificatore in conflitto già "
 "specificato"
 #: ../parser_misc.c:502 ../parser_misc.c:673 ../parser_misc.c:415
 #, c-format
@@ -340,15 +345,15 @@ msgid ""
 "to be passed to the unconfined process; 'man 5 apparmor.d' for details.\n"
 msgstr ""
 "Il qualificatore Exec senza limitazioni (%c%c) consente il passaggio di "
-"alcune variabili d'ambiente pericolose al processo senza limitazioni; vedere "
+"alcune variabili d'ambiente pericolose al processo senza limitazioni; "
-"'man 5 apparmor.d' per dettagli.\n"
+"consultare \"man 5 apparmor.d\" per dettagli.\n"
 #: ../parser_misc.c:510 ../parser_misc.c:551 ../parser_misc.c:681
 #: ../parser_misc.c:722 ../parser_misc.c:423 ../parser_misc.c:464
 #, c-format
 msgid "Exec qualifier '%c' invalid, conflicting qualifier already specified"
 msgstr ""
-"Qualificatore Exec '%c' non valido; qualificatore in conflitto già "
+"Qualificatore Exec \"%c\" non valido: qualificatore in conflitto già "
 "specificato."
 #: ../parser_misc.c:537 ../parser_misc.c:545 ../parser_misc.c:708
@@ -357,18 +362,18 @@ msgstr ""
 msgid ""
 "Exec qualifier '%c%c' invalid, conflicting qualifier already specified"
 msgstr ""
-"Il qualificatore exec '%c%c' non è valido. Il qualificatore in conflitto è "
+"Il qualificatore exec \"%c%c\" non è valido: qualificatore in conflitto è "
 "già specificato"
 #: ../parser_misc.c:593 ../parser_misc.c:764 ../parser_misc.c:506
 #, c-format
 msgid "Internal: unexpected mode character '%c' in input"
-msgstr "Interno: carattere modalità imprevisto '%c' nell'input"
+msgstr "Interno: carattere modalità imprevisto \"%c\" nell'input"
 #: ../parser_misc.c:615 ../parser_misc.c:786 ../parser_misc.c:528
 #, c-format
 msgid "Internal error generated invalid perm 0x%llx\n"
-msgstr "Errore interno generato da un perm non valido 0x%llx\n"
+msgstr "Un errore interno ha generato un permesso non valido 0x%llx\n"
 #: ../parser_misc.c:865 ../parser_symtab.c:561 ../parser_regex.c:626
 #: ../parser_variable.c:229
@@ -378,56 +383,63 @@ msgstr "Errore parser AppArmor: %s\n"
 #: ../parser_merge.c:92 ../parser_merge.c:91 ../parser_merge.c:83
 msgid "Couldn't merge entries. Out of Memory\n"
-msgstr "Impossibile fondere registrazioni. Memoria esaurita\n"
+msgstr "Impossibile unire le voci: memoria esaurita\n"
 #: ../parser_merge.c:111 ../parser_merge.c:113 ../parser_merge.c:105
 #, c-format
 msgid "profile %s: has merged rule %s with conflicting x modifiers\n"
-msgstr ""
+msgstr "profilo %s: ha regole unite %s con modificatori x in conflitto\n"
 #: parser_yacc.y:236 parser_yacc.y:277 parser_yacc.y:320
 msgid "Profile attachment must begin with a '/'."
-msgstr ""
+msgstr "L'allegato profilo deve iniziare con \"/\"."
 #: parser_yacc.y:260 parser_yacc.y:302 parser_yacc.y:348
 msgid ""
 "Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."
 msgstr ""
 "I nomi di profili devono iniziare con \"/\", namespace o le parole chiavi "
 "\"profile\" o \"hat\"."
 #: parser_yacc.y:296 parser_yacc.y:338 parser_yacc.y:384
 #, c-format
 msgid "Failed to create alias %s -> %s\n"
-msgstr "Impossibile creare l'alias %s -> %s\n"
+msgstr "Creazione dell'alias %s -> %s non riuscita\n"
 #: parser_yacc.y:417 parser_yacc.y:460 parser_yacc.y:506
 msgid "Profile flag chroot_relative conflicts with namespace_relative"
 msgstr ""
 "La flag del profilo chroot_relative va in conflitto con namespace_relative"
 #: parser_yacc.y:421 parser_yacc.y:464 parser_yacc.y:510
 msgid "Profile flag mediate_deleted conflicts with delegate_deleted"
 msgstr ""
 "La flag mediate_deleted del profilo va in conflitto con delegate_deleted"
 #: parser_yacc.y:424 parser_yacc.y:467 parser_yacc.y:513
 msgid ""
 "Profile flag attach_disconnected conflicts with no_attach_disconnected"
 msgstr ""
 "La flag attach_disconnected del profilo va in conflitto con "
 "no_attach_disconnected"
 #: parser_yacc.y:427 parser_yacc.y:470 parser_yacc.y:516
 msgid "Profile flag chroot_attach conflicts with chroot_no_attach"
 msgstr ""
 "La flag chroot_attach del profilo va in conflitto con chroot_no_attach"
 #: parser_yacc.y:441 parser_yacc.y:484 parser_yacc.y:530
 msgid "Profile flag 'debug' is no longer valid."
-msgstr "Il flag 'debug' del profilo non è più valido."
+msgstr "La flag \"debug\" del profilo non è più valida."
 #: parser_yacc.y:463 parser_yacc.y:506 parser_yacc.y:552
 #, c-format
 msgid "Invalid profile flag: %s."
-msgstr "Flag del profilo non valido: %s."
+msgstr "Flag del profilo non valida: %s."
 #: parser_yacc.y:498 parser_yacc.y:520 parser_yacc.y:548 parser_yacc.y:594
 msgid "Assert: `rule' returned NULL."
-msgstr "Asserzione: `rule' ha restituito NULL."
+msgstr "Asserzione: \"rule\" ha restituito NULL."
 #: parser_yacc.y:501 parser_yacc.y:546 parser_yacc.y:552 parser_yacc.y:584
 #: parser_yacc.y:598 parser_yacc.y:630
@@ -435,37 +447,37 @@ msgid ""
 "Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', "
 "'p', or 'u'"
 msgstr ""
-"Modalità non valida. Nelle regole di divieto 'x' non deve essere preceduto "
+"Modalità non valida. Nelle regole di divieto \"x\" non deve essere preceduto "
-"dal qualificatore exec 'i', 'p' o 'u'"
+"dal qualificatore exec \"i\", \"p\" o \"u\""
 #: parser_yacc.y:524 parser_yacc.y:556 parser_yacc.y:602
 msgid ""
 "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"
 msgstr ""
-"Modalità non valida. 'x' deve essere preceduto dal qualificatore exec 'i', "
+"Modalità non valida. \"x\" deve essere preceduto dal qualificatore exec "
-"'p' 'c' o 'u'"
+"\"i\", \"p\", \"c\" o \"u\""
 #: parser_yacc.y:549 parser_yacc.y:587 parser_yacc.y:633
 msgid "Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"
 msgstr ""
-"Modalità non valida. 'x' deve essere preceduto dal qualificatore Exec 'i', "
+"Modalità non valida. \"x\" deve essere preceduto dal qualificatore Exec "
-"'p' o 'u'."
+"\"i\", \"p\" o \"u\"."
 #: parser_yacc.y:574 parser_yacc.y:612 parser_yacc.y:614 parser_yacc.y:660
 msgid "Assert: `network_rule' return invalid protocol."
-msgstr "Asserzione: `network_rule' ha restituito un protocollo non valido."
+msgstr "Asserzione: \"network_rule\" ha restituito un protocollo non valido."
 #: parser_yacc.y:649 parser_yacc.y:696 parser_yacc.y:786
 msgid "Assert: `change_profile' returned NULL."
-msgstr "Asserzione: `change_profile' ha restituito NULL."
+msgstr "Asserzione: \"change_profile\" ha restituito NULL."
 #: parser_yacc.y:680 parser_yacc.y:720 parser_yacc.y:810
 msgid "Assert: 'hat rule' returned NULL."
-msgstr "Asserzione: `hat rule' ha restituito NULL."
+msgstr "Asserzione: \"hat rule\" ha restituito NULL."
 #: parser_yacc.y:689 parser_yacc.y:729 parser_yacc.y:819
 msgid "Assert: 'local_profile rule' returned NULL."
-msgstr "Asserzione: `local_profile rule' ha restituito NULL."
+msgstr "Asserzione: \"local_profile rule\" ha restituito NULL."
 #: parser_yacc.y:824 parser_yacc.y:885 parser_yacc.y:992
 #, c-format
@@ -496,7 +508,7 @@ msgstr ""
 #: parser_yacc.y:921 parser_yacc.y:1003 parser_yacc.y:1109
 #, c-format
 msgid "missing an end of line character? (entry: %s)"
-msgstr "un carattere di fine riga mancante? (registrazione: %s)"
+msgstr "un carattere di fine riga mancante? (voce: %s)"
 #: parser_yacc.y:975 parser_yacc.y:985 parser_yacc.y:1057 parser_yacc.y:1067
 #: parser_yacc.y:1145 parser_yacc.y:1155
@@ -522,21 +534,22 @@ msgstr "Errore di analisi di AppArmor, %s%s riga %d: %s\n"
 #, c-format
 msgid "%s: Illegal open {, nesting groupings not allowed\n"
 msgstr ""
-"%s: Apertura { non valida, annidamento raggruppamenti non consentito\n"
+"%s: parantesi {di apertura non valida, annidamento raggruppamenti non "
 "consentito\n"
 #: ../parser_regex.c:265 ../parser_regex.c:274 ../parser_regex.c:278
 #, c-format
 msgid "%s: Regex grouping error: Invalid number of items between {}\n"
 msgstr ""
-"%s: Errore raggruppamento Regex: numero di elementi non valido tra {}\n"
+"%s: errore raggruppamento regex: numero di elementi non valido tra {}\n"
 #: ../parser_regex.c:271 ../parser_regex.c:280 ../parser_regex.c:284
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close }, no matching open { detected\n"
 msgstr ""
-"%s: Errore raggruppamento Regex: Chiusura } non valida, non è stata "
+"%s: errore raggruppamento regex: parentesi } di chiusura non valida, non è "
-"individuata alcuna { aperta\n"
+"stata individuata alcuna { aperta\n"
 #: ../parser_regex.c:337 ../parser_regex.c:343 ../parser_regex.c:361
 #, c-format
@@ -544,29 +557,30 @@ msgid ""
 "%s: Regex grouping error: Unclosed grouping or character class, expecting "
 "close }\n"
 msgstr ""
-"%s: Errore raggruppamento Regex: raggruppamento non chiuso o classe "
+"%s: errore raggruppamento regex: raggruppamento non chiuso o classe "
 "caratteri, chiusura prevista }\n"
 #: ../parser_regex.c:351 ../parser_regex.c:357
 #, c-format
 msgid "%s: Internal buffer overflow detected, %d characters exceeded\n"
-msgstr "%s: Individuato overflow buffer interno, superati %d caratteri\n"
+msgstr "%s: individuato overflow del buffer interno, superati %d caratteri\n"
 #: ../parser_regex.c:355 ../parser_regex.c:361 ../parser_regex.c:377
 #, c-format
 msgid "%s: Unable to parse input line '%s'\n"
-msgstr "%s: Impossibile analizzare riga input '%s'\n"
+msgstr "%s: impossibile analizzare la riga input \"%s\"\n"
 #: ../parser_regex.c:397 ../parser_regex.c:405 ../parser_regex.c:421
 #, c-format
 msgid "%s: Invalid profile name '%s' - bad regular expression\n"
 msgstr ""
 "%s: nome \"%s\" del profilo non valido - espressione regolare non corretta\n"
 #: ../parser_policy.c:202 ../parser_policy.c:402 ../parser_policy.c:375
 #, c-format
 msgid "ERROR merging rules for profile %s, failed to load\n"
 msgstr ""
-"ERRORE nell'unione delle regole per il profilo %s, impossibile caricare\n"
+"ERRORE nell'unione delle regole per il profilo %s, caricamento non riuscito\n"
 #: ../parser_policy.c:234
 #, c-format
@@ -577,21 +591,22 @@ msgid ""
 msgstr ""
 "ERRORE: il profilo %s contiene elementi di norme non utilizzabili con questo "
 "kernel:\n"
-"\t'*', '?', intervalli di caratteri e alternanze non consentiti.\n"
+"\t\"*\", \"?\", intervalli di caratteri e alternanze non consentiti.\n"
-"\t'**' utilizzabili solo alla fine di una regola.\n"
+"\t\"**\" utilizzabili solo alla fine di una regola.\n"
 #: ../parser_policy.c:279 ../parser_policy.c:359 ../parser_policy.c:332
 #, c-format
 msgid "ERROR processing regexs for profile %s, failed to load\n"
 msgstr ""
-"ERRORE nell'elaborazione di regexs per il profilo %s, impossibile caricare\n"
+"ERRORE nell'elaborazione di regex per il profilo %s, caricamento non "
 "riuscito\n"
 #: ../parser_policy.c:306 ../parser_policy.c:389 ../parser_policy.c:362
 #, c-format
 msgid "ERROR expanding variables for profile %s, failed to load\n"
 msgstr ""
-"ERRORE nell'espansione delle variabili per il profilo %s, impossibile "
+"ERRORE nell'espansione delle variabili per il profilo %s, caricamento non "
-"caricare\n"
+"riuscito\n"
 #: ../parser_policy.c:390 ../parser_policy.c:382 ../parser_policy.c:355
 #, c-format
@@ -602,47 +617,44 @@ msgstr ""
 #: ../parser_policy.c:490 ../parser_policy.c:271
 #, c-format
 msgid "ERROR in profile %s, failed to load\n"
-msgstr "ERRORE in profilo %s, impossibile caricare\n"
+msgstr "ERRORE nel profilo %s, caricamento non riuscito\n"
 #: ../parser_policy.c:675
 #, c-format
 msgid "%s: Errors found during postprocessing.  Aborting.\n"
-msgstr ""
+msgstr "%s: rilevati errori durante la post-elaborazione. Interruzione.\n"
 "%s: Errori rilevati durante la post-elaborazione. Interruzione in corso.\n"
 #: ../parser_policy.c:682 ../parser_policy.c:704
 #, c-format
 msgid "%s: Errors found during regex postprocess.  Aborting.\n"
 msgstr ""
-"%s: Errori individuati durante post elaborazione regex. Interruzione in "
+"%s: individuati errori durante la post-elaborazione regex. Interruzione.\n"
 "corso.\n"
 #: ../parser_policy.c:689
 #, c-format
 msgid "%s: Errors found during postprocess.  Aborting.\n"
-msgstr ""
+msgstr "%s: rilevati errori durante la post-elaborazione. Interruzione.\n"
 "%s: Errori rilevati durante la post-elaborazione. Interruzione in corso.\n"
 #: ../parser_policy.c:696
 #, c-format
 msgid "%s: Errors found in combining rules postprocessing. Aborting.\n"
 msgstr ""
-"%s: Errori individuati durante combinazione postelaborazione regole. "
+"%s: individuati errori durante la post-elaborazione della combinazione delle "
-"Interruzione in corso.\n"
+"regole. Interruzione.\n"
 #: parser_lex.l:180 parser_lex.l:186
 #, c-format
 msgid "Could not process include directory '%s' in '%s'"
-msgstr ""
+msgstr "Impossibile elaborare inclusione directory \"%s\" in \"%s\""
 #: ../parser_main.c:660 ../parser_main.c:523
 msgid "Feature buffer full."
-msgstr ""
+msgstr "Buffer feature pieno."
 #: ../parser_main.c:1115 ../parser_main.c:1132 ../parser_main.c:1024
 #: ../parser_main.c:1041
 msgid "Out of memory"
-msgstr ""
+msgstr "Memoria esaurita"
 #: ../parser_main.c:1182 ../parser_main.c:1091
 #, c-format
@@ -652,22 +664,22 @@ msgstr "Impossibile creare la directory di cache: %s\n"
 #: ../parser_main.c:1185 ../parser_main.c:1094
 #, c-format
 msgid "File in cache directory location: %s\n"
-msgstr ""
+msgstr "File nel percorso della directory di cache: %s\n"
 #: ../parser_main.c:1188 ../parser_main.c:1097
 #, c-format
 msgid "Can't update cache directory: %s\n"
-msgstr ""
+msgstr "Impossibile aggiornare la directory di cache: %s\n"
 #: ../parser_misc.c:833
 #, c-format
 msgid "Internal: unexpected DBus mode character '%c' in input"
-msgstr ""
+msgstr "Interno: modalità caratteri DBus \"%c\" inaspettata in ingresso"
 #: ../parser_misc.c:857
 #, c-format
 msgid "Internal error generated invalid DBus perm 0x%x\n"
-msgstr ""
+msgstr "Un errore interno ha generato un permesso DBus non valido 0x%x\n"
 #: parser_yacc.y:575 parser_yacc.y:621
 msgid "deny prefix not allowed"
@@ -675,24 +687,24 @@ msgstr "prefisso di negazione non consentito"
 #: parser_yacc.y:612 parser_yacc.y:658
 msgid "owner prefix not allowed"
-msgstr "prefisso di proprietà non consentito"
+msgstr "prefisso proprietario non consentito"
 #: parser_yacc.y:660
 msgid "owner prefix not allow on mount rules"
-msgstr "prefisso di proprietà non consentito nelle regole di montaggio"
+msgstr "prefisso proprietario non consentito nelle regole di montaggio"
 #: parser_yacc.y:677
 msgid "owner prefix not allow on dbus rules"
-msgstr "prefisso di proprietà non consentito nelle regole dbus"
+msgstr "prefisso proprietario non consentito nelle regole dbus"
 #: parser_yacc.y:704
 msgid "owner prefix not allow on capability rules"
-msgstr "prefisso di proprietà non consentito nelle regole di funzionalità"
+msgstr "prefisso proprietario non consentito nelle regole di funzionalità"
 #: parser_yacc.y:1357 parser_yacc.y:1613
 #, c-format
 msgid "invalid mount conditional %s%s"
-msgstr ""
+msgstr "montaggio condizionale non valido %s%s"
 #: parser_yacc.y:1374 parser_yacc.y:1628
 msgid "bad mount rule"
@@ -700,94 +712,102 @@ msgstr "regola di montaggio errata"
 #: parser_yacc.y:1381 parser_yacc.y:1635
 msgid "mount point conditions not currently supported"
-msgstr ""
+msgstr "condizioni punti di montaggio attualmente non supportati"
 #: parser_yacc.y:1398 parser_yacc.y:1650
 #, c-format
 msgid "invalid pivotroot conditional '%s'"
-msgstr "pivotroot condizionale non valido '%s'"
+msgstr "condizionale pivotroot \"%s\" non valido"
 #: ../parser_regex.c:241 ../parser_regex.c:236
 #, c-format
 msgid ""
 "%s: Regex grouping error: Invalid close ], no matching open [ detected\n"
 msgstr ""
 "%s: errore raggruppamento espressione regolare: parentesi ] di chiusura non "
 "valida, corrispondente apertura [ non trovata\n"
 #: ../parser_regex.c:257 ../parser_regex.c:256
 #, c-format
 msgid "%s: Regex grouping error: Exceeded maximum nesting of {}\n"
 msgstr ""
 "%s: errore raggruppamento espressione regolare: superata nidificazione "
 "massima di {}\n"
 #: ../parser_policy.c:366 ../parser_policy.c:339
 #, c-format
 msgid "ERROR processing policydb rules for profile %s, failed to load\n"
 msgstr ""
 "ERRORE elaborazione regole policydb per il profilo %s, caricamento non "
 "riuscito\n"
 #: ../parser_policy.c:396 ../parser_policy.c:369
 #, c-format
 msgid "ERROR replacing aliases for profile %s, failed to load\n"
 msgstr ""
 "ERRORE sostituzione alias per il profilo %s, caricamento non riuscito\n"
 #: ../parser_interface.c:635 ../parser_interface.c:638
 #, c-format
 msgid "%s: Unable to write %s\n"
-msgstr ""
+msgstr "%s: impossibile scrivere %s\n"
 #: ../parser_main.c:721
 #, c-format
 msgid "Error: Could not read binary profile or cache file %s: %s.\n"
 msgstr ""
 "Errore: impossibile leggere il profilo binario o il file cache %s: %s.\n"
 #: ../parser_main.c:811
 #, c-format
 msgid "Error: Could not read cache file '%s', skipping...\n"
-msgstr ""
+msgstr "Errore: impossibile leggere il file di cache \"%s\", saltato...\n"
 #: ../parser_misc.c:575
 #, c-format
 msgid "Internal: unexpected %s mode character '%c' in input"
-msgstr ""
+msgstr "Interno: carattere %s di modalità inatteso nell'input \"%c\""
 #: ../parser_misc.c:599
 #, c-format
 msgid "Internal error generated invalid %s perm 0x%x\n"
-msgstr ""
+msgstr "Un errrore interno ha generato un permesso %s non valido 0x%x\n"
 #: parser_yacc.y:703
 msgid "owner prefix not allowed on mount rules"
-msgstr ""
+msgstr "prefisso proprietario non consentito nelle regole di montaggio"
 #: parser_yacc.y:720
 msgid "owner prefix not allowed on dbus rules"
-msgstr ""
+msgstr "prefisso proprietario non consentito nele regole dbus"
 #: parser_yacc.y:736
 msgid "owner prefix not allowed on signal rules"
-msgstr ""
+msgstr "prefisso proprietario non consentito nelle regole di segnale"
 #: parser_yacc.y:752
 msgid "owner prefix not allowed on ptrace rules"
-msgstr ""
+msgstr "prefisso proprietario non consentito nelle regole ptrace"
 #: parser_yacc.y:768
 msgid "owner prefix not allowed on unix rules"
-msgstr ""
+msgstr "prefisso proprietario non consentito nelle regole unix"
 #: parser_yacc.y:794
 msgid "owner prefix not allowed on capability rules"
-msgstr ""
+msgstr "prefisso proprietario non consentito nelle regole di capacità"
 #: parser_yacc.y:1293
 #, c-format
 msgid "dbus rule: invalid conditional group %s=()"
-msgstr ""
+msgstr "regola dbus: gruppo condizionale %s=() non valido"
 #: parser_yacc.y:1371
 #, c-format
 msgid "unix rule: invalid conditional group %s=()"
-msgstr ""
+msgstr "regola unix: gruppo condizionale %s=() non valido"
 #: ../parser_regex.c:368
 #, c-format
 msgid "%s: Regex error: trailing '\\' escape character\n"
-msgstr ""
+msgstr "%s: errore regex: carattere di escape \"\\\" terminante\n"
--- a/parser/rc.apparmor.suse
+++ b/parser/rc.apparmor.suse
@@ -94,12 +94,13 @@ aa_log_skipped_msg() {
 	echo -e	"$rc_skipped"
 }
 _set_status() {
 	return $1
 }
 aa_log_end_msg() {
-	v="-v"
+	_set_status $1
-	if [ "$1" != '0' ]; then
+	rc_status -v
 		rc="-v$1"
 	fi
 	rc_status $v
 }
 usage() {
--- a/parser/tst/Makefile
+++ b/parser/tst/Makefile
@@ -9,6 +9,8 @@ PROVE_ARG=-f
 ifeq ($(VERBOSE),1)
  PROVE_ARG+=-v
  PYTEST_ARG = -v
 else
  VERBOSE=
 endif
 all: tests
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@@ -22,37 +22,51 @@
 set -o pipefail
-APPARMOR_PARSER="${APPARMOR_PARSER:-../apparmor_parser}"
+_SCRIPTDIR=$(dirname "${BASH_SOURCE[0]}" )
 APPARMOR_PARSER="${APPARMOR_PARSER:-${_SCRIPTDIR}/../apparmor_parser}"
 fails=0
 errors=0
 verbose="${VERBOSE:-}"
 hash_binary_policy()
 {
-	printf %s "$1" | ${APPARMOR_PARSER} -qS 2>/dev/null| md5sum | cut -d ' ' -f 1
+	printf %s "$1" | ${APPARMOR_PARSER} --features-file ${_SCRIPTDIR}/features_files/features.all -qS 2>/dev/null| md5sum | cut -d ' ' -f 1
 	return $?
 }
-# verify_binary_equality - compares the binary policy of multiple profiles
+# verify_binary - compares the binary policy of multiple profiles
-# $1: A short description of the test
+# $1: Test type (equality or inequality)
-# $2: The known-good profile
+# $2: A short description of the test
-# $3..$n: The profiles to compare against $2
+# $3: The known-good profile
 # $4..$n: The profiles to compare against $3
 #
 # Upon failure/error, prints out the test description and profiles that failed
 # and increments $fails or $errors for each failure and error, respectively
-verify_binary_equality()
+verify_binary()
 {
-	local desc=$1
+	local t=$1
-	local good_profile=$2
+	local desc=$2
 	local good_profile=$3
 	local good_hash
 	local ret=0
 	shift
 	shift
 	shift
-	printf "Binary equality %s" "$desc"
+	if [ "$t" != "equality" ] && [ "$t" != "inequality" ]
 	then
 		printf "\nERROR: Unknown test mode:\n%s\n\n" "$t" 1>&2
 		((errors++))
 		return $((ret + 1))
 	fi
 	if [ -n "$verbose" ] ; then printf "Binary %s %s" "$t" "$desc" ; fi
 	good_hash=$(hash_binary_policy "$good_profile")
 	if [ $? -ne 0 ]
 	then
 		if [ -z "$verbose" ] ; then printf "Binary %s %s" "$t" "$desc" ; fi
 		printf "\nERROR: Error hashing the following \"known-good\" profile:\n%s\n\n" \
 		       "$good_profile" 1>&2
 		((errors++))
@@ -64,28 +78,54 @@ verify_binary_equality()
 		hash=$(hash_binary_policy "$profile")
 		if [ $? -ne 0 ]
 		then
 			if [ -z "$verbose" ] ; then printf "Binary %s %s" "$t" "$desc" ; fi
 			printf "\nERROR: Error hashing the following profile:\n%s\n\n" \
 			       "$profile" 1>&2
 			((errors++))
 			((ret++))
-		elif [ "$hash" != "$good_hash" ]
+		elif [ "$t" == "equality" ] && [ "$hash" != "$good_hash" ]
 		then
 			if [ -z "$verbose" ] ; then printf "Binary %s %s" "$t" "$desc" ; fi
 			printf "\nFAIL: Hash values do not match\n" 2>&1
 			printf "known-good (%s) != profile-under-test (%s) for the following profile:\n%s\n\n" \
 				"$good_hash" "$hash" "$profile" 1>&2
 			((fails++))
 			((ret++))
 		elif [ "$t" == "inequality" ] && [ "$hash" == "$good_hash" ]
 		then
 			if [ -z "$verbose" ] ; then printf "Binary %s %s" "$t" "$desc" ; fi
 			printf "\nFAIL: Hash values match\n" 2>&1
 			printf "known-good (%s) == profile-under-test (%s) for the following profile:\n%s\n\n" \
 				"$good_hash" "$hash" "$profile" 1>&2
 			((fails++))
 			((ret++))
 		fi
 	done
 	if [ $ret -eq 0 ]
 	then
-		printf " ok\n"
+		if [ -z "$verbose" ] ; then
-	fi
+			printf "."
 		else
 			printf " ok\n"
 		fi
 	fi
 	return $ret
 }
 verify_binary_equality()
 {
 	verify_binary "equality" "$@"
 }
 verify_binary_inequality()
 {
 	verify_binary "inequality" "$@"
 }
 printf "Equality Tests:\n"
 verify_binary_equality "dbus send" \
 	"/t { dbus send, }" \
 	"/t { dbus write, }" \
@@ -225,11 +265,205 @@ verify_binary_equality "dbus minimization found in dbus abstractions" \
                   peer=(name=org.freedesktop.DBus),
 	      dbus send bus=session, }"
 # Rules compatible with audit, deny, and audit deny
 # note: change_profile does not support audit/allow/deny atm
 for rule in "capability" "capability mac_admin" \
 	"network" "network tcp" "network inet6 tcp"\
 	"mount" "mount /a" "mount /a -> /b" "mount options in (ro) /a -> b" \
 	"remount" "remount /a" \
 	"umount" "umount /a" \
 	"pivot_root" "pivot_root /a" "pivot_root oldroot=/" \
 	 "pivot_root oldroot=/ /a" "pivot_root oldroot=/ /a -> foo" \
 	"ptrace" "ptrace trace" "ptrace (readby,tracedby) peer=unconfined" \
 	"signal" "signal (send,receive)" "signal peer=unconfined" \
 	 "signal receive set=(kill)" \
 	"dbus" "dbus send" "dbus bus=system" "dbus bind name=foo" \
 	 "dbus peer=(label=foo)" "dbus eavesdrop" \
 	"unix" "unix (create, listen, accept)" "unix addr=@*" "unix addr=none" \
 	 "unix peer=(label=foo)" \
 	"/f r" "/f w" "/f rwmlk" "/** r" "/**/ w" \
 	"file /f r" "file /f w" "file /f rwmlk" \
 	"link /a -> /b" "link subset /a -> /b" \
 	"l /a -> /b" "l subset /a -> /b" \
 	"file l /a -> /b" "l subset /a -> /b"
 do
 	verify_binary_equality "allow modifier for \"${rule}\"" \
 		"/t { ${rule}, }" \
 		"/t { allow ${rule}, }"
 	verify_binary_equality "audit allow modifier for \"${rule}\"" \
 		"/t { audit ${rule}, }" \
 		"/t { audit allow ${rule}, }"
 	verify_binary_inequality "audit, deny, and audit deny modifiers for \"${rule}\"" \
 		"/t { ${rule}, }" \
 		"/t { audit ${rule}, }" \
 		"/t { audit allow ${rule}, }" \
 		"/t { deny ${rule}, }" \
 		"/t { audit deny ${rule}, }"
 	verify_binary_inequality "audit vs deny and audit deny modifiers for \"${rule}\"" \
 		"/t { audit ${rule}, }" \
 		"/t { deny ${rule}, }" \
 		"/t { audit deny ${rule}, }"
 	verify_binary_inequality "deny and audit deny modifiers for \"${rule}\"" \
 		"/t { deny ${rule}, }" \
 		"/t { audit deny ${rule}, }"
 done
 # Rules that need special treatment for the deny modifier
 for rule in "/f ux" "/f Ux" "/f px" "/f Px" "/f cx" "/f Cx" "/f ix" \
            "/f pux" "/f Pux" "/f pix" "/f Pix" \
            "/f cux" "/f Cux" "/f cix" "/f Cix" \
            "/* ux" "/* Ux" "/* px" "/* Px" "/* cx" "/* Cx" "/* ix" \
            "/* pux" "/* Pux" "/* pix" "/* Pix" \
            "/* cux" "/* Cux" "/* cix" "/* Cix" \
 	    "/f px -> b " "/f Px -> b" "/f cx -> b" "/f Cx -> b" \
            "/f pux -> b" "/f Pux -> b" "/f pix -> b" "/f Pix -> b" \
            "/f cux -> b" "/f Cux -> b" "/f cix -> b" "/f Cix -> b" \
            "/* px -> b" "/* Px -> b" "/* cx -> b" "/* Cx -> b" \
            "/* pux -> b" "/* Pux -> b" "/* pix -> b" "/* Pix -> b" \
            "/* cux -> b" "/* Cux -> b" "/* cix -> b" "/* Cix -> b" \
 	    "file /f ux" "file /f Ux" "file /f px" "file /f Px" \
            "file /f cx" "file /f Cx" "file /f ix" \
            "file /f pux" "file /f Pux" "file /f pix" "file /f Pix" \
            "/f cux" "/f Cux" "/f cix" "/f Cix" \
            "file /* ux" "file /* Ux" "file /* px" "file /* Px" \
            "file /* cx" "file /* Cx" "file /* ix" \
            "file /* pux" "file /* Pux" "file /* pix" "file /* Pix" \
            "file /* cux" "file /* Cux" "file /* cix" "file /* Cix" \
 	    "file /f px -> b " "file /f Px -> b" "file /f cx -> b" "file /f Cx -> b" \
            "file /f pux -> b" "file /f Pux -> b" "file /f pix -> b" "file /f Pix -> b" \
            "file /f cux -> b" "file /f Cux -> b" "file /f cix -> b" "file /f Cix -> b" \
            "file /* px -> b" "file /* Px -> b" "file /* cx -> b" "file /* Cx -> b" \
            "file /* pux -> b" "file /* Pux -> b" "file /* pix -> b" "file /* Pix -> b" \
            "file /* cux -> b" "file /* Cux -> b" "file /* cix -> b" "file /* Cix -> b"
 do
 	verify_binary_equality "allow modifier for \"${rule}\"" \
 		"/t { ${rule}, }" \
 		"/t { allow ${rule}, }"
 	verify_binary_equality "audit allow modifier for \"${rule}\"" \
 		"/t { audit ${rule}, }" \
 		"/t { audit allow ${rule}, }"
 	# skip rules that don't end with x perm
 	if [ -n "${rule##*x}" ] ; then continue ; fi
 	verify_binary_inequality "deny, audit deny modifier for \"${rule}\"" \
 		"/t { ${rule}, }" \
 		"/t { audit ${rule}, }" \
 		"/t { audit allow ${rule}, }" \
 		"/t { deny ${rule% *} x, }" \
 		"/t { audit deny ${rule% *} x, }"
 	verify_binary_inequality "audit vs deny and audit deny modifiers for \"${rule}\"" \
 		"/t { audit ${rule}, }" \
 		"/t { deny ${rule% *} x, }" \
 		"/t { audit deny ${rule% *} x, }"
 done
 # verify deny and audit deny differ for x perms
 for prefix in "/f" "/*" "file /f" "file /*" ; do
 	verify_binary_inequality "deny and audit deny x modifiers for \"${prefix}\"" \
 		"/t { deny ${prefix} x, }" \
 		"/t { audit deny ${prefix} x, }"
 done
 #Test equality of leading and trailing file permissions
 for audit in "" "audit" ; do
 	for allow in "" "allow" "deny" ; do
 		for owner in "" "owner" ; do
 			for f in "" "file" ; do
 				prefix="$audit $allow $owner $f"
 				for perm in "r" "w" "a" "l" "k" "m" "rw" "ra" \
 					    "rl" "rk" "rm" "wl" "wk" "wm" \
 					    "rwl" "rwk" "rwm" "ral" "rak" \
 					    "ram" "rlk" "rlm" "rkm" "wlk" \
 					    "wlm" "wkm" "alk" "alm" "akm" \
 					    "lkm" "rwlk" "rwlm" "rwkm" \
 					    "ralk" "ralm" "wlkm" "alkm" \
 					    "rwlkm" "ralkm" ; do
 					verify_binary_equality "leading and trailing perms for \"${perm}\"" \
 						"/t { ${prefix} /f ${perm}, }" \
 						"/t { ${prefix} ${perm} /f, }"
 				done
 				if [ "$allow" == "deny" ] ; then continue ; fi
 				for perm in "ux" "Ux" "px" "Px" "cx" "Cx" \
 					    "ix" "pux" "Pux" "pix" "Pix" \
 					    "cux" "Cux" "cix" "Cix"
 				do
 					verify_binary_equality "leading and trailing perms for \"${perm}\"" \
 						"/t { ${prefix} /f ${perm}, }" \
 						"/t { ${prefix} ${perm} /f, }"
 				done
 				for perm in "px" "Px" "cx" "Cx" \
 					    "pux" "Pux" "pix" "Pix" \
 					    "cux" "Cux" "cix" "Cix"
 				do
 					verify_binary_equality "leading and trailing perms for x-transition \"${perm}\"" \
 						"/t { ${prefix} /f ${perm} -> b, }" \
 						"/t { ${prefix} ${perm} /f -> b, }"
 				done
 			done
 		done
 	done
 done
 #Test rule overlap for x most specific match
 for perm1 in "ux" "Ux" "px" "Px" "cx" "Cx" "ix" "pux" "Pux" \
 	     "pix" "Pix" "cux" "Cux" "cix" "Cix" "px -> b" \
 	     "Px -> b" "cx -> b" "Cx -> b" "pux -> b" "Pux ->b" \
 	     "pix -> b" "Pix -> b" "cux -> b" "Cux -> b" \
 	     "cix -> b" "Cix -> b"
 do
 	for perm2 in "ux" "Ux" "px" "Px" "cx" "Cx" "ix" "pux" "Pux" \
 		     "pix" "Pix" "cux" "Cux" "cix" "Cix" "px -> b" \
 	             "Px -> b" "cx -> b" "Cx -> b" "pux -> b" "Pux ->b" \
 	             "pix -> b" "Pix -> b" "cux -> b" "Cux -> b" \
 	             "cix -> b" "Cix -> b"
 	do
 		if [ "$perm1" == "$perm2" ] ; then
 			verify_binary_equality "Exec perm \"${perm1}\" - most specific match: same as glob" \
 				"/t { /* ${perm1}, /f ${perm2}, }" \
 				"/t { /* ${perm1}, }"
 		else
 			verify_binary_inequality "Exec \"${perm1}\" vs \"${perm2}\" - most specific match: different from glob" \
 				"/t { /* ${perm1}, /f ${perm2}, }" \
 				"/t { /* ${perm1}, }"
 		fi
 	done
 	verify_binary_inequality "Exec \"${perm1}\" vs deny x - most specific match: different from glob" \
 		"/t { /* ${perm1}, audit deny /f x, }" \
 		"/t { /* ${perm1}, }"
 done
 #Test deny carves out permission
 verify_binary_inequality "Deny removes r perm" \
 		       "/t { /foo/[abc] r, audit deny /foo/b r, }" \
 		       "/t { /foo/[abc] r, }"
 verify_binary_equality "Deny removes r perm" \
 		       "/t { /foo/[abc] r, audit deny /foo/b r, }" \
 		       "/t { /foo/[ac] r, }"
 #this one may not be true in the future depending on if the compiled profile
 #is explicitly including deny permissions for dynamic composition
 verify_binary_equality "Deny of ungranted perm" \
 		       "/t { /foo/[abc] r, audit deny /foo/b w, }" \
 		       "/t { /foo/[abc] r, }"
 if [ $fails -ne 0 -o $errors -ne 0 ]
 then
 	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
 	exit $(($fails + $errors))
 fi
 [ -z "${verbose}" ] && printf "\n"
 printf "PASS\n"
 exit 0
--- a/parser/tst/simple_tests/conditional/stress_1.sd
+++ b/parser/tst/simple_tests/conditional/stress_1.sd
@@ -1,4 +1,4 @@
-#=DESCRIPTON simple stress test nested ifs
+#=DESCRIPTION simple stress test nested ifs
 #=EXRESULT PASS
 $a1 = true
 $a2 = true
--- a/parser/tst/simple_tests/file/ok_audit_deny_link.sd
+++ b/parser/tst/simple_tests/file/ok_audit_deny_link.sd
@@ -0,0 +1,9 @@
 #
 #=DESCRIPTION simple link access test
 #=EXRESULT PASS
 #
 profile test {
  audit deny link /alpha/beta -> /tmp/**,
 }
--- a/parser/tst/simple_tests/file/ok_deny_link.sd
+++ b/parser/tst/simple_tests/file/ok_deny_link.sd
@@ -0,0 +1,9 @@
 #
 #=DESCRIPTION simple link access test
 #=EXRESULT PASS
 #
 profile test {
  deny link /alpha/beta -> /tmp/**,
 }
--- a/parser/tst/simple_tests/mount/bad_opt_1.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_1.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the invalid "XXX" mount option
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(XXX) /a -> /1,
 }
--- a/parser/tst/simple_tests/mount/bad_opt_10.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_10.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "private" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(private) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_11.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_11.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "slave" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(slave) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_12.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_12.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "shared" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(shared) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_13.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_13.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "runbindable" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(runbindable) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_14.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_14.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "rprivate" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(rprivate) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_15.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_15.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "rslave" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(rslave) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_16.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_16.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "rshared" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(rshared) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_17.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_17.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "make-unbindable" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(make-unbindable) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_18.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_18.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "make-private" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(make-private) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_19.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_19.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "make-slave" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(make-slave) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_2.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_2.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the invalid "suidXXX" mount option
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(suidXXX) /a -> /1,
 }
--- a/parser/tst/simple_tests/mount/bad_opt_20.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_20.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "make-shared" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(make-shared) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_21.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_21.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "make-runbindable" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(make-runbindable) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_22.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_22.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "make-rprivate" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(make-rprivate) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_23.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_23.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "make-rslave" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(make-rslave) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_24.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_24.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "make-rshared" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(make-rshared) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_3.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_3.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the invalid "load" mount option
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(load) /a -> /1,
 }
--- a/parser/tst/simple_tests/mount/bad_opt_4.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_4.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the invalid "rec" mount option
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(rec) /a -> /1,
 }
--- a/parser/tst/simple_tests/mount/bad_opt_5.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_5.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the invalid "relative" mount option
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(relative) /a -> /1,
 }
--- a/parser/tst/simple_tests/mount/bad_opt_6.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_6.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the invalid "norelative" mount option
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(norelative) /a -> /1,
 }
--- a/parser/tst/simple_tests/mount/bad_opt_7.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_7.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the invalid "nodirsync" mount option
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(nodirsync) /a -> /1,
 }
--- a/parser/tst/simple_tests/mount/bad_opt_8.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_8.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "remount" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(remount) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/bad_opt_9.sd
+++ b/parser/tst/simple_tests/mount/bad_opt_9.sd
@@ -0,0 +1,6 @@
 #
 #=Description basic rule to test the valid "unbindable" mount opt and an invalid src
 #=EXRESULT FAIL
 /usr/bin/foo {
  mount options=(unbindable) /a -> /1,
  }
--- a/parser/tst/simple_tests/mount/ok_opt_1.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_1.sd
@@ -0,0 +1,8 @@
 #
 #=Description basic rules to test the "ro" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=ro /a -> /1,
  mount options=(ro) /b -> /2,
  mount options in (ro) /d -> /4,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_10.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_10.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "noexec" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=noexec /a -> /1,
  mount options=(noexec) /b -> /2,
  mount options=(rw,noexec) /c -> /3,
  mount options in (noexec) /d -> /4,
  mount options in (ro,noexec) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_11.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_11.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "exec" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=exec /a -> /1,
  mount options=(exec) /b -> /2,
  mount options=(rw,exec) /c -> /3,
  mount options in (exec) /d -> /4,
  mount options in (ro,exec) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_12.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_12.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "sync" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=sync /a -> /1,
  mount options=(sync) /b -> /2,
  mount options=(rw,sync) /c -> /3,
  mount options in (sync) /d -> /4,
  mount options in (ro,sync) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_13.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_13.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "async" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=async /a -> /1,
  mount options=(async) /b -> /2,
  mount options=(rw,async) /c -> /3,
  mount options in (async) /d -> /4,
  mount options in (ro,async) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_14.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_14.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "mand" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=mand /a -> /1,
  mount options=(mand) /b -> /2,
  mount options=(rw,mand) /c -> /3,
  mount options in (mand) /d -> /4,
  mount options in (ro,mand) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_15.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_15.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "nomand" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=nomand /a -> /1,
  mount options=(nomand) /b -> /2,
  mount options=(rw,nomand) /c -> /3,
  mount options in (nomand) /d -> /4,
  mount options in (ro,nomand) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_16.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_16.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "dirsync" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=dirsync /a -> /1,
  mount options=(dirsync) /b -> /2,
  mount options=(rw,dirsync) /c -> /3,
  mount options in (dirsync) /d -> /4,
  mount options in (ro,dirsync) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_17.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_17.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "noatime" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=noatime /a -> /1,
  mount options=(noatime) /b -> /2,
  mount options=(rw,noatime) /c -> /3,
  mount options in (noatime) /d -> /4,
  mount options in (ro,noatime) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_18.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_18.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "atime" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=atime /a -> /1,
  mount options=(atime) /b -> /2,
  mount options=(rw,atime) /c -> /3,
  mount options in (atime) /d -> /4,
  mount options in (ro,atime) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_19.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_19.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "nodiratime" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=nodiratime /a -> /1,
  mount options=(nodiratime) /b -> /2,
  mount options=(rw,nodiratime) /c -> /3,
  mount options in (nodiratime) /d -> /4,
  mount options in (ro,nodiratime) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_2.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_2.sd
@@ -0,0 +1,8 @@
 #
 #=Description basic rules to test the "r" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=r /a -> /1,
  mount options=(r) /b -> /2,
  mount options in (r) /d -> /4,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_20.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_20.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "diratime" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=diratime /a -> /1,
  mount options=(diratime) /b -> /2,
  mount options=(rw,diratime) /c -> /3,
  mount options in (diratime) /d -> /4,
  mount options in (ro,diratime) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_21.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_21.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "bind" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=bind /a -> /1,
  mount options=(bind) /b -> /2,
  mount options=(rw,bind) /c -> /3,
  mount options in (bind) /d -> /4,
  mount options in (ro,bind) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_22.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_22.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "B" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=B /a -> /1,
  mount options=(B) /b -> /2,
  mount options=(rw,B) /c -> /3,
  mount options in (B) /d -> /4,
  mount options in (ro,B) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_23.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_23.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "rbind" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=rbind /a -> /1,
  mount options=(rbind) /b -> /2,
  mount options=(rw,rbind) /c -> /3,
  mount options in (rbind) /d -> /4,
  mount options in (ro,rbind) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_24.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_24.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "R" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=R /a -> /1,
  mount options=(R) /b -> /2,
  mount options=(rw,R) /c -> /3,
  mount options in (R) /d -> /4,
  mount options in (ro,R) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_25.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_25.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "move" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=move /a -> /1,
  mount options=(move) /b -> /2,
  mount options=(rw,move) /c -> /3,
  mount options in (move) /d -> /4,
  mount options in (ro,move) /e -> /5,
 }
--- a/parser/tst/simple_tests/mount/ok_opt_26.sd
+++ b/parser/tst/simple_tests/mount/ok_opt_26.sd
@@ -0,0 +1,10 @@
 #
 #=Description basic rules to test the "M" mount option
 #=EXRESULT PASS
 /usr/bin/foo {
  mount options=M /a -> /1,
  mount options=(M) /b -> /2,
  mount options=(rw,M) /c -> /3,
  mount options in (M) /d -> /4,
  mount options in (ro,M) /e -> /5,
 }
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1 @@`
							`Dec 7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.397:82): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
		`@@ -0,0 +1 @@`
							`type=AVC msg=audit(1449442292.901:961): apparmor="ALLOWED" operation="change_hat" profile="/usr/sbin/httpd{,2}-prefork" pid=8527 comm="httpd-prefork" target="/usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT"`
		`@@ -0,0 +1 @@`
							`Jul 25 15:02:00 redacted kernel: [ 296.524447] audit: type=1400 audit(1437850920.403:64): apparmor="ALLOWED" operation="open" profile="/usr/sbin/vsftpd" name="/home/bane/foo" pid=1811 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000`