The deny modifier has been fixed in the 2.11 parser. However, the audit modifier is not properly supported by the backend permission format and will result in equality.sh failing.
With the above patch to equality.sh, the failures all involve audit, which is being silently dropped in permission encoding:

Binary inequality audit, deny, and audit deny modifiers for "change_profile -> unconfined"
FAIL: Hash values match known-good (e01d6f3ba173df734864ab965521e195) == profile-under-test (e01d6f3ba173df734864ab965521e195) for the following profile:
/t { audit change_profile -> unconfined, }

Binary inequality audit, deny, and audit deny modifiers for "change_profile -> unconfined"
FAIL: Hash values match known-good (e01d6f3ba173df734864ab965521e195) == profile-under-test (e01d6f3ba173df734864ab965521e195) for the following profile:
/t { audit allow change_profile -> unconfined, }

.Binary inequality deny and audit deny modifiers for "change_profile -> unconfined"
FAIL: Hash values match known-good (0f104a93d8f001f0f780702c8ff255b7) == profile-under-test (0f104a93d8f001f0f780702c8ff255b7) for the following profile:
/t { audit deny change_profile -> unconfined, }

..Binary inequality audit, deny, and audit deny modifiers for "change_profile -> /**"
FAIL: Hash values match known-good (df13fc0410c7ea6bce4c4ef14cfd504d) == profile-under-test (df13fc0410c7ea6bce4c4ef14cfd504d) for the following profile:
/t { audit change_profile -> /**, }

Binary inequality audit, deny, and audit deny modifiers for "change_profile -> /**"
FAIL: Hash values match known-good (df13fc0410c7ea6bce4c4ef14cfd504d) == profile-under-test (df13fc0410c7ea6bce4c4ef14cfd504d) for the following profile:
/t { audit allow change_profile -> /**, }

.Binary inequality deny and audit deny modifiers for "change_profile -> /**"
FAIL: Hash values match known-good (0f104a93d8f001f0f780702c8ff255b7) == profile-under-test (0f104a93d8f001f0f780702c8ff255b7) for the following profile:
/t { audit deny change_profile -> /**, }
https://bugs.launchpad.net/bugs/1446794
Title: parser error with 'deny change_profile'