diff --git a/.bzrignore b/.bzrignore
index 94a209b86..05b4d442a 100644
--- a/.bzrignore
+++ b/.bzrignore
@@ -167,3 +167,4 @@ tests/regression/apparmor/unlink
 tests/regression/apparmor/xattrs
 tests/regression/apparmor/coredump
 **/__pycache__/
+*.orig
diff --git a/changehat/pam_apparmor/Makefile b/changehat/pam_apparmor/Makefile
index 497724b0d..092131e46 100644
--- a/changehat/pam_apparmor/Makefile
+++ b/changehat/pam_apparmor/Makefile
@@ -53,7 +53,7 @@ libapparmor by adding USE_SYSTEM=1 to your make command.${nl}\
   AA_LINK_FLAGS = -L$(LIBAPPARMOR_PATH)
   AA_LDLIBS = -lapparmor
 endif
-EXTRA_CFLAGS=$(CFLAGS) -fPIC -shared -Wall $(LIBAPPARMOR_INCLUDE)
+EXTRA_CFLAGS=$(CFLAGS) $(CPPFLAGS) -fPIC -shared -Wall $(LIBAPPARMOR_INCLUDE)
 LINK_FLAGS=-Xlinker -x $(AA_LINK_FLAGS)
 LIBS=-lpam $(AA_LDLIBS)
 OBJECTS=${NAME}.o get_options.o
diff --git a/libraries/libapparmor/doc/Makefile.am b/libraries/libapparmor/doc/Makefile.am
index 39d741d66..90cc1494c 100644
--- a/libraries/libapparmor/doc/Makefile.am
+++ b/libraries/libapparmor/doc/Makefile.am
@@ -5,9 +5,9 @@ PODCHECKER = podchecker
 
 if ENABLE_MAN_PAGES
 
-man_MANS = aa_change_hat.2 aa_change_profile.2 aa_getcon.2 aa_find_mountpoint.2
+man_MANS = aa_change_hat.2 aa_change_profile.2 aa_getcon.2 aa_find_mountpoint.2 aa_splitcon.3 aa_query_label.2 aa_features.3 aa_kernel_interface.3 aa_policy_cache.3
 
-PODS = $(subst .2,.pod,$(man_MANS))
+PODS = $(subst .2,.pod,$(man_MANS)) $(subst .3,.pod,$(man_MANS))
 
 EXTRA_DIST = $(man_MANS) $(PODS)
 
@@ -23,4 +23,13 @@ CLEANFILES = $(man_MANS)
 		--stderr \
 		$< > $@
 
+%.3: %.pod
+	$(PODCHECKER) -warnings -warnings $<
+	$(POD2MAN) \
+		--section=3 \
+		--release="AppArmor $(VERSION)" \
+		--center="AppArmor" \
+		--stderr \
+		$< > $@
+
 endif
diff --git a/libraries/libapparmor/doc/aa_features.pod b/libraries/libapparmor/doc/aa_features.pod
new file mode 100644
index 000000000..ffbe113ac
--- /dev/null
+++ b/libraries/libapparmor/doc/aa_features.pod
@@ -0,0 +1,148 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd.
+# essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa_features - an opaque object representing a set of AppArmor kernel features
+
+aa_features_new - create a new aa_features object based on a path
+
+aa_features_new_from_string - create a new aa_features object based on a string
+
+aa_features_new_from_kernel - create a new aa_features object based on the current kernel
+
+aa_features_ref - increments the ref count of an aa_features object
+
+aa_features_unref - decrements the ref count and frees the aa_features object when 0
+
+aa_features_write_to_file - write a string representation of an aa_features object to a file
+
+aa_features_is_equal - equality test for two aa_features objects
+
+aa_features_supports - provides aa_features object support status
+
+=head1 SYNOPSIS
+
+B<#include E<lt>sys/apparmor.hE<gt>>
+
+B<typedef struct aa_features aa_features;>
+
+B<int aa_features_new(aa_features **features, int dirfd, const char *path);>
+
+B<int aa_features_new_from_string(aa_features **features, const char *string, size_t size);>
+
+B<int aa_features_new_from_kernel(aa_features **features);>
+
+B<aa_features *aa_features_ref(aa_features *features);>
+
+B<void aa_features_unref(aa_features *features);>
+
+B<int aa_features_write_to_file(aa_features *features, int dirfd, const char *path);>
+
+B<bool aa_features_is_equal(aa_features *features1, aa_features *features2);>
+
+B<bool aa_features_supports(aa_features *features, const char *str);>
+
+Link with B<-lapparmor> when compiling.
+
+=head1 DESCRIPTION
+
+The I<aa_features> object contains information about the AppArmor features
+supported by a kernel. The feature support information is based upon the files
+AppArmor represents in securityfs, which is typically found at
+/sys/kernel/security/apparmor/features/. That information may be parsed and
+turned into a string or flat file in order to represent a set of features of a
+kernel that is not currently running.
+
+The aa_features_new() function creates an I<aa_features> object based upon a
+directory file descriptor and path. The I<path> can point to a file or
+directory. See the openat(2) man page for examples of I<dirfd> and I<path>. The
+allocated I<features> object must be freed using aa_features_unref().
+
+The aa_features_new_from_string() function is similar except that it accepts a
+NUL-terminated string representation of the AppArmor features as the I<string>
+argument. The length of the features string, not counting the NUL-terminator,
+must be specified as the I<size> argument. The allocated I<features> object
+must be freed using aa_features_unref().
+
+The aa_features_new_from_kernel() function creates an I<aa_features> object
+from the current running kernel. The allocated I<features> object must be freed
+using aa_features_unref().
+
+aa_features_ref() increments the reference count on the I<features> object.
+
+aa_features_unref() decrements the reference count on the I<features> object
+and releases all corresponding resources when the reference count reaches zero.
+
+The aa_features_write_to_file() function writes a string representation of the
+I<features> object to the file specified by the I<dirfd> and I<path>
+combination.
+
+aa_features_is_equal() can be used to detect if the I<features1> and
+I<features2> objects are equal. The definition of equality is private to
+libapparmor and may be changed in ways that do not break backward
+compatibility.
+
+The aa_features_supports() function can be used to query the I<features> object
+to determine if a feature is supported. The I<str> argument should be equal to
+the path, relative to the "apparmor/features/" directory of securityfs, of the
+feature to query. For example, to test if policy version 6 is supported, I<str>
+would be "policy/versions/v6".
+
+=head1 RETURN VALUE
+
+The aa_features_new() family of functions return 0 on success and I<*features>
+will point to an I<aa_features> object that must be freed by
+aa_features_unref(). -1 is returned on error, with errno set appropriately, and
+I<*features> will be set to NULL.
+
+aa_features_ref() returns the value of I<features>.
+
+aa_features_write_to_file() returns 0 on success. -1 is returned on error, with
+errno set appropriately.
+
+aa_features_is_equal() returns true if I<features1> and I<features2> are equal
+and false if they are not equal.
+
+aa_features_supports() returns true if the feature represented by I<str> is
+supported and false if it is not supported.
+
+=head1 ERRORS
+
+The errno value will be set according to the underlying error in the
+I<aa_features> family of functions that return -1 on error.
+
+=head1 NOTES
+
+All aa_features functions described above are present in libapparmor version
+2.10 and newer.
+
+=head1 BUGS
+
+None known. If you find any, please report them at
+L<https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+openat(2) and L<http://wiki.apparmor.net>.
+
+=cut
diff --git a/libraries/libapparmor/doc/aa_getcon.pod b/libraries/libapparmor/doc/aa_getcon.pod
index d944fecee..32ef61fc8 100644
--- a/libraries/libapparmor/doc/aa_getcon.pod
+++ b/libraries/libapparmor/doc/aa_getcon.pod
@@ -131,7 +131,7 @@ L<https://bugs.launchpad.net/apparmor/+filebug>.
 
 =head1 SEE ALSO
 
-apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2) and
-L<http://wiki.apparmor.net>.
+apparmor(7), apparmor.d(5), apparmor_parser(8), aa_change_profile(2),
+aa_splitcon(3) and L<http://wiki.apparmor.net>.
 
 =cut
diff --git a/libraries/libapparmor/doc/aa_kernel_interface.pod b/libraries/libapparmor/doc/aa_kernel_interface.pod
new file mode 100644
index 000000000..08084c12b
--- /dev/null
+++ b/libraries/libapparmor/doc/aa_kernel_interface.pod
@@ -0,0 +1,162 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd.
+# essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa_kernel_interface - an opaque object representing the AppArmor kernel interface for policy loading, replacing, and removing
+
+aa_kernel_interface_new - create a new aa_kernel_interface object from an optional path
+
+aa_kernel_interface_ref - increments the ref count of an aa_kernel_interface object
+
+aa_kernel_interface_unref - decrements the ref count and frees the aa_kernel_interface object when 0
+
+aa_kernel_interface_load_policy - load a policy from a buffer into the kernel
+
+aa_kernel_interface_load_policy_from_file - load a policy from a file into the kernel
+
+aa_kernel_interface_load_policy_from_fd - load a policy from a file descriptor into the kernel
+
+aa_kernel_interface_replace_policy - replace a policy in the kernel with a policy from a buffer
+
+aa_kernel_interface_replace_policy_from_file - replace a policy in the kernel with a policy from a file
+
+aa_kernel_interface_replace_policy_from_fd - replace a policy in the kernel with a policy from a file descriptor
+
+aa_kernel_interface_remove_policy - remove a policy from the kernel
+
+aa_kernel_interface_write_policy - write a policy to a file descriptor
+
+=head1 SYNOPSIS
+
+B<#include E<lt>sys/apparmor.hE<gt>>
+
+B<typedef struct aa_kernel_interface aa_kernel_interface;>
+
+B<int aa_kernel_interface_new(aa_kernel_interface **kernel_interface, aa_features *kernel_features, const char *apparmorfs);>
+
+B<aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interface);>
+
+B<void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface);>
+
+B<int aa_kernel_interface_load_policy(aa_kernel_interface *kernel_interface, const char *buffer, size_t size);>
+
+B<int aa_kernel_interface_load_policy_from_file(aa_kernel_interface *kernel_interface, int dirfd, const char *path);>
+
+B<int aa_kernel_interface_load_policy_from_fd(aa_kernel_interface *kernel_interface, int fd);>
+
+B<int aa_kernel_interface_replace_policy(aa_kernel_interface *kernel_interface, const char *buffer, size_t size);>
+
+B<int aa_kernel_interface_replace_policy_from_file(aa_kernel_interface *kernel_interface, int dirfd, const char *path);>
+
+B<int aa_kernel_interface_replace_policy_from_fd(aa_kernel_interface *kernel_interface, int fd);>
+
+B<int aa_kernel_interface_remove_policy(aa_kernel_interface *kernel_interface, const char *fqname);>
+
+B<int aa_kernel_interface_write_policy(int fd, const char *buffer, size_t size);>
+
+Link with B<-lapparmor> when compiling.
+
+=head1 DESCRIPTION
+
+The I<aa_kernel_interface> object contains information about the AppArmor
+kernel interface for policy loading, replacing, and removing.
+
+The aa_kernel_interface_new() function creates an I<aa_kernel_interface> object
+based on an optional I<aa_features> object and an optional path to the apparmor
+directory of securityfs, which is typically found at
+"/sys/kernel/security/apparmor/". If I<kernel_features> is NULL, then the
+features of the current kernel are used. When specifying a valid
+I<kernel_features> object, it must be compatible with the features of the
+currently running kernel. If I<apparmorfs> is NULL, then the default location
+is used. The allocated I<kernel_interface> object must be freed using
+aa_kernel_interface_unref().
+
+aa_kernel_interface_ref() increments the reference count on the
+I<kernel_interface> object.
+
+aa_kernel_interface_unref() decrements the reference count on the
+I<kernel_interface> object and releases all corresponding resources when the
+reference count reaches zero.
+
+The aa_kernel_interface_load() family of functions load a policy into the
+kernel. The operation will fail if a policy of the same name is already loaded.
+Use the aa_kernel_interface_replace() family of functions if you wish to
+replace a previously loaded policy with a new policy of the same name. The
+aa_kernel_interface_replace() functions can also be used to load a policy that
+does not correspond to a previously loaded policy.
+
+When loading or replacing from a buffer, the I<buffer> will contain binary
+data. The I<size> argument must specify the size of the I<buffer> argument.
+
+When loading or replacing from a file, the I<dirfd> and I<path> combination are
+used to specify the location of the file. See the openat(2) man page for
+examples of I<dirfd> and I<path>.
+
+It is also possible to load or replace from a file descriptor specified by the
+I<fd> argument. The file must be open for reading and the file offset must be
+set appropriately.
+
+The aa_kernel_interface_remove_policy() function can be used to unload a
+previously loaded policy. The fully qualified policy name must be specified
+with the I<fqname> argument. The operation will fail if a policy matching
+I<fqname> is not found.
+
+The aa_kernel_interface_write_policy() function allows for a policy, which is
+stored in I<buffer> and consists of I<size> bytes, to be written to a file
+descriptor. The I<fd> must be open for writing and the file offset must be set
+appropriately.
+
+=head1 RETURN VALUE
+
+The aa_kernel_interface_new() function returns 0 on success and
+I<*kernel_interface> will point to an I<aa_kernel_interface> object that must
+be freed by aa_kernel_interface_unref(). -1 is returned on error, with errno
+set appropriately, and I<*kernel_interface> will be set to NULL.
+
+aa_kernel_features_ref() returns the value of I<kernel_features>.
+
+The aa_kernel_interface_load() family of functions, the
+aa_kernel_interface_replace() family of functions,
+aa_kernel_interface_remove(), and aa_kernel_interface_write_policy()
+return 0 on success. -1 is returned on error, with errno set appropriately.
+
+=head1 ERRORS
+
+The errno value will be set according to the underlying error in the
+I<aa_kernel_interface> family of functions that return -1 on error.
+
+=head1 NOTES
+
+All aa_kernel_interface functions described above are present in libapparmor
+version 2.10 and newer.
+
+=head1 BUGS
+
+None known. If you find any, please report them at
+L<https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+aa_features(3), openat(2) and L<http://wiki.apparmor.net>.
+
+=cut
diff --git a/libraries/libapparmor/doc/aa_policy_cache.pod b/libraries/libapparmor/doc/aa_policy_cache.pod
new file mode 100644
index 000000000..672d616b1
--- /dev/null
+++ b/libraries/libapparmor/doc/aa_policy_cache.pod
@@ -0,0 +1,125 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd.
+# essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa_policy_cache - an opaque object representing an AppArmor policy cache
+
+aa_policy_cache_new - create a new aa_policy_cache object from a path
+
+aa_policy_cache_ref - increments the ref count of an aa_policy_cache object
+
+aa_policy_cache_unref - decrements the ref count and frees the aa_policy_cache object when 0
+
+aa_policy_cache_remove - removes all policy cache files under a path
+
+aa_policy_cache_replace_all - performs a kernel policy replacement of all cached policies
+
+=head1 SYNOPSIS
+
+B<#include E<lt>sys/apparmor.hE<gt>>
+
+B<typedef struct aa_policy_cache aa_policy_cache;>
+
+B<int aa_policy_cache_new(aa_policy_cache **policy_cache, aa_features *kernel_features, int dirfd, const char *path, uint16_t max_caches);>
+
+B<aa_policy_cache *aa_policy_cache_ref(aa_policy_cache *policy_cache);>
+
+B<void aa_policy_cache_unref(aa_policy_cache *policy_cache);>
+
+B<int aa_policy_cache_remove(int dirfd, const char *path);>
+
+B<int aa_policy_cache_replace_all(aa_policy_cache *policy_cache, aa_kernel_interface *kernel_interface);>
+
+Link with B<-lapparmor> when compiling.
+
+=head1 DESCRIPTION
+
+The I<aa_policy_cache> object contains information about a set of AppArmor
+policy cache files. The policy cache files are the binary representation of a
+human-readable AppArmor profile. The binary representation is the form that is
+loaded into the kernel.
+
+The aa_policy_cache_new() function creates an I<aa_policy_cache> object based
+upon a directory file descriptor and path. The I<path> must point to a
+directory. See the openat(2) man page for examples of I<dirfd> and I<path>. If
+I<kernel_features> is NULL, then the features of the current kernel are used.
+When specifying a valid I<kernel_features> object, it must be the compatible
+with the features of the kernel of interest. The value of I<max_caches> should
+be equal to the number of caches that should be allowed before old caches are
+automatically reaped. The definition of what is considered to be an old cache
+is private to libapparmor. Specifying 0 means that no new caches should be
+created and only existing, valid caches may be used. Specifying UINT16_MAX
+means that a new cache may be created and that the reaping of old caches is
+disabled. The allocated I<aa_policy_cache> object must be freed using
+aa_policy_cache_unref().
+
+aa_policy_cache_ref() increments the reference count on the I<policy_cache>
+object.
+
+aa_policy_cache_unref() decrements the reference count on the I<policy_cache>
+object and releases all corresponding resources when the reference count
+reaches zero.
+
+The aa_policy_cache_remove() function deletes all of the policy cache files
+based upon a directory file descriptor and path. The I<path> must point to a 
+directory. See the openat(2) man page for examples of I<dirfd> and I<path>.
+
+The aa_policy_cache_replace_all() function can be used to perform a policy
+replacement of all of the cache policies in the cache directory represented by
+the I<policy_cache> object. If I<kernel_interface> is NULL, then the current
+kernel interface is used. When specifying a valid I<kernel_interface> object,
+it must be the interface of the currently running kernel.
+
+=head1 RETURN VALUE
+
+The aa_policy_cache_new() function returns 0 on success and I<*policy_cache>
+will point to an I<aa_policy_cache> object that must be freed by
+aa_policy_cache_unref(). -1 is returned on error, with errno set appropriately,
+and I<*policy_cache> will be set to NULL.
+
+aa_policy_cache_ref() returns the value of I<policy_cache>.
+
+aa_policy_cache_remove() and aa_policy_cache_replace_all() return 0 on success.
+-1 is returned on error, with errno set appropriately.
+
+=head1 ERRORS
+
+The errno value will be set according to the underlying error in the
+I<aa_policy_cache> family of functions that return -1 on error.
+
+=head1 NOTES
+
+All aa_policy_cache functions described above are present in libapparmor
+version 2.10 and newer.
+
+=head1 BUGS
+
+None known. If you find any, please report them at
+L<https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+aa_features(3), aa_kernel_interface(3), openat(2) and
+L<http://wiki.apparmor.net>.
+
+=cut
diff --git a/libraries/libapparmor/doc/aa_query_label.pod b/libraries/libapparmor/doc/aa_query_label.pod
new file mode 100644
index 000000000..3e943a7ad
--- /dev/null
+++ b/libraries/libapparmor/doc/aa_query_label.pod
@@ -0,0 +1,137 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd.
+# essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa_query_label - query access permission associated with a label
+
+=head1 SYNOPSIS
+
+B<#include E<lt>sys/apparmor.hE<gt>>
+
+B<int aa_query_label((uint32_t mask, char *query, size_t size,
+		int *allowed, int *audited);>
+
+B<int aa_query_file_path((uint32_t mask, const char *label, size_t label_len,
+		const char *path, int *allowed, int *audited);>
+
+B<int aa_query_file_path_len((uint32_t mask, const char *label,
+		size_t label_len, const char *path, size_t path_len,
+		int *allowed, int *audited);>
+
+B<int aa_query_link_path_len(const char *label, size_t label_len,
+			     const char *target, size_t target_len,
+			     const char *link, size_t link_len,
+			     int *allowed, int *audited);>
+
+B<int aa_query_link_path(const char *label, const char *target,
+			 const char *link, int *allowed, int *audited);>
+
+
+Link with B<-lapparmor> when compiling.
+
+=head1 DESCRIPTION
+
+The aa_query_label function fetches the current permissions granted by the
+specified I<label> in the I<query> string.
+
+The query is a raw binary formatted query, containing the label and
+permission query to make. The returned I<allowed> and I<audited> values are
+interpreted boolean values, simple stating whether the query is allowed and
+if it is audited.
+
+The mask of the query string is a bit mask of permissions to query and is
+class type dependent (see AA_CLASS_xxx) entries in I<sys/apparmor.h>.
+
+The format of the query string is also dependent on the B<AA_CLASS> and as
+such the the aa_query_xxx helper functions should usually be used instead
+of directly using I<aa_query_label>. If directly using the interface the
+I<query> string is required to have a header of B<AA_QUERY_CMD_LABEL_SIZE>
+that will be used by I<aa_query_label>.
+
+The B<aa_query_file_path> and B<aa_query_file_path_len> functions are helper
+function that assemble a properly formatted file path query for the
+B<aa_query_label> function. The I<label> is a valid apparmor label as
+returned by I<aa_splitcon> with I<label_len> being the length of the I<label>.
+The I<path> is any valid filesystem path to query permissions for. For the
+B<aa_query_file_path_len> variant the I<path_len> parameter specifies the
+number of bytes in the I<path> to use as part of the query.
+
+The B<aa_query_link_path> and B<aa_query_link_path_len> functions are helper
+functions that assemble a properly formatted link path query for the
+B<aa_query_label> function. The I<link_len> and I<target_len> parameters
+specify the number of bytes in the I<link> and I<target> to use as part of
+the query.
+
+=head1 RETURN VALUE
+
+On success 0 is returned, and the I<allowed> and I<audited> parameters
+contain a boolean value of 0 not allowed/audited or 1 allowed/audited. On
+error, -1 is returned, and errno(3) is set appropriately.
+
+=head1 ERRORS
+
+=over 4
+
+=item B<EINVAL>
+
+The requested I<mask> is empty.
+
+The I<size> of the query is E<lt> the query B<AA_QUER?Y_CMD_LABEL_SIZE>
+
+The apparmor kernel module is not loaded or the he kernel interface access
+interface is not available
+
+=item B<ENOMEM>
+
+Insufficient memory was available.
+
+=item B<EACCES>
+
+Access to the specified I<label> or query interface was denied.
+
+=item B<ENOENT>
+
+The specified I<label> does not exist or is not visible.
+
+=item B<ERANGE>
+
+The confinement data is too large to fit in the supplied buffer.
+
+=back
+
+=head1 NOTES
+
+The label permissions returned are only valid for the time of the
+query and can change at any point in the future.
+
+=head1 BUGS
+
+None known. If you find any, please report them at
+L<https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+apparmor(7), apparmor.d(5), apparmor_parser(8), aa_getcon(2), aa_splitcon(3)
+and L<http://wiki.apparmor.net>.
+
+=cut
diff --git a/libraries/libapparmor/doc/aa_splitcon.pod b/libraries/libapparmor/doc/aa_splitcon.pod
new file mode 100644
index 000000000..21bdb902d
--- /dev/null
+++ b/libraries/libapparmor/doc/aa_splitcon.pod
@@ -0,0 +1,72 @@
+# This publication is intellectual property of Canonical Ltd. Its contents
+# can be duplicated, either in part or in whole, provided that a copyright
+# label is visibly located on each copy.
+#
+# All information found in this book has been compiled with utmost
+# attention to detail. However, this does not guarantee complete accuracy.
+# Neither Canonical Ltd, the authors, nor the translators shall be held
+# liable for possible errors or the consequences thereof.
+#
+# Many of the software and hardware descriptions cited in this book
+# are registered trademarks. All trade names are subject to copyright
+# restrictions and may be registered trade marks. Canonical Ltd.
+# essentially adhere to the manufacturer's spelling.
+#
+# Names of products and trademarks appearing in this book (with or without
+# specific notation) are likewise subject to trademark and trade protection
+# laws and may thus fall under copyright restrictions.
+#
+
+
+=pod
+
+=head1 NAME
+
+aa_splitcon - split the confinement context into a label and mode
+
+=head1 SYNOPSIS
+
+B<#include E<lt>sys/apparmor.hE<gt>>
+
+B<char *aa_splitcon(char *con, char **mode);>
+
+Link with B<-lapparmor> when compiling.
+
+=head1 DESCRIPTION
+
+The aa_splitcon() function splits a confinement context into separate label
+and mode strings. The @con string is modified so that the label portion is NUL
+terminated. The enforcement mode is also NUL terminated and the parenthesis
+surrounding the mode are removed. If @mode is non-NULL, it will point to the
+first character in the enforcement mode string on success.
+
+The Linux kernel's /proc/E<lt>PIDE<gt>/attr/current interface appends a
+trailing newline character to AppArmor contexts that are read from that file.
+If @con contains a single trailing newline character, it will be stripped by
+aa_splitcon() prior to all other processing.
+
+=head1 RETURN VALUE
+
+Returns a pointer to the first character in the label string. NULL is returned
+on error.
+
+=head1 EXAMPLE
+
+ Context                        Label               Mode 
+ -----------------------------  ------------------  -------
+ unconfined                     unconfined          NULL
+ unconfined\n                   unconfined          NULL
+ /bin/ping (enforce)            /bin/ping           enforce
+ /bin/ping (enforce)\n          /bin/ping           enforce
+ /usr/sbin/rsyslogd (complain)  /usr/sbin/rsyslogd  complain
+
+=head1 BUGS
+
+None known. If you find any, please report them at
+L<https://bugs.launchpad.net/apparmor/+filebug>.
+
+=head1 SEE ALSO
+
+aa_getcon(2) and L<http://wiki.apparmor.net>.
+
+=cut
diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
index 99ce36b96..13a6a8cf0 100644
--- a/libraries/libapparmor/include/sys/apparmor.h
+++ b/libraries/libapparmor/include/sys/apparmor.h
@@ -27,10 +27,31 @@ __BEGIN_DECLS
 /*
  * Class of public mediation types in the AppArmor policy db
  */
-
+#define AA_CLASS_FILE		2
 #define AA_CLASS_DBUS		32
 
 
+/* Permission flags for the AA_CLASS_FILE mediation class */
+#define AA_MAY_EXEC			(1 << 0)
+#define AA_MAY_WRITE			(1 << 1)
+#define AA_MAY_READ			(1 << 2)
+#define AA_MAY_APPEND			(1 << 3)
+#define AA_MAY_CREATE			(1 << 4)
+#define AA_MAY_DELETE			(1 << 5)
+#define AA_MAY_OPEN			(1 << 6)
+#define AA_MAY_RENAME			(1 << 7)
+#define AA_MAY_SETATTR			(1 << 8)
+#define AA_MAY_GETATTR			(1 << 9)
+#define AA_MAY_SETCRED			(1 << 10)
+#define AA_MAY_GETCRED			(1 << 11)
+#define AA_MAY_CHMOD			(1 << 12)
+#define AA_MAY_CHOWN			(1 << 13)
+#define AA_MAY_LOCK			0x8000
+#define AA_EXEC_MMAP			0x10000
+#define AA_MAY_LINK			0x40000
+#define AA_MAY_ONEXEC			0x20000000
+#define AA_MAY_CHANGE_PROFILE		0x40000000
+
 /* Permission flags for the AA_CLASS_DBUS mediation class */
 #define AA_DBUS_SEND			(1 << 1)
 #define AA_DBUS_RECEIVE		 	(1 << 2)
@@ -58,6 +79,7 @@ extern int aa_change_onexec(const char *profile);
 extern int aa_change_hatv(const char *subprofiles[], unsigned long token);
 extern int (aa_change_hat_vargs)(unsigned long token, int count, ...);
 
+extern char *aa_splitcon(char *con, char **mode);
 /* Protypes for introspecting task confinement
  * Please see the aa_getcon(2) manpage for information
  */
@@ -79,6 +101,17 @@ extern int aa_getpeercon(int fd, char **label, char **mode);
 
 extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
 			  int *audit);
+extern int aa_query_file_path_len(uint32_t mask, const char *label,
+				  size_t label_len, const char *path,
+				  size_t path_len, int *allowed, int *audited);
+extern int aa_query_file_path(uint32_t mask, const char *label,
+			      const char *path, int *allowed, int *audited);
+extern int aa_query_link_path_len(const char *label, size_t label_len,
+				  const char *target, size_t target_len,
+				  const char *link, size_t link_len,
+				  int *allowed, int *audited);
+extern int aa_query_link_path(const char *label, const char *target,
+			      const char *link, int *allowed, int *audited);
 
 #define __macroarg_counter(Y...) __macroarg_count1 ( , ##Y)
 #define __macroarg_count1(Y...) __macroarg_count2 (Y, 16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0)
@@ -105,52 +138,56 @@ extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
 	(aa_change_hat_vargs)(T, __macroarg_counter(X), X)
 
 typedef struct aa_features aa_features;
-int aa_features_new(aa_features **features, const char *path);
-int aa_features_new_from_string(aa_features **features,
-				const char *string, size_t size);
-int aa_features_new_from_kernel(aa_features **features);
-aa_features *aa_features_ref(aa_features *features);
-void aa_features_unref(aa_features *features);
+extern int aa_features_new(aa_features **features, int dirfd, const char *path);
+extern int aa_features_new_from_string(aa_features **features,
+				       const char *string, size_t size);
+extern int aa_features_new_from_kernel(aa_features **features);
+extern aa_features *aa_features_ref(aa_features *features);
+extern void aa_features_unref(aa_features *features);
 
-int aa_features_write_to_file(aa_features *features, const char *path);
-bool aa_features_is_equal(aa_features *features1, aa_features *features2);
-bool aa_features_supports(aa_features *features, const char *str);
+extern int aa_features_write_to_file(aa_features *features,
+				     int dirfd, const char *path);
+extern bool aa_features_is_equal(aa_features *features1,
+				 aa_features *features2);
+extern bool aa_features_supports(aa_features *features, const char *str);
 
 typedef struct aa_kernel_interface aa_kernel_interface;
-int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
+extern int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
 			    aa_features *kernel_features,
 			    const char *apparmorfs);
-aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interface);
-void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface);
+extern aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interface);
+extern void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface);
 
-int aa_kernel_interface_load_policy(aa_kernel_interface *kernel_interface,
-				    const char *buffer, size_t size);
-int aa_kernel_interface_load_policy_from_file(aa_kernel_interface *kernel_interface,
-					      const char *path);
-int aa_kernel_interface_load_policy_from_fd(aa_kernel_interface *kernel_interface,
-					    int fd);
-int aa_kernel_interface_replace_policy(aa_kernel_interface *kernel_interface,
-				       const char *buffer, size_t size);
-int aa_kernel_interface_replace_policy_from_file(aa_kernel_interface *kernel_interface,
-						 const char *path);
-int aa_kernel_interface_replace_policy_from_fd(aa_kernel_interface *kernel_interface,
-					       int fd);
-int aa_kernel_interface_remove_policy(aa_kernel_interface *kernel_interface,
-				      const char *fqname);
-int aa_kernel_interface_write_policy(int fd, const char *buffer, size_t size);
+extern int aa_kernel_interface_load_policy(aa_kernel_interface *kernel_interface,
+					   const char *buffer, size_t size);
+extern int aa_kernel_interface_load_policy_from_file(aa_kernel_interface *kernel_interface,
+						     int dirfd,
+						     const char *path);
+extern int aa_kernel_interface_load_policy_from_fd(aa_kernel_interface *kernel_interface,
+						   int fd);
+extern int aa_kernel_interface_replace_policy(aa_kernel_interface *kernel_interface,
+					      const char *buffer, size_t size);
+extern int aa_kernel_interface_replace_policy_from_file(aa_kernel_interface *kernel_interface,
+							int dirfd,
+							const char *path);
+extern int aa_kernel_interface_replace_policy_from_fd(aa_kernel_interface *kernel_interface,
+						      int fd);
+extern int aa_kernel_interface_remove_policy(aa_kernel_interface *kernel_interface,
+					     const char *fqname);
+extern int aa_kernel_interface_write_policy(int fd, const char *buffer,
+					    size_t size);
 
 typedef struct aa_policy_cache aa_policy_cache;
-int aa_policy_cache_new(aa_policy_cache **policy_cache,
-			aa_features *kernel_features, const char *path,
-			bool create);
-aa_policy_cache *aa_policy_cache_ref(aa_policy_cache *policy_cache);
-void aa_policy_cache_unref(aa_policy_cache *policy_cache);
+extern int aa_policy_cache_new(aa_policy_cache **policy_cache,
+			       aa_features *kernel_features,
+			       int dirfd, const char *path,
+			       uint16_t max_caches);
+extern aa_policy_cache *aa_policy_cache_ref(aa_policy_cache *policy_cache);
+extern void aa_policy_cache_unref(aa_policy_cache *policy_cache);
 
-bool aa_policy_cache_is_valid(aa_policy_cache *policy_cache);
-int aa_policy_cache_create(aa_policy_cache *policy_cache);
-int aa_policy_cache_remove(const char *path);
-int aa_policy_cache_replace_all(aa_policy_cache *policy_cache,
-				aa_kernel_interface *kernel_interface);
+extern int aa_policy_cache_remove(int dirfd, const char *path);
+extern int aa_policy_cache_replace_all(aa_policy_cache *policy_cache,
+				       aa_kernel_interface *kernel_interface);
 
 __END_DECLS
 
diff --git a/libraries/libapparmor/include/sys/apparmor_private.h b/libraries/libapparmor/include/sys/apparmor_private.h
index 14055dfd7..6472de9f3 100644
--- a/libraries/libapparmor/include/sys/apparmor_private.h
+++ b/libraries/libapparmor/include/sys/apparmor_private.h
@@ -17,13 +17,12 @@
 #ifndef _SYS_APPARMOR_PRIVATE_H
 #define _SYS_APPARMOR_PRIVATE_H	1
 
-#include <dirent.h>
 #include <stdio.h>
 #include <sys/stat.h>
 
 __BEGIN_DECLS
 
-int _aa_is_blacklisted(const char *name, const char *path);
+int _aa_is_blacklisted(const char *name);
 
 void _aa_autofree(void *p);
 void _aa_autoclose(int *fd);
@@ -31,8 +30,8 @@ void _aa_autofclose(FILE **f);
 
 int _aa_asprintf(char **strp, const char *fmt, ...);
 
-int _aa_dirat_for_each(DIR *dir, const char *name, void *data,
-		       int (* cb)(DIR *, const char *, struct stat *, void *));
+int _aa_dirat_for_each(int dirfd, const char *name, void *data,
+		       int (* cb)(int, const char *, struct stat *, void *));
 
 __END_DECLS
 
diff --git a/libraries/libapparmor/src/Makefile.am b/libraries/libapparmor/src/Makefile.am
index 505d1f70b..deca53ed6 100644
--- a/libraries/libapparmor/src/Makefile.am
+++ b/libraries/libapparmor/src/Makefile.am
@@ -67,7 +67,11 @@ tst_aalogmisc_LDADD = .libs/libapparmor.a
 tst_features_SOURCES = tst_features.c
 tst_features_LDADD = .libs/libapparmor.a
 
-check_PROGRAMS = tst_aalogmisc tst_features
+tst_kernel_SOURCES = tst_kernel.c
+tst_kernel_LDADD = .libs/libapparmor.a
+tst_kernel_LDFLAGS = -pthread
+
+check_PROGRAMS = tst_aalogmisc tst_features tst_kernel
 TESTS = $(check_PROGRAMS)
 
 EXTRA_DIST = grammar.y scanner.l libapparmor.map libapparmor.pc
diff --git a/libraries/libapparmor/src/features.c b/libraries/libapparmor/src/features.c
index 88ded730e..4cec6cb03 100644
--- a/libraries/libapparmor/src/features.c
+++ b/libraries/libapparmor/src/features.c
@@ -80,7 +80,70 @@ static int features_snprintf(struct features_struct *fst, const char *fmt, ...)
 	return 0;
 }
 
-static int features_dir_cb(DIR *dir, const char *name, struct stat *st,
+/* load_features_file - opens and reads a file into @buffer and then NUL-terminates @buffer
+ * @dirfd: a directory file descriptory or AT_FDCWD (see openat(2))
+ * @path: name of the file
+ * @buffer: the buffer to read the features file into (will be NUL-terminated on success)
+ * @size: the size of @buffer
+ *
+ * Returns: The number of bytes copied into @buffer on success (not counting
+ * the NUL-terminator), else -1 and errno is set. Note that @size must be
+ * larger than the size of the file or -1 will be returned with errno set to
+ * ENOBUFS indicating that @buffer was not large enough to contain all of the
+ * file contents.
+ */
+static int load_features_file(int dirfd, const char *path,
+			      char *buffer, size_t size)
+{
+	autoclose int file = -1;
+	char *pos = buffer;
+	ssize_t len;
+
+	file = openat(dirfd, path, O_RDONLY);
+	if (file < 0) {
+		PDEBUG("Could not open '%s'\n", path);
+		return -1;
+	}
+	PDEBUG("Opened features \"%s\"\n", path);
+
+	if (!size) {
+		errno = ENOBUFS;
+		return -1;
+	}
+
+	/* Save room for a NUL-terminator at the end of @buffer */
+	size--;
+
+	do {
+		len = read(file, pos, size);
+		if (len > 0) {
+			size -= len;
+			pos += len;
+		}
+	} while (len > 0 && size);
+
+	/**
+	 * Possible error conditions:
+	 *  - len == -1: read failed and errno is already set so return -1
+	 *  - len  >  0: read() never returned 0 (EOF) meaning that @buffer was
+	 *  		 too small to contain all of the file contents so set
+	 *  		 errno to ENOBUFS and return -1
+	 */
+	if (len) {
+		if (len > 0)
+			errno = ENOBUFS;
+
+		PDEBUG("Error reading features file '%s': %m\n", path);
+		return -1;
+	}
+
+	/* NUL-terminate @buffer */
+	*pos = 0;
+
+	return pos - buffer;
+}
+
+static int features_dir_cb(int dirfd, const char *name, struct stat *st,
 			   void *data)
 {
 	struct features_struct *fst = (struct features_struct *) data;
@@ -93,36 +156,16 @@ static int features_dir_cb(DIR *dir, const char *name, struct stat *st,
 		return -1;
 
 	if (S_ISREG(st->st_mode)) {
-		autoclose int file = -1;
 		int len;
 		int remaining = fst->size - (fst->pos - fst->buffer);
 
-		file = openat(dirfd(dir), name, O_RDONLY);
-		if (file == -1) {
-			PDEBUG("Could not open '%s'", name);
+		len = load_features_file(dirfd, name, fst->pos, remaining);
+		if (len < 0)
 			return -1;
-		}
-		PDEBUG("Opened features \"%s\"\n", name);
-		if (st->st_size > remaining) {
-			PDEBUG("Feature buffer full.");
-			errno = ENOBUFS;
-			return -1;
-		}
 
-		do {
-			len = read(file, fst->pos, remaining);
-			if (len > 0) {
-				remaining -= len;
-				fst->pos += len;
-				*fst->pos = 0;
-			}
-		} while (len > 0);
-		if (len < 0) {
-			PDEBUG("Error reading feature file '%s'\n", name);
-			return -1;
-		}
+		fst->pos += len;
 	} else if (S_ISDIR(st->st_mode)) {
-		if (_aa_dirat_for_each(dir, name, fst, features_dir_cb))
+		if (_aa_dirat_for_each(dirfd, name, fst, features_dir_cb))
 			return -1;
 	}
 
@@ -132,40 +175,19 @@ static int features_dir_cb(DIR *dir, const char *name, struct stat *st,
 	return 0;
 }
 
-static int handle_features_dir(const char *filename, char *buffer, int size,
-			       char *pos)
+static int load_features_dir(int dirfd, const char *path,
+			     char *buffer, int size)
 {
-	struct features_struct fst = { buffer, size, pos };
+	struct features_struct fst = { buffer, size, buffer };
 
-	if (_aa_dirat_for_each(NULL, filename, &fst, features_dir_cb)) {
-		PDEBUG("Failed evaluating %s\n", filename);
+	if (_aa_dirat_for_each(dirfd, path, &fst, features_dir_cb)) {
+		PDEBUG("Failed evaluating %s\n", path);
 		return -1;
 	}
 
 	return 0;
 }
 
-static int load_features_file(const char *name, char *buffer, size_t size)
-{
-	autofclose FILE *f = NULL;
-	size_t end;
-
-	f = fopen(name, "r");
-	if (!f)
-		return -1;
-
-	errno = 0;
-	end = fread(buffer, 1, size - 1, f);
-	if (ferror(f)) {
-		if (!errno)
-			errno = EIO;
-		return -1;
-	}
-	buffer[end] = 0;
-
-	return 0;
-}
-
 static bool islbrace(int c)
 {
 	return c == '{';
@@ -334,15 +356,16 @@ static bool walk_one(const char **str, const struct component *component,
 }
 
 /**
- * aa_features_new - create a new features based on a path
+ * aa_features_new - create a new aa_features object based on a path
  * @features: will point to the address of an allocated and initialized
  *            aa_features object upon success
+ * @dirfd: directory file descriptor or AT_FDCWD (see openat(2))
  * @path: path to a features file or directory
  *
  * Returns: 0 on success, -1 on error with errno set and *@features pointing to
  *          NULL
  */
-int aa_features_new(aa_features **features, const char *path)
+int aa_features_new(aa_features **features, int dirfd, const char *path)
 {
 	struct stat stat_file;
 	aa_features *f;
@@ -350,7 +373,7 @@ int aa_features_new(aa_features **features, const char *path)
 
 	*features = NULL;
 
-	if (stat(path, &stat_file) == -1)
+	if (fstatat(dirfd, path, &stat_file, 0) == -1)
 		return -1;
 
 	f = calloc(1, sizeof(*f));
@@ -361,9 +384,9 @@ int aa_features_new(aa_features **features, const char *path)
 	aa_features_ref(f);
 
 	retval = S_ISDIR(stat_file.st_mode) ?
-		 handle_features_dir(path, f->string, STRING_SIZE, f->string) :
-		 load_features_file(path, f->string, STRING_SIZE);
-	if (retval) {
+		 load_features_dir(dirfd, path, f->string, STRING_SIZE) :
+		 load_features_file(dirfd, path, f->string, STRING_SIZE);
+	if (retval == -1) {
 		int save = errno;
 
 		aa_features_unref(f);
@@ -377,7 +400,7 @@ int aa_features_new(aa_features **features, const char *path)
 }
 
 /**
- * aa_features_new_from_string - create a new features based on a string
+ * aa_features_new_from_string - create a new aa_features object based on a string
  * @features: will point to the address of an allocated and initialized
  *            aa_features object upon success
  * @string: a NUL-terminated string representation of features
@@ -412,7 +435,7 @@ int aa_features_new_from_string(aa_features **features,
 }
 
 /**
- * aa_features_new_from_kernel - create a new features based on the current kernel
+ * aa_features_new_from_kernel - create a new aa_features object based on the current kernel
  * @features: will point to the address of an allocated and initialized
  *            aa_features object upon success
  *
@@ -421,11 +444,11 @@ int aa_features_new_from_string(aa_features **features,
  */
 int aa_features_new_from_kernel(aa_features **features)
 {
-	return aa_features_new(features, FEATURES_FILE);
+	return aa_features_new(features, -1, FEATURES_FILE);
 }
 
 /**
- * aa_features_ref - increments the ref count of a features
+ * aa_features_ref - increments the ref count of an aa_features object
  * @features: the features
  *
  * Returns: the features
@@ -437,7 +460,7 @@ aa_features *aa_features_ref(aa_features *features)
 }
 
 /**
- * aa_features_unref - decrements the ref count and frees the features when 0
+ * aa_features_unref - decrements the ref count and frees the aa_features object when 0
  * @features: the features (can be NULL)
  */
 void aa_features_unref(aa_features *features)
@@ -447,21 +470,24 @@ void aa_features_unref(aa_features *features)
 }
 
 /**
- * aa_features_write_to_file - write a string representation to a file
+ * aa_features_write_to_file - write a string representation of an aa_features object to a file
  * @features: the features
+ * @dirfd: directory file descriptor or AT_FDCWD (see openat(2))
  * @path: the path to write to
  *
  * Returns: 0 on success, -1 on error with errno set
  */
-int aa_features_write_to_file(aa_features *features, const char *path)
+int aa_features_write_to_file(aa_features *features,
+			      int dirfd, const char *path)
 {
 	autoclose int fd = -1;
 	size_t size;
 	ssize_t retval;
 	char *string;
 
-	fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC | O_CLOEXEC,
-		  S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+	fd = openat(dirfd, path,
+		    O_WRONLY | O_CREAT | O_TRUNC | O_SYNC | O_CLOEXEC,
+		    S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 	if (fd == -1)
 		return -1;
 
@@ -480,7 +506,7 @@ int aa_features_write_to_file(aa_features *features, const char *path)
 }
 
 /**
- * aa_features_is_equal - equality test for two features
+ * aa_features_is_equal - equality test for two aa_features objects
  * @features1: the first features (can be NULL)
  * @features2: the second features (can be NULL)
  *
@@ -493,7 +519,7 @@ bool aa_features_is_equal(aa_features *features1, aa_features *features2)
 }
 
 /**
- * aa_features_supports - provides features support status
+ * aa_features_supports - provides aa_features object support status
  * @features: the features
  * @str: the string representation of a feature to check
  *
diff --git a/libraries/libapparmor/src/grammar.y b/libraries/libapparmor/src/grammar.y
index 56d43285a..108e54dac 100644
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@@ -169,6 +169,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %%
 
 log_message: audit_type
+	| dmesg_type
 	| syslog_type
 	| audit_dispatch
 	;
@@ -199,6 +200,10 @@ other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
 	}
 	;
 
+dmesg_type: TOK_DMESG_STAMP TOK_AUDIT TOK_COLON key_type audit_id key_list
+	{ ret_record->version = AA_RECORD_SYNTAX_V2; }
+	;
+
 syslog_type:
 	  syslog_date TOK_ID TOK_SYSLOG_KERNEL audit_id key_list
 	  { ret_record->version = AA_RECORD_SYNTAX_V2; free($2); }
diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
index 9d5f45df1..a3f8efab9 100644
--- a/libraries/libapparmor/src/kernel.c
+++ b/libraries/libapparmor/src/kernel.c
@@ -32,6 +32,7 @@
 #include <pthread.h>
 
 #include <sys/apparmor.h>
+#include "private.h"
 
 /* some non-Linux systems do not define a static value */
 #ifndef PATH_MAX
@@ -43,6 +44,9 @@
 #define default_symbol_version(real, name, version) \
 		__asm__ (".symver " #real "," #name "@@" #version)
 
+#define UNCONFINED		"unconfined"
+#define UNCONFINED_SIZE		strlen(UNCONFINED)
+
 /**
  * aa_find_mountpoint - find where the apparmor interface filesystem is mounted
  * @mnt: returns buffer with the mountpoint string
@@ -152,30 +156,89 @@ static char *procattr_path(pid_t pid, const char *attr)
 }
 
 /**
- * parse_confinement_mode - get the mode from the confinement context
+ * parse_unconfined - check for the unconfined label
  * @con: the confinement context
- * @size: size of the confinement context
+ * @size: size of the confinement context (not including the NUL terminator)
  *
- * Modifies con to NUL-terminate the label string and the mode string.
- *
- * Returns: a pointer to the NUL-terminated mode inside the confinement context
- * or NULL if the mode was not found
+ * Returns: True if the con is the unconfined label or false otherwise
  */
-static char *parse_confinement_mode(char *con, int size)
+static bool parse_unconfined(char *con, int size)
 {
-	if (strcmp(con, "unconfined") != 0 &&
-	    size > 4 && con[size - 2] == ')') {
-		int pos = size - 3;
+	return size == UNCONFINED_SIZE &&
+	       strncmp(con, UNCONFINED, UNCONFINED_SIZE) == 0;
+}
+
+/**
+ * splitcon - split the confinement context into a label and mode
+ * @con: the confinement context
+ * @size: size of the confinement context (not including the NUL terminator)
+ * @strip_newline: true if a trailing newline character should be stripped
+ * @mode: if non-NULL and a mode is present, will point to mode string in @con
+ *  on success
+ *
+ * Modifies the @con string to split it into separate label and mode strings.
+ * If @strip_newline is true and @con contains a single trailing newline, it
+ * will be stripped on success (it will not be stripped on error). The @mode
+ * argument is optional. If @mode is NULL, @con will still be split between the
+ * label and mode (if present) but @mode will not be set.
+ *
+ * Returns: a pointer to the label string or NULL on error
+ */
+static char *splitcon(char *con, int size, bool strip_newline, char **mode)
+{
+	char *label = NULL;
+	char *mode_str = NULL;
+	char *newline = NULL;
+
+	if (size == 0)
+		goto out;
+
+	if (strip_newline && con[size - 1] == '\n') {
+		newline = &con[size - 1];
+		size--;
+	}
+
+	if (parse_unconfined(con, size)) {
+		label = con;
+		goto out;
+	}
+
+	if (size > 3 && con[size - 1] == ')') {
+		int pos = size - 2;
 
 		while (pos > 0 && !(con[pos] == ' ' && con[pos + 1] == '('))
 			pos--;
 		if (pos > 0) {
 			con[pos] = 0; /* overwrite ' ' */
-			con[size - 2] = 0; /* overwrite trailing ) */
-			return &con[pos + 2]; /* skip '(' */
+			con[size - 1] = 0; /* overwrite trailing ) */
+			mode_str = &con[pos + 2]; /* skip '(' */
+			label = con;
 		}
 	}
-	return NULL;
+out:
+	if (label && strip_newline && newline)
+		*newline = 0; /* overwrite '\n', if requested, on success */
+	if (mode)
+		*mode = mode_str;
+	return label;
+}
+
+/**
+ * aa_splitcon - split the confinement context into a label and mode
+ * @con: the confinement context
+ * @mode: if non-NULL and a mode is present, will point to mode string in @con
+ *  on success
+ *
+ * Modifies the @con string to split it into separate label and mode strings. A
+ * single trailing newline character will be stripped from @con, if found. The
+ * @mode argument is optional. If @mode is NULL, @con will still be split
+ * between the label and mode (if present) but @mode will not be set.
+ *
+ * Returns: a pointer to the label string or NULL on error
+ */
+char *aa_splitcon(char *con, char **mode)
+{
+	return splitcon(con, strlen(con), true, mode);
 }
 
 /**
@@ -194,7 +257,6 @@ int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
 	int rc = -1;
 	int fd, ret;
 	char *tmp = NULL;
-	char *mode_str;
 	int size = 0;
 
 	if (!buf || len <= 0) {
@@ -237,19 +299,20 @@ int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
 		goto out;
 	} else if (size > 0 && buf[size - 1] != 0) {
 		/* check for null termination */
-		if (buf[size - 1] == '\n') {
-			buf[size - 1] = 0;
-		} else if (len == 0) {
-			errno = ERANGE;
-			goto out2;
-		} else {
-			buf[size] = 0;
-			size++;
+		if (buf[size - 1] != '\n') {
+			if (len == 0) {
+				errno = ERANGE;
+				goto out2;
+			} else {
+				buf[size] = 0;
+				size++;
+			}
 		}
 
-		mode_str = parse_confinement_mode(buf, size);
-		if (mode)
-			*mode = mode_str;
+		if (splitcon(buf, size, true, mode) != buf) {
+			errno = EINVAL;
+			goto out2;
+		}
 	}
 	rc = size;
 
@@ -588,7 +651,6 @@ int aa_getcon(char **label, char **mode)
 int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode)
 {
 	socklen_t optlen = *len;
-	char *mode_str;
 	int rc;
 
 	if (optlen <= 0 || buf == NULL) {
@@ -614,9 +676,11 @@ int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode)
 		}
 	}
 
-	mode_str = parse_confinement_mode(buf, optlen);
-	if (mode)
-		*mode = mode_str;
+	if (splitcon(buf, optlen - 1, false, mode) != buf) {
+		rc = -1;
+		errno = EINVAL;
+		goto out;
+	}
 
 	rc = optlen;
 out:
@@ -786,3 +850,133 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed,
 extern typeof((query_label)) __aa_query_label __attribute__((alias ("query_label")));
 symbol_version(__aa_query_label, aa_query_label, APPARMOR_1.1);
 default_symbol_version(query_label, aa_query_label, APPARMOR_2.9);
+
+
+/**
+ * aa_query_file_path_len - query access permissions for a file @path
+ * @mask: permission bits to query
+ * @label: apparmor label
+ * @label_len: length of @label (does not include any terminating nul byte)
+ * @path: file path to query permissions for
+ * @path_len: length of @path (does not include any terminating nul byte)
+ * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
+ * @audited: upon successful return, will be 1 if query should be audited and 0
+ *           if not
+ *
+ * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
+ *          ENOENT, the subject label in the query string is unknown to the
+ *          kernel.
+ */
+int aa_query_file_path_len(uint32_t mask, const char *label, size_t label_len,
+			   const char *path, size_t path_len, int *allowed,
+			   int *audited)
+{
+	autofree char *query = NULL;
+
+	/* + 1 for null separator */
+	size_t size = AA_QUERY_CMD_LABEL_SIZE + label_len + 1 + path_len;
+	query = malloc(size + 1);
+	if (!query)
+		return -1;
+	memcpy(query + AA_QUERY_CMD_LABEL_SIZE, label, label_len);
+	/* null separator */
+	query[AA_QUERY_CMD_LABEL_SIZE + label_len] = 0;
+	query[AA_QUERY_CMD_LABEL_SIZE + label_len + 1] = AA_CLASS_FILE;
+	memcpy(query + AA_QUERY_CMD_LABEL_SIZE + label_len + 2, path, path_len);
+	return aa_query_label(mask, query, size , allowed, audited);
+}
+
+/**
+ * aa_query_file_path - query access permissions for a file @path
+ * @mask: permission bits to query
+ * @label: apparmor label
+ * @path: file path to query permissions for
+ * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
+ * @audited: upon successful return, will be 1 if query should be audited and 0
+ *           if not
+ *
+ * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
+ *          ENOENT, the subject label in the query string is unknown to the
+ *          kernel.
+ */
+int aa_query_file_path(uint32_t mask, const char *label, const char *path,
+		       int *allowed, int *audited)
+{
+	return aa_query_file_path_len(mask, label, strlen(label), path,
+				      strlen(path), allowed, audited);
+}
+
+/**
+ * aa_query_link_path_len - query access permissions for a hard link @link
+ * @label: apparmor label
+ * @label_len: length of @label (does not include any terminating nul byte)
+ * @target: file path that hard link will point to
+ * @target_len: length of @target (does not include any terminating nul byte)
+ * @link: file path of hard link
+ * @link_len: length of @link (does not include any terminating nul byte)
+ * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
+ * @audited: upon successful return, will be 1 if query should be audited and 0
+ *           if not
+ *
+ * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
+ *          ENOENT, the subject label in the query string is unknown to the
+ *          kernel.
+ */
+int aa_query_link_path_len(const char *label, size_t label_len,
+			   const char *target, size_t target_len,
+			   const char *link, size_t link_len,
+			   int *allowed, int *audited)
+{
+	autofree char *query = NULL;
+	int rc;
+
+	/* + 1 for null separators */
+	size_t size = AA_QUERY_CMD_LABEL_SIZE + label_len + 1 + target_len +
+		1 + link_len;
+	size_t pos = AA_QUERY_CMD_LABEL_SIZE;
+
+	query = malloc(size);
+	if (!query)
+		return -1;
+	memcpy(query + pos, label, label_len);
+	/* null separator */
+	pos += label_len;
+	query[pos] = 0;
+	query[++pos] = AA_CLASS_FILE;
+	memcpy(query + pos + 1, link, link_len);
+	/* The kernel does the query in two parts we could similate this
+	 * doing the following, however as long as policy is compiled
+	 * correctly this isn't requied, and it requires and extra round
+	 * trip to the kernel and adds a race on policy replacement between
+	 * the two queries.
+	 *
+	rc = aa_query_label(AA_MAY_LINK, query, size, allowed, audited);
+	if (rc || !*allowed)
+		return rc;
+	*/
+	pos += 1 + link_len;
+	query[pos] = 0;
+	memcpy(query + pos + 1, target, target_len);
+	return aa_query_label(AA_MAY_LINK, query, size, allowed, audited);
+}
+
+/**
+ * aa_query_link_path - query access permissions for a hard link @link
+ * @label: apparmor label
+ * @target: file path that hard link will point to
+ * @link: file path of hard link
+ * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
+ * @audited: upon successful return, will be 1 if query should be audited and 0
+ *           if not
+ *
+ * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
+ *          ENOENT, the subject label in the query string is unknown to the
+ *          kernel.
+ */
+int aa_query_link_path(const char *label, const char *target, const char *link,
+		       int *allowed, int *audited)
+{
+	return aa_query_link_path_len(label, strlen(label), target,
+				      strlen(target), link, strlen(link),
+				      allowed, audited);
+}
diff --git a/libraries/libapparmor/src/kernel_interface.c b/libraries/libapparmor/src/kernel_interface.c
index 6ab20ea36..d558ee1a0 100644
--- a/libraries/libapparmor/src/kernel_interface.c
+++ b/libraries/libapparmor/src/kernel_interface.c
@@ -183,11 +183,12 @@ static int write_policy_fd_to_iface(aa_kernel_interface *kernel_interface,
 }
 
 static int write_policy_file_to_iface(aa_kernel_interface *kernel_interface,
-				      const char *iface_file, const char *path)
+				      const char *iface_file,
+				      int dirfd, const char *path)
 {
 	autoclose int fd;
 
-	fd = open(path, O_RDONLY);
+	fd = openat(dirfd, path, O_RDONLY);
 	if (fd == -1)
 		return -1;
 
@@ -195,10 +196,12 @@ static int write_policy_file_to_iface(aa_kernel_interface *kernel_interface,
 }
 
 /**
- * aa_kernel_interface_new - create a new kernel_interface from an optional path
+ * aa_kernel_interface_new - create a new aa_kernel_interface object from an optional path
  * @kernel_interface: will point to the address of an allocated and initialized
  *                    aa_kernel_interface object upon success
- * @kernel_features: features representing the currently running kernel
+ * @kernel_features: features representing the currently running kernel (can be
+ *                   NULL and the features of the currently running kernel will
+ *                   be used)
  * @apparmorfs: path to the apparmor directory of the mounted securityfs (can
  *              be NULL and the path will be auto discovered)
  *
@@ -223,9 +226,17 @@ int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
 	aa_kernel_interface_ref(ki);
 	ki->dirfd = -1;
 
-	ki->supports_setload = kernel_features ?
-			       aa_features_supports(kernel_features, set_load) :
-			       false;
+	if (kernel_features) {
+		aa_features_ref(kernel_features);
+	} else if (aa_features_new_from_kernel(&kernel_features) == -1) {
+		int save = errno;
+
+		aa_kernel_interface_unref(ki);
+		errno = save;
+		return -1;
+	}
+	ki->supports_setload = aa_features_supports(kernel_features, set_load);
+	aa_features_unref(kernel_features);
 
 	if (!apparmorfs) {
 		if (find_iface_dir(&alloced_apparmorfs) == -1) {
@@ -255,7 +266,7 @@ int aa_kernel_interface_new(aa_kernel_interface **kernel_interface,
 }
 
 /**
- * aa_kernel_interface_ref - increments the ref count of a kernel_interface
+ * aa_kernel_interface_ref - increments the ref count of an aa_kernel_interface object
  * @kernel_interface: the kernel_interface
  *
  * Returns: the kernel_interface
@@ -267,7 +278,7 @@ aa_kernel_interface *aa_kernel_interface_ref(aa_kernel_interface *kernel_interfa
 }
 
 /**
- * aa_kernel_interface_unref - decrements the ref count and frees the kernel_interface when 0
+ * aa_kernel_interface_unref - decrements the ref count and frees the aa_kernel_interface object when 0
  * @kernel_interface: the kernel_interface (can be NULL)
  */
 void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface)
@@ -280,7 +291,7 @@ void aa_kernel_interface_unref(aa_kernel_interface *kernel_interface)
 }
 
 /**
- * aa_kernel_interface_load_policy - load a policy into the kernel
+ * aa_kernel_interface_load_policy - load a policy from a buffer into the kernel
  * @kernel_interface: valid aa_kernel_interface
  * @buffer: a buffer containing a policy
  * @size: the size of the buffer
@@ -295,21 +306,21 @@ int aa_kernel_interface_load_policy(aa_kernel_interface *kernel_interface,
 }
 
 /**
- * aa_kernel_interface_load_policy_from_file - load a policy into the kernel
+ * aa_kernel_interface_load_policy_from_file - load a policy from a file into the kernel
  * @kernel_interface: valid aa_kernel_interface
  * @path: path to a policy binary
  *
  * Returns: 0 on success, -1 on error with errno set
  */
 int aa_kernel_interface_load_policy_from_file(aa_kernel_interface *kernel_interface,
-					      const char *path)
+					      int dirfd, const char *path)
 {
 	return write_policy_file_to_iface(kernel_interface, AA_IFACE_FILE_LOAD,
-					  path);
+					  dirfd, path);
 }
 
 /**
- * aa_kernel_interface_load_policy_from_fd - load a policy into the kernel
+ * aa_kernel_interface_load_policy_from_fd - load a policy from a file descriptor into the kernel
  * @kernel_interface: valid aa_kernel_interface
  * @fd: a pre-opened, readable file descriptor at the correct offset
  *
@@ -323,7 +334,7 @@ int aa_kernel_interface_load_policy_from_fd(aa_kernel_interface *kernel_interfac
 }
 
 /**
- * aa_kernel_interface_replace_policy - replace a policy in the kernel
+ * aa_kernel_interface_replace_policy - replace a policy in the kernel with a policy from a buffer
  * @kernel_interface: valid aa_kernel_interface
  * @buffer: a buffer containing a policy
  * @size: the size of the buffer
@@ -339,21 +350,21 @@ int aa_kernel_interface_replace_policy(aa_kernel_interface *kernel_interface,
 }
 
 /**
- * aa_kernel_interface_replace_policy_from_file - replace a policy in the kernel
+ * aa_kernel_interface_replace_policy_from_file - replace a policy in the kernel with a policy from a file
  * @kernel_interface: valid aa_kernel_interface
  * @path: path to a policy binary
  *
  * Returns: 0 on success, -1 on error with errno set
  */
 int aa_kernel_interface_replace_policy_from_file(aa_kernel_interface *kernel_interface,
-						 const char *path)
+						 int dirfd, const char *path)
 {
 	return write_policy_file_to_iface(kernel_interface,
-					  AA_IFACE_FILE_REPLACE, path);
+					  AA_IFACE_FILE_REPLACE, dirfd, path);
 }
 
 /**
- * aa_kernel_interface_replace_policy_from_fd - replace a policy in the kernel
+ * aa_kernel_interface_replace_policy_from_fd - replace a policy in the kernel with a policy from a file descriptor
  * @kernel_interface: valid aa_kernel_interface
  * @fd: a pre-opened, readable file descriptor at the correct offset
  *
diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
index 3f434941f..98d97ea4b 100644
--- a/libraries/libapparmor/src/libapparmor.map
+++ b/libraries/libapparmor/src/libapparmor.map
@@ -54,6 +54,10 @@ APPARMOR_2.9 {
 
 APPARMOR_2.10 {
   global:
+        aa_query_file_path;
+        aa_query_file_path_len;
+        aa_query_link_path;
+        aa_query_link_path_len;
         aa_features_new;
         aa_features_new_from_string;
         aa_features_new_from_kernel;
@@ -76,10 +80,9 @@ APPARMOR_2.10 {
         aa_policy_cache_new;
         aa_policy_cache_ref;
         aa_policy_cache_unref;
-        aa_policy_cache_is_valid;
-        aa_policy_cache_create;
         aa_policy_cache_remove;
         aa_policy_cache_replace_all;
+        aa_splitcon;
   local:
         *;
 } APPARMOR_2.9;
diff --git a/libraries/libapparmor/src/policy_cache.c b/libraries/libapparmor/src/policy_cache.c
index a9e43bbed..56394f70a 100644
--- a/libraries/libapparmor/src/policy_cache.c
+++ b/libraries/libapparmor/src/policy_cache.c
@@ -16,8 +16,8 @@
  *   Ltd.
  */
 
-#include <dirent.h>
 #include <errno.h>
+#include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -28,20 +28,21 @@
 
 #include "private.h"
 
+#define CACHE_FEATURES_FILE	".features"
+
 struct aa_policy_cache {
 	unsigned int ref_count;
 	aa_features *features;
 	aa_features *kernel_features;
-	char *path;
-	char *features_path;
+	int dirfd;
 };
 
-static int clear_cache_cb(DIR *dir, const char *path, struct stat *st,
+static int clear_cache_cb(int dirfd, const char *path, struct stat *st,
 			  void *data unused)
 {
 	/* remove regular files */
 	if (S_ISREG(st->st_mode))
-		return unlinkat(dirfd(dir), path, 0);
+		return unlinkat(dirfd, path, 0);
 
 	/* do nothing with other file types */
 	return 0;
@@ -49,52 +50,44 @@ static int clear_cache_cb(DIR *dir, const char *path, struct stat *st,
 
 static int create_cache(aa_policy_cache *policy_cache, aa_features *features)
 {
-	struct stat stat_file;
-	autofclose FILE * f = NULL;
+	if (aa_policy_cache_remove(policy_cache->dirfd, "."))
+		return -1;
 
-	if (aa_policy_cache_remove(policy_cache->path))
-		goto error;
-
-create_file:
-	if (aa_features_write_to_file(features,
-				      policy_cache->features_path) == -1)
-		goto error;
+	if (aa_features_write_to_file(features, policy_cache->dirfd,
+				      CACHE_FEATURES_FILE) == -1)
+		return -1;
 
 	aa_features_unref(policy_cache->features);
 	policy_cache->features = aa_features_ref(features);
 	return 0;
-
-error:
-	/* does the dir exist? */
-	if (stat(policy_cache->path, &stat_file) == -1) {
-		if (mkdir(policy_cache->path, 0700) == 0)
-			goto create_file;
-		PERROR("Can't create cache directory: %s\n",
-		       policy_cache->path);
-	} else if (!S_ISDIR(stat_file.st_mode)) {
-		PERROR("File in cache directory location: %s\n",
-		       policy_cache->path);
-	} else {
-		PERROR("Can't update cache directory: %s\n",
-		       policy_cache->path);
-	}
-
-	return -1;
 }
 
 static int init_cache_features(aa_policy_cache *policy_cache,
 			       aa_features *kernel_features, bool create)
 {
-	if (aa_features_new(&policy_cache->features,
-			    policy_cache->features_path)) {
+	bool call_create_cache = false;
+
+	if (aa_features_new(&policy_cache->features, policy_cache->dirfd,
+			    CACHE_FEATURES_FILE)) {
 		policy_cache->features = NULL;
 		if (!create || errno != ENOENT)
 			return -1;
 
-		return create_cache(policy_cache, kernel_features);
+		/* The cache directory needs to be created */
+		call_create_cache = true;
+	} else if (!aa_features_is_equal(policy_cache->features,
+					 kernel_features)) {
+		if (!create) {
+			errno = EEXIST;
+			return -1;
+		}
+
+		/* The cache directory needs to be refreshed */
+		call_create_cache = true;
 	}
 
-	return 0;
+	return call_create_cache ?
+		create_cache(policy_cache, kernel_features) : 0;
 }
 
 struct replace_all_cb_data {
@@ -102,45 +95,46 @@ struct replace_all_cb_data {
 	aa_kernel_interface *kernel_interface;
 };
 
-static int replace_all_cb(DIR *dir unused, const char *name, struct stat *st,
+static int replace_all_cb(int dirfd unused, const char *name, struct stat *st,
 			 void *cb_data)
 {
 	int retval = 0;
 
-	if (!S_ISDIR(st->st_mode) && !_aa_is_blacklisted(name, NULL)) {
+	if (!S_ISDIR(st->st_mode) && !_aa_is_blacklisted(name)) {
 		struct replace_all_cb_data *data;
-		autofree char *path = NULL;
 
 		data = (struct replace_all_cb_data *) cb_data;
-		if (asprintf(&path, "%s/%s",
-			     data->policy_cache->path, name) < 0) {
-			path = NULL;
-			errno = ENOMEM;
-			return -1;
-		}
 		retval = aa_kernel_interface_replace_policy_from_file(data->kernel_interface,
-								      path);
+								      data->policy_cache->dirfd,
+								      name);
 	}
 
 	return retval;
 }
 
 /**
- * aa_policy_cache_new - create a new policy_cache from a path
+ * aa_policy_cache_new - create a new aa_policy_cache object from a path
  * @policy_cache: will point to the address of an allocated and initialized
  *                aa_policy_cache_new object upon success
- * @kernel_features: features representing the currently running kernel
+ * @kernel_features: features representing a kernel (may be NULL if you want to
+ *                   use the features of the currently running kernel)
+ * @dirfd: directory file descriptor or AT_FDCWD (see openat(2))
  * @path: path to the policy cache
- * @create: true if the cache should be created if it doesn't already exist
+ * @max_caches: The maximum number of policy caches, one for each unique set of
+ *              kernel features, before older caches are auto-reaped. 0 means
+ *              that no new caches should be created (existing, valid caches
+ *              will be used) and auto-reaping is disabled. UINT16_MAX means
+ *              that a cache can be created and auto-reaping is disabled.
  *
  * Returns: 0 on success, -1 on error with errno set and *@policy_cache
  *          pointing to NULL
  */
 int aa_policy_cache_new(aa_policy_cache **policy_cache,
-			aa_features *kernel_features, const char *path,
-			bool create)
+			aa_features *kernel_features,
+			int dirfd, const char *path, uint16_t max_caches)
 {
 	aa_policy_cache *pc;
+	bool create = max_caches > 0;
 
 	*policy_cache = NULL;
 
@@ -149,26 +143,51 @@ int aa_policy_cache_new(aa_policy_cache **policy_cache,
 		return -1;
 	}
 
+	if (max_caches > 1) {
+		errno = ENOTSUP;
+		return -1;
+	}
+
 	pc = calloc(1, sizeof(*pc));
 	if (!pc) {
 		errno = ENOMEM;
 		return -1;
 	}
+	pc->dirfd = -1;
 	aa_policy_cache_ref(pc);
 
-	pc->path = strdup(path);
-	if (!pc->path) {
+open:
+	pc->dirfd = openat(dirfd, path, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
+	if (pc->dirfd < 0) {
+		int save;
+
+		/* does the dir exist? */
+		if (create && errno == ENOENT) {
+			if (mkdirat(dirfd, path, 0700) == 0)
+				goto open;
+			PERROR("Can't create cache directory '%s': %m\n", path);
+		} else if (create) {
+			PERROR("Can't update cache directory '%s': %m\n", path);
+		} else {
+			PDEBUG("Cache directory '%s' does not exist\n", path);
+		}
+
+		save = errno;
 		aa_policy_cache_unref(pc);
-		errno = ENOMEM;
+		errno = save;
 		return -1;
 	}
 
-	if (asprintf(&pc->features_path, "%s/.features", pc->path) == -1) {
-		pc->features_path = NULL;
+	if (kernel_features) {
+		aa_features_ref(kernel_features);
+	} else if (aa_features_new_from_kernel(&kernel_features) == -1) {
+		int save = errno;
+
 		aa_policy_cache_unref(pc);
-		errno = ENOMEM;
+		errno = save;
 		return -1;
 	}
+	pc->kernel_features = kernel_features;
 
 	if (init_cache_features(pc, kernel_features, create)) {
 		int save = errno;
@@ -178,14 +197,13 @@ int aa_policy_cache_new(aa_policy_cache **policy_cache,
 		return -1;
 	}
 
-	pc->kernel_features = aa_features_ref(kernel_features);
 	*policy_cache = pc;
 
 	return 0;
 }
 
 /**
- * aa_policy_cache_ref - increments the ref count of a policy_cache
+ * aa_policy_cache_ref - increments the ref count of an aa_policy_cache object
  * @policy_cache: the policy_cache
  *
  * Returns: the policy_cache
@@ -197,60 +215,38 @@ aa_policy_cache *aa_policy_cache_ref(aa_policy_cache *policy_cache)
 }
 
 /**
- * aa_policy_cache_unref - decrements the ref count and frees the policy_cache when 0
+ * aa_policy_cache_unref - decrements the ref count and frees the aa_policy_cache object when 0
  * @policy_cache: the policy_cache (can be NULL)
  */
 void aa_policy_cache_unref(aa_policy_cache *policy_cache)
 {
 	if (policy_cache && atomic_dec_and_test(&policy_cache->ref_count)) {
-		aa_features_unref(policy_cache->kernel_features);
 		aa_features_unref(policy_cache->features);
-		free(policy_cache->features_path);
-		free(policy_cache->path);
+		aa_features_unref(policy_cache->kernel_features);
+		if (policy_cache->dirfd != -1)
+			close(policy_cache->dirfd);
 		free(policy_cache);
 	}
 }
 
-/**
- * aa_policy_cache_is_valid - checks if the policy_cache is valid for the currently running kernel
- * @policy_cache: the policy_cache
- *
- * Returns: true if the policy_cache is valid for the currently running kernel,
- *          false if not
- */
-bool aa_policy_cache_is_valid(aa_policy_cache *policy_cache)
-{
-	return aa_features_is_equal(policy_cache->features,
-				    policy_cache->kernel_features);
-}
-
-/**
- * aa_policy_cache_create - creates a valid policy_cache for the currently running kernel
- * @policy_cache: the policy_cache
- *
- * Returns: 0 on success, -1 on error with errno set and features pointing to
- *          NULL
- */
-int aa_policy_cache_create(aa_policy_cache *policy_cache)
-{
-	return create_cache(policy_cache, policy_cache->kernel_features);
-}
-
 /**
  * aa_policy_cache_remove - removes all policy cache files under a path
+ * @dirfd: directory file descriptor or AT_FDCWD (see openat(2))
  * @path: the path to a policy cache directory
  *
  * Returns: 0 on success, -1 on error with errno set
  */
-int aa_policy_cache_remove(const char *path)
+int aa_policy_cache_remove(int dirfd, const char *path)
 {
-	return _aa_dirat_for_each(NULL, path, NULL, clear_cache_cb);
+	return _aa_dirat_for_each(dirfd, path, NULL, clear_cache_cb);
 }
 
 /**
  * aa_policy_cache_replace_all - performs a kernel policy replacement of all cached policies
  * @policy_cache: the policy_cache
  * @kernel_interface: the kernel interface to use when doing the replacement
+ *                    (may be NULL if the currently running kernel features
+ *                    were used when calling aa_policy_cache_new())
  *
  * Returns: 0 on success, -1 on error with errno set and features pointing to
  *          NULL
@@ -272,7 +268,7 @@ int aa_policy_cache_replace_all(aa_policy_cache *policy_cache,
 
 	cb_data.policy_cache = policy_cache;
 	cb_data.kernel_interface = kernel_interface;
-	retval = _aa_dirat_for_each(NULL, policy_cache->path, &cb_data,
+	retval = _aa_dirat_for_each(policy_cache->dirfd, ".", &cb_data,
 				    replace_all_cb);
 
 	aa_kernel_interface_unref(kernel_interface);
diff --git a/libraries/libapparmor/src/private.c b/libraries/libapparmor/src/private.c
index f078f2887..9378e2243 100644
--- a/libraries/libapparmor/src/private.c
+++ b/libraries/libapparmor/src/private.c
@@ -107,16 +107,15 @@ bool atomic_dec_and_test(unsigned int *v)
 	return __sync_sub_and_fetch(v, 1) == 0;
 }
 
-int _aa_is_blacklisted(const char *name, const char *path)
+int _aa_is_blacklisted(const char *name)
 {
-	int name_len;
+	size_t name_len = strlen(name);
 	struct ignored_suffix_t *suffix;
 
 	/* skip dot files and files with no name */
-	if (*name == '.' || !strlen(name))
+	if (!name_len || *name == '.' || !strcmp(name, "README"))
 		return 1;
 
-	name_len = strlen(name);
 	/* skip blacklisted suffixes */
 	for (suffix = ignored_suffixes; suffix->text; suffix++) {
 		char *found;
@@ -170,25 +169,31 @@ int _aa_asprintf(char **strp, const char *fmt, ...)
 	return rc;
 }
 
+static int dot_or_dot_dot_filter(const struct dirent *ent)
+{
+	if (strcmp(ent->d_name, ".") == 0 ||
+	    strcmp(ent->d_name, "..") == 0)
+		return 0;
+
+	return 1;
+}
+
 /**
  * _aa_dirat_for_each: iterate over a directory calling cb for each entry
- * @dir: already opened directory (MAY BE NULL)
- * @name: name of the directory (MAY BE NULL)
+ * @dirfd: already opened directory
+ * @name: name of the directory (NOT NULL)
  * @data: data pointer to pass to the callback fn (MAY BE NULL)
  * @cb: the callback to pass entry too (NOT NULL)
  *
  * Iterate over the entries in a directory calling cb for each entry.
- * The directory to iterate is determined by a combination of @dir and
+ * The directory to iterate is determined by a combination of @dirfd and
  * @name.
  *
- * IF @name is a relative path it is determine relative to at @dir if it
- * is specified, else it the lookup is done relative to the current
- * working directory.
+ * See the openat section of the open(2) man page for details on valid @dirfd
+ * and @name combinations. This function does accept AT_FDCWD as @dirfd if
+ * @name should be considered relative to the current working directory.
  *
- * If @name is not specified then @dir is used as the directory to iterate
- * over.
- *
- * It is an error if both @name and @dir are null
+ * Pass "." for @name if @dirfd is the directory to iterate over.
  *
  * The cb function is called with the DIR in use and the name of the
  * file in that directory.  If the file is to be opened it should
@@ -196,88 +201,52 @@ int _aa_asprintf(char **strp, const char *fmt, ...)
  *
  * Returns: 0 on success, else -1 and errno is set to the error code
  */
-int _aa_dirat_for_each(DIR *dir, const char *name, void *data,
-		       int (* cb)(DIR *, const char *, struct stat *, void *))
+int _aa_dirat_for_each(int dirfd, const char *name, void *data,
+		       int (* cb)(int, const char *, struct stat *, void *))
 {
-	autofree struct dirent *dirent = NULL;
-	DIR *d = NULL;
-	int error;
+	autofree struct dirent **namelist = NULL;
+	autoclose int cb_dirfd = -1;
+	int i, num_dirs, rc;
 
-	if (!cb || (!dir && !name)) {
+	if (!cb || !name) {
 		errno = EINVAL;
 		return -1;
 	}
 
-	if (dir && (!name || *name != '/')) {
-		dirent = (struct dirent *)
-			malloc(offsetof(struct dirent, d_name) +
-			       fpathconf(dirfd(dir), _PC_NAME_MAX) + 1);
-	} else {
-		dirent = (struct dirent *)
-			malloc(offsetof(struct dirent, d_name) +
-			       pathconf(name, _PC_NAME_MAX) + 1);
-	}
-	if (!dirent) {
-		errno = ENOMEM;
-		PDEBUG("could not alloc dirent: %m\n");
+	cb_dirfd = openat(dirfd, name, O_RDONLY | O_CLOEXEC | O_DIRECTORY);
+	if (cb_dirfd == -1) {
+		PDEBUG("could not open directory '%s': %m\n", name);
 		return -1;
 	}
 
-	if (name) {
-		if (dir && *name != '/') {
-			int fd = openat(dirfd(dir), name, O_RDONLY);
-			if (fd == -1)
-				goto fail;
-			d = fdopendir(fd);
-		} else {
-			d = opendir(name);
-		}
-		PDEBUG("Open dir '%s': %s\n", name, d ? "succeeded" : "failed");
-		if (!(d))
-			goto fail;
-	} else { /* dir && !name */
-		PDEBUG("Recieved cache directory\n");
-		d = dir;
+	num_dirs = scandirat(cb_dirfd, ".", &namelist,
+			     dot_or_dot_dot_filter, NULL);
+	if (num_dirs == -1) {
+		PDEBUG("scandirat of directory '%s' failed: %m\n", name);
+		return -1;
 	}
 
-	for (;;) {
-		struct dirent *ent;
+	for (rc = 0, i = 0; i < num_dirs; i++) {
+		/* Must cycle through all dirs so that each one is autofreed */
+		autofree struct dirent *dir = namelist[i];
 		struct stat my_stat;
 
-		error = readdir_r(d, dirent, &ent);
-		if (error) {
-			errno = error; /* readdir_r directly returns an errno */
-			PDEBUG("readdir_r failed: %m\n");
-			goto fail;
-		} else if (!ent) {
-			break;
-		}
-
-		if (strcmp(ent->d_name, ".") == 0 ||
-		    strcmp(ent->d_name, "..") == 0)
+		if (rc)
 			continue;
 
-		if (fstatat(dirfd(d), ent->d_name, &my_stat, 0)) {
-			PDEBUG("stat failed for '%s': %m\n", name);
-			goto fail;
+		if (fstatat(cb_dirfd, dir->d_name, &my_stat, 0)) {
+			PDEBUG("stat failed for '%s': %m\n", dir->d_name);
+			rc = -1;
+			continue;
 		}
 
-		if (cb(d, ent->d_name, &my_stat, data)) {
-			PDEBUG("dir_for_each callback failed\n");
-			goto fail;
+		if (cb(cb_dirfd, dir->d_name, &my_stat, data)) {
+			PDEBUG("dir_for_each callback failed for '%s'\n",
+			       dir->d_name);
+			rc = -1;
+			continue;
 		}
 	}
 
-	if (d != dir)
-		closedir(d);
-
-	return 0;
-
-fail:
-	error = errno;
-	if (d && d != dir)
-		closedir(d);
-	errno = error;
-
-	return -1;
+	return rc;
 }
diff --git a/libraries/libapparmor/src/scanner.l b/libraries/libapparmor/src/scanner.l
index b5b179413..c78f198ce 100644
--- a/libraries/libapparmor/src/scanner.l
+++ b/libraries/libapparmor/src/scanner.l
@@ -355,6 +355,7 @@ yy_flex_debug = 0;
 {syslog_time}		{ yylval->t_str = strdup(yytext); BEGIN(hostname); return(TOK_TIME); }
 
 {audit}			{ yy_push_state(audit_id, yyscanner); return(TOK_AUDIT); }
+{dmesg_timestamp}	{ yylval->t_str = strdup(yytext); return(TOK_DMESG_STAMP); }
 
 .			{ /* ignore any non-matched input */ BEGIN(unknown_message); yyless(0); }
 
diff --git a/libraries/libapparmor/src/tst_kernel.c b/libraries/libapparmor/src/tst_kernel.c
new file mode 100644
index 000000000..a383774e3
--- /dev/null
+++ b/libraries/libapparmor/src/tst_kernel.c
@@ -0,0 +1,228 @@
+/*
+ *   Copyright (c) 2015
+ *   Canonical, Ltd. (All rights reserved)
+ *
+ *   This program is free software; you can redistribute it and/or
+ *   modify it under the terms of version 2 of the GNU General Public
+ *   License published by the Free Software Foundation.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, contact Novell, Inc. or Canonical
+ *   Ltd.
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "kernel.c"
+
+static int nullcmp_and_strcmp(const void *s1, const void *s2)
+{
+	/* Return 0 if both pointers are NULL & non-zero if only one is NULL */
+	if (!s1 || !s2)
+		return s1 != s2;
+
+	return strcmp(s1, s2);
+}
+
+static int do_test_splitcon(char *con, int size, bool strip_nl, char **mode,
+			    const char *expected_label,
+			    const char *expected_mode, const char *error)
+{
+	char *label;
+	int rc = 0;
+
+	label = splitcon(con, size, strip_nl, mode);
+
+	if (nullcmp_and_strcmp(label, expected_label)) {
+		fprintf(stderr, "FAIL: %s: label \"%s\" != \"%s\"\n",
+			error, label, expected_label);
+		rc = 1;
+	}
+
+	if (mode && nullcmp_and_strcmp(*mode, expected_mode)) {
+		fprintf(stderr, "FAIL: %s: mode \"%s\" != \"%s\"\n",
+			error, *mode, expected_mode);
+		rc = 1;
+	}
+
+	return rc;
+}
+
+static int do_test_aa_splitcon(char *con, char **mode,
+			       const char *expected_label,
+			       const char *expected_mode, const char *error)
+{
+	char *label;
+	int rc = 0;
+
+	label = aa_splitcon(con, mode);
+
+	if (nullcmp_and_strcmp(label, expected_label)) {
+		fprintf(stderr, "FAIL: %s: label \"%s\" != \"%s\"\n",
+			error, label, expected_label);
+		rc = 1;
+	}
+
+	if (mode && nullcmp_and_strcmp(*mode, expected_mode)) {
+		fprintf(stderr, "FAIL: %s: mode \"%s\" != \"%s\"\n",
+			error, *mode, expected_mode);
+		rc = 1;
+	}
+
+	return rc;
+}
+
+#define TEST_SPLITCON(con, size, strip_nl, expected_label,		\
+		      expected_mode, error)				\
+	do {								\
+		char c1[] = con;					\
+		char c2[] = con;					\
+		size_t sz = size < 0 ? strlen(con) : size;		\
+		char *mode;						\
+									\
+		if (do_test_splitcon(c1, sz, strip_nl, &mode,		\
+				expected_label, expected_mode,		\
+				"splitcon: " error)) {			\
+			rc = 1;						\
+		} else if (do_test_splitcon(c2, sz, strip_nl, NULL,	\
+				expected_label, NULL,			\
+				"splitcon: " error " (NULL mode)")) {	\
+			rc = 1;						\
+		}							\
+	} while (0)
+
+#define TEST_AA_SPLITCON(con, expected_label, expected_mode, error)	\
+	do {								\
+		char c1[] = con;					\
+		char c2[] = con;					\
+		char c3[] = con "\n";					\
+		char *mode;						\
+									\
+		if (do_test_aa_splitcon(c1, &mode, expected_label,	\
+				expected_mode, "aa_splitcon: " error)) {\
+			rc = 1;						\
+		} else if (do_test_aa_splitcon(c2, NULL, expected_label,\
+				NULL,					\
+				"aa_splitcon: " error " (NULL mode)")) {\
+			rc = 1;						\
+		} else if (do_test_aa_splitcon(c3, &mode,		\
+				expected_label, expected_mode,		\
+				"aa_splitcon: " error " (newline)")) {	\
+			rc = 1;						\
+		}							\
+	} while (0)
+
+static int test_splitcon(void)
+{
+	int rc = 0;
+
+	/**
+	 * NOTE: the TEST_SPLITCON() macro automatically generates
+	 * corresponding tests with a NULL mode pointer.
+	 */
+
+	TEST_SPLITCON("", 0, true, NULL, NULL, "empty string test #1");
+	TEST_SPLITCON("", 0, false, NULL, NULL, "empty string test #2");
+
+	TEST_SPLITCON("unconfined", -1, true, "unconfined", NULL,
+		      "unconfined #1");
+	TEST_SPLITCON("unconfined", -1, false, "unconfined", NULL,
+		      "unconfined #2");
+	TEST_SPLITCON("unconfined\n", -1, true, "unconfined", NULL,
+		      "unconfined #3");
+	TEST_SPLITCON("unconfined\n", -1, false, NULL, NULL,
+		      "unconfined #4");
+
+	TEST_SPLITCON("label (mode)", -1, true, "label", "mode",
+		      "basic split #1");
+	TEST_SPLITCON("label (mode)", -1, false, "label", "mode",
+		      "basic split #2");
+	TEST_SPLITCON("label (mode)\n", -1, true, "label", "mode",
+		      "basic split #3");
+	TEST_SPLITCON("label (mode)\n", -1, false, NULL, NULL,
+		      "basic split #4");
+
+	TEST_SPLITCON("/a/b/c (enforce)", -1, true, "/a/b/c", "enforce",
+		      "path enforce split #1");
+	TEST_SPLITCON("/a/b/c (enforce)", -1, false, "/a/b/c", "enforce",
+		      "path enforce split #2");
+	TEST_SPLITCON("/a/b/c (enforce)\n", -1, true, "/a/b/c", "enforce",
+		      "path enforce split #3");
+	TEST_SPLITCON("/a/b/c (enforce)\n", -1, false, NULL, NULL,
+		      "path enforce split #4");
+
+	return rc;
+}
+
+
+static int test_aa_splitcon(void)
+{
+	int rc = 0;
+
+	/**
+	 * NOTE: the TEST_AA_SPLITCON() macro automatically generates
+	 * corresponding tests with a NULL mode pointer and contexts with
+	 * trailing newline characters.
+	 */
+
+	TEST_AA_SPLITCON("label (mode)", "label", "mode", "basic split");
+
+	TEST_AA_SPLITCON("/a/b/c (enforce)", "/a/b/c", "enforce",
+			 "path enforce split");
+
+	TEST_AA_SPLITCON("/a/b/c (complain)", "/a/b/c", "complain",
+			 "path complain split");
+
+	TEST_AA_SPLITCON("profile_name (enforce)", "profile_name", "enforce",
+			 "name enforce split");
+
+	TEST_AA_SPLITCON("profile_name (complain)", "profile_name", "complain",
+			 "name complain split");
+
+	TEST_AA_SPLITCON("unconfined", "unconfined", NULL, "unconfined");
+
+	TEST_AA_SPLITCON("(odd) (enforce)", "(odd)", "enforce",
+			 "parenthesized label #1");
+
+	TEST_AA_SPLITCON("(odd) (enforce) (enforce)", "(odd) (enforce)",
+			 "enforce", "parenthesized label #2");
+
+	TEST_AA_SPLITCON("/usr/bin/😺 (enforce)", "/usr/bin/😺", "enforce",
+			 "non-ASCII path");
+
+	TEST_AA_SPLITCON("👍 (enforce)", "👍", "enforce",
+			 "non-ASCII profile name");
+
+	/* Negative tests */
+
+	TEST_AA_SPLITCON("", NULL, NULL, "empty string test");
+
+	TEST_AA_SPLITCON("profile\t(enforce)", NULL, NULL,
+			 "invalid tab separator");
+
+	TEST_AA_SPLITCON("profile(enforce)", NULL, NULL,
+			 "invalid missing separator");
+
+	return rc;
+}
+
+int main(void)
+{
+	int retval, rc = 0;
+
+	retval = test_splitcon();
+	if (retval)
+		rc = retval;
+
+	retval = test_aa_splitcon();
+	if (retval)
+		rc = retval;
+
+	return rc;
+}
diff --git a/libraries/libapparmor/swig/SWIG/libapparmor.i b/libraries/libapparmor/swig/SWIG/libapparmor.i
index 6bae3f6ee..69b4cc21b 100644
--- a/libraries/libapparmor/swig/SWIG/libapparmor.i
+++ b/libraries/libapparmor/swig/SWIG/libapparmor.i
@@ -3,12 +3,30 @@
 %{
 #include <aalogparse.h>
 #include <sys/apparmor.h>
+#include <sys/apparmor_private.h>
 
 %}
 
 %include "typemaps.i"
 %include <aalogparse.h>
 
+/**
+ * swig doesn't like the macro magic we do in apparmor.h and apparmor_private.h
+ * so the function prototypes must be manually inserted.
+ *
+ * Functions that return a negative int and set errno upon error use a special
+ * %exception directive and must be listed after the %exception below. All
+ * other functions go here.
+ */
+
+/* apparmor.h */
+
+extern char *aa_splitcon(char *con, char **mode);
+
+/* apparmor_private.h */
+
+extern int _aa_is_blacklisted(const char *name);
+
 #ifdef SWIGPYTHON
 %exception {
   $action
@@ -19,9 +37,9 @@
 }
 #endif
 
-/* swig doesn't like the macro magic we do in apparmor.h so the fn prototypes
- * are manually inserted here
- */
+/* Functions that return a negative int and set errno upon error go here. */
+
+/* apparmor.h */
 
 extern int aa_is_enabled(void);
 extern int aa_find_mountpoint(char **mnt);
@@ -39,5 +57,16 @@ extern int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode);
 extern int aa_getpeercon(int fd, char **label, char **mode);
 extern int aa_query_label(uint32_t mask, char *query, size_t size, int *allow,
 			  int *audit);
+extern int aa_query_file_path_len(uint32_t mask, const char *label,
+				  size_t label_len, const char *path,
+				  size_t path_len, int *allowed, int *audited);
+extern int aa_query_file_path(uint32_t mask, const char *label,
+			      const char *path, int *allowed, int *audited);
+extern int aa_query_link_path_len(const char *label, size_t label_len,
+				  const char *target, size_t target_len,
+				  const char *link, size_t link_len,
+				  int *allowed, int *audited);
+extern int aa_query_link_path(const char *label, const char *target,
+			      const char *link, int *allowed, int *audited);
 
 %exception;
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_changeprofile_01.err b/libraries/libapparmor/testsuite/test_multi/testcase_changeprofile_01.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_changeprofile_01.in b/libraries/libapparmor/testsuite/test_multi/testcase_changeprofile_01.in
new file mode 100644
index 000000000..9337c8832
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_changeprofile_01.in
@@ -0,0 +1 @@
+Sep  9 12:51:36 ubuntu-desktop kernel: [   97.492562] audit: type=1400 audit(1431116353.523:77): apparmor="DENIED" operation="change_profile" profile="/tests/regression/apparmor/changeprofile" pid=3459 comm="changeprofile" target="/tests/regression/apparmor/rename"
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_changeprofile_01.out b/libraries/libapparmor/testsuite/test_multi/testcase_changeprofile_01.out
new file mode 100644
index 000000000..74b4f714f
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_changeprofile_01.out
@@ -0,0 +1,11 @@
+START
+File: testcase_changeprofile_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1431116353.523:77
+Operation: change_profile
+Profile: /tests/regression/apparmor/changeprofile
+Command: changeprofile
+Name2: /tests/regression/apparmor/rename
+PID: 3459
+Epoch: 1431116353
+Audit subid: 77
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_capability.err b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_capability.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_capability.in b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_capability.in
new file mode 100644
index 000000000..7cd948de8
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_capability.in
@@ -0,0 +1 @@
+[ 1612.746129] audit: type=1400 audit(1284061910.975:672): apparmor="DENIED" operation="capable" parent=2663 profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_setpriority" pid=7292 comm="syscall_setprio" capability=23  capname="sys_nice"
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_capability.out b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_capability.out
new file mode 100644
index 000000000..612308c63
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_capability.out
@@ -0,0 +1,12 @@
+START
+File: testcase_dmesg_capability.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1284061910.975:672
+Operation: capable
+Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/syscall_setpriority
+Name: sys_nice
+Command: syscall_setprio
+Parent: 2663
+PID: 7292
+Epoch: 1284061910
+Audit subid: 672
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changehat_negative_error.err b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changehat_negative_error.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changehat_negative_error.in b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changehat_negative_error.in
new file mode 100644
index 000000000..592778855
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changehat_negative_error.in
@@ -0,0 +1 @@
+[ 1597.774866] audit: type=1400 audit(1284061896.005:28): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=2698 comm="syscall_ptrace"
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changehat_negative_error.out b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changehat_negative_error.out
new file mode 100644
index 000000000..64cd6252d
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changehat_negative_error.out
@@ -0,0 +1,11 @@
+START
+File: testcase_dmesg_changehat_negative_error.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1284061896.005:28
+Operation: change_hat
+Command: syscall_ptrace
+Info: unconfined
+ErrorCode: 1
+PID: 2698
+Epoch: 1284061896
+Audit subid: 28
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changeprofile_01.err b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changeprofile_01.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changeprofile_01.in b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changeprofile_01.in
new file mode 100644
index 000000000..089d75634
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changeprofile_01.in
@@ -0,0 +1 @@
+[   97.492562] audit: type=1400 audit(1431116353.523:77): apparmor="DENIED" operation="change_profile" profile="/tests/regression/apparmor/changeprofile" pid=3459 comm="changeprofile" target="/tests/regression/apparmor/rename"
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changeprofile_01.out b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changeprofile_01.out
new file mode 100644
index 000000000..32ebb3c57
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_changeprofile_01.out
@@ -0,0 +1,11 @@
+START
+File: testcase_dmesg_changeprofile_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1431116353.523:77
+Operation: change_profile
+Profile: /tests/regression/apparmor/changeprofile
+Command: changeprofile
+Name2: /tests/regression/apparmor/rename
+PID: 3459
+Epoch: 1431116353
+Audit subid: 77
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.err b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.in b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.in
new file mode 100644
index 000000000..fba0c31fb
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.in
@@ -0,0 +1 @@
+[ 2010.738449] audit: type=1400 audit(1284062308.965:276251): apparmor="DENIED" operation="link" parent=19088 profile="/home/ubuntu/bzr/apparmor/tests/regression/apparmor/link" name="/tmp/sdtest.19088-12382-HWH57d/linkfile" pid=19142 comm="link" requested_mask="l" denied_mask="l" fsuid=0 ouid=0 target="/tmp/sdtest.19088-12382-HWH57d/target"
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.out b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.out
new file mode 100644
index 000000000..c1b335bc4
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_link_01.out
@@ -0,0 +1,17 @@
+START
+File: testcase_dmesg_link_01.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1284062308.965:276251
+Operation: link
+Mask: l
+Denied Mask: l
+fsuid: 0
+ouid: 0
+Profile: /home/ubuntu/bzr/apparmor/tests/regression/apparmor/link
+Name: /tmp/sdtest.19088-12382-HWH57d/linkfile
+Command: link
+Name2: /tmp/sdtest.19088-12382-HWH57d/target
+Parent: 19088
+PID: 19142
+Epoch: 1284062308
+Audit subid: 276251
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_mkdir.err b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_mkdir.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_mkdir.in b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_mkdir.in
new file mode 100644
index 000000000..aa0bf19ec
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_mkdir.in
@@ -0,0 +1 @@
+[45334.755142] audit: type=1503 audit(1282671283.411:2199):  operation="mkdir" pid=4786 parent=4708 profile="/usr/sbin/sshd//ubuntu" requested_mask="c::" denied_mask="c::" fsuid=1000 ouid=1000 name="/tmp/ssh-gRozJw4786/"
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_mkdir.out b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_mkdir.out
new file mode 100644
index 000000000..4e362d8a2
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_mkdir.out
@@ -0,0 +1,15 @@
+START
+File: testcase_dmesg_mkdir.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1282671283.411:2199
+Operation: mkdir
+Mask: c::
+Denied Mask: c::
+fsuid: 1000
+ouid: 1000
+Profile: /usr/sbin/sshd//ubuntu
+Name: /tmp/ssh-gRozJw4786/
+Parent: 4708
+PID: 4786
+Epoch: 1282671283
+Audit subid: 2199
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_dest.err b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_dest.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_dest.in b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_dest.in
new file mode 100644
index 000000000..2c5d6c858
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_dest.in
@@ -0,0 +1 @@
+[  878.663418] audit: type=1502 audit(1282626827.320:413): operation="rename_dest" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="wc::" denied_mask="wc::" fsuid=0 ouid=0 name="/var/run/motd"
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_dest.out b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_dest.out
new file mode 100644
index 000000000..90364234c
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_dest.out
@@ -0,0 +1,15 @@
+START
+File: testcase_dmesg_rename_dest.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1282626827.320:413
+Operation: rename_dest
+Mask: wc::
+Denied Mask: wc::
+fsuid: 0
+ouid: 0
+Profile: /usr/sbin/sshd
+Name: /var/run/motd
+Parent: 650
+PID: 1881
+Epoch: 1282626827
+Audit subid: 413
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_src.err b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_src.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_src.in b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_src.in
new file mode 100644
index 000000000..135531b48
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_src.in
@@ -0,0 +1 @@
+[  878.663410] audit: type=1502 audit(1282626827.320:412): operation="rename_src" pid=1881 parent=650 profile="/usr/sbin/sshd" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/var/run/motd.new"
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_src.out b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_src.out
new file mode 100644
index 000000000..6c89300fb
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_rename_src.out
@@ -0,0 +1,15 @@
+START
+File: testcase_dmesg_rename_src.in
+Event type: AA_RECORD_ALLOWED
+Audit ID: 1282626827.320:412
+Operation: rename_src
+Mask: r::
+Denied Mask: r::
+fsuid: 0
+ouid: 0
+Profile: /usr/sbin/sshd
+Name: /var/run/motd.new
+Parent: 650
+PID: 1881
+Epoch: 1282626827
+Audit subid: 412
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_status_offset.err b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_status_offset.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_status_offset.in b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_status_offset.in
new file mode 100644
index 000000000..5b4dd12ab
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_status_offset.in
@@ -0,0 +1 @@
+[ 2143.902340] audit: type=1400 audit(1283989336.064:272335): apparmor="STATUS" info="failed to unpack profile" error=-71 pid=4958 comm="apparmor_parser" name="/home/jj/master/tests/regression/apparmor/net_raw" offset=159
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_status_offset.out b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_status_offset.out
new file mode 100644
index 000000000..b12d58cac
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_status_offset.out
@@ -0,0 +1,11 @@
+START
+File: testcase_dmesg_status_offset.in
+Event type: AA_RECORD_STATUS
+Audit ID: 1283989336.064:272335
+Name: /home/jj/master/tests/regression/apparmor/net_raw
+Command: apparmor_parser
+Info: failed to unpack profile
+ErrorCode: 71
+PID: 4958
+Epoch: 1283989336
+Audit subid: 272335
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_truncate.err b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_truncate.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_truncate.in b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_truncate.in
new file mode 100644
index 000000000..86b2770e7
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_truncate.in
@@ -0,0 +1 @@
+[  878.662172] audit: type=1503 audit(1282626827.320:411): operation="truncate" pid=1957 parent=1 profile="/etc/update-motd.d/91-release-upgrade" requested_mask="w::" denied_mask="w::" fsuid=0 ouid=0 name="/var/lib/update-notifier/release-upgrade-available"
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_truncate.out b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_truncate.out
new file mode 100644
index 000000000..fbc1bb42f
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase_dmesg_truncate.out
@@ -0,0 +1,15 @@
+START
+File: testcase_dmesg_truncate.in
+Event type: AA_RECORD_DENIED
+Audit ID: 1282626827.320:411
+Operation: truncate
+Mask: w::
+Denied Mask: w::
+fsuid: 0
+ouid: 0
+Profile: /etc/update-motd.d/91-release-upgrade
+Name: /var/lib/update-notifier/release-upgrade-available
+Parent: 1
+PID: 1957
+Epoch: 1282626827
+Audit subid: 411
diff --git a/parser/Makefile b/parser/Makefile
index 40af43585..1f0db8d48 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -50,7 +50,7 @@ CFLAGS = -g -pg -fprofile-arcs -ftest-coverage
 endif
 endif #CFLAGS
 
-EXTRA_CXXFLAGS = ${CFLAGS} ${CXX_WARNINGS} -std=gnu++0x -D_GNU_SOURCE
+EXTRA_CXXFLAGS = ${CFLAGS} ${CPPFLAGS} ${CXX_WARNINGS} -std=gnu++0x -D_GNU_SOURCE
 EXTRA_CFLAGS = ${EXTRA_CXXFLAGS} ${CPP_WARNINGS}
 
 #LEXLIB	:= -lfl
@@ -213,7 +213,7 @@ parser_include.o: parser_include.c parser.h parser_include.h
 parser_merge.o: parser_merge.c parser.h profile.h
 	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
-parser_regex.o: parser_regex.c parser.h profile.h libapparmor_re/apparmor_re.h $(APPARMOR_H)
+parser_regex.o: parser_regex.c parser.h profile.h libapparmor_re/apparmor_re.h libapparmor_re/aare_rules.h $(APPARMOR_H)
 	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_symtab.o: parser_symtab.c parser.h
diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index 11b93e58d..93ea835ea 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -44,19 +44,51 @@ to the policy; this behaviour is modelled after cpp(1).
 
 =over 4
 
+B<PROFILE FILE> = ( [ I<PREAMBLE> ] [ I<PROFILE> ] )*
+
+B<PREAMBLE> = ( I<COMMENT> | I<VARIABLE ASSIGNMENT> | I<INCLUDE> )* (variable assignment must come before the profile)
+
 B<INCLUDE> = '#include' ( I<ABS PATH> | I<MAGIC PATH> )
 
 B<ABS PATH> = '"' path '"' (the path is passed to open(2))
 
 B<MAGIC PATH> = 'E<lt>' relative path 'E<gt>' (the path is relative to F</etc/apparmor.d/>)
 
-B<COMMENT> = '#' I<TEXT>
+B<COMMENT> = '#' I<TEXT> [ '\r' ] '\n'
 
 B<TEXT> = any characters
 
-B<PROFILE> = [ I<COMMENT> ... ] [ I<VARIABLE ASSIGNMENT> ... ] ( '"' I<PROGRAM> '"' | I<PROGRAM> ) [ 'flags=(complain)' ]'{' [ ( I<RESOURCE RULE> | I<COMMENT> | I<INCLUDE> | I<SUBPROFILE> | I<CAPABILITY RULE> | I<NETWORK RULE> | I<MOUNT RULE> | I<PIVOT ROOT RULE> | I<DBUS RULE> | I<UNIX RULE> | I<FILE RULE> | I<LINK RULE> | I<CHANGE_PROFILE RULE> | I<RLIMIT RULE>) ... ] '}'
+B<PROFILE> = ( I<PROFILE HEAD> ) [ I<ATTACHMENT SPECIFICATION> ] [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}'
 
-B<SUBPROFILE> = [ I<COMMENT> ... ] ( I<PROGRAMHAT> | 'profile ' I<PROGRAMCHILD> ) '{' [ ( I<FILE RULE> | I<COMMENT> | I<INCLUDE> ) ... ] '}'
+B<PROFILE HEAD> = [ 'profile' ] I<FILEGLOB> | 'profile' I<PROFILE NAME>
+
+B<PROFILE NAME> ( I<UNQUOTED PROFILE NAME> | I<QUOTED PROFILE NAME> )
+
+B<QUOTED PROFILE NAME> = '"' I<UNQUOTED PROFILE NAME> '"'
+
+B<UNQUOTED PROFILE NAME> = (must start with alphanumeric character (after variable expansion), or '/' B<AARE> have special meanings; see below. May include I<VARIABLE>. Rules with embedded spaces or tabs must be quoted.)
+
+B<ATTACHMENT SPECIFICATION> = I<FILEGLOB>
+
+B<PROFILE FLAG CONDS> =  [ 'flags=' ] '(' comma or white space separated list of I<PROFILE FLAGS> ')'
+
+B<PROFILE FLAGS> = 'complain' | 'audit' | 'enforce' | 'mediate_deleted' | 'attach_disconnected' | 'chroot_relative'
+
+B<RULES> = [ ( I<LINE RULES> | I<COMMA RULES> ',' | I<BLOCK RULES> )
+
+B<LINE RULES> = ( I<COMMENT> | I<INCLUDE> ) [ '\r' ] '\n'
+
+B<COMMA RULES> = ( I<CAPABILITY RULE> | I<NETWORK RULE> | I<MOUNT RULE> | I<PIVOT ROOT RULE> | I<UNIX RULE> | I<FILE RULE> | I<LINK RULE> | I<CHANGE_PROFILE RULE> | I<RLIMIT RULE> | I<ALIAS RULE> | I<DBUS RULE> )
+
+B<BLOCK RULES> = ( I<SUBPROFILE> | I<HAT> | I<QUALIFIER BLOCK> )
+
+B<SUBPROFILE> = 'profile' I<PROFILE NAME> [ I<ATTACHMENT SPECIFICATION> ] [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}'
+
+B<HAT> = ('hat' | '^') I<HATNAME> [ I<PROFILE FLAG CONDS> ] '{' ( I<RULES> )* '}'
+
+B<HATNAME> = ( must start with alphanumeric character. see aa_change_hat(2) for a description of how this "hat" is used. IF '^' is used to start a hat then there is no space between the '^' and I<HATNAME>)
+
+B<QUALIFIER BLOCK> = I<QUALIFIERS> I<BLOCK>
 
 B<ACCESS TYPE> = ( 'allow' | 'deny' )
 
@@ -69,7 +101,7 @@ B<CAPABILITY LIST> = ( I<CAPABILITY> )+
 B<CAPABILITY> = (lowercase capability name without 'CAP_' prefix; see
 capabilities(7))
 
-B<NETWORK RULE> = [ I<QUALIFIERS> 'network' [ [ I<DOMAIN> [ I<TYPE> | I<PROTOCOL> ] ] | [ I<PROTOCOL> ] ] ','
+B<NETWORK RULE> = [ I<QUALIFIERS> ] 'network' [ I<DOMAIN> ] [ I<TYPE> | I<PROTOCOL> ]
 
 B<DOMAIN> = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' ) ','
 
@@ -77,15 +109,9 @@ B<TYPE> = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' | 'packet' )
 
 B<PROTOCOL> = ( 'tcp' | 'udp' | 'icmp' )
 
-B<PROGRAM> = (non-whitespace characters except for '^', must start with '/'. Embedded spaces or tabs must be quoted.)
-
-B<PROGRAMHAT> = '^'  (non-whitespace characters; see aa_change_hat(2) for a description of how this "hat" is used.)
-
-B<PROGRAMCHILD> = I<SUBPROFILE> name
-
 B<MOUNT RULE> = ( I<MOUNT> | I<REMOUNT> | I<UMOUNT> )
 
-B<MOUNT> = [ I<QUALIFIERS> ] 'mount' [ I<MOUNT CONDITIONS> ] [ I<SOURCE FILEGLOB> ] [ -E<gt> [ I<MOUNTPOINT FILEGLOB> ]
+B<MOUNT> = [ I<QUALIFIERS> ] 'mount' [ I<MOUNT CONDITIONS> ] [ I<SOURCE FILEGLOB> ] [ '-E<gt>' [ I<MOUNTPOINT FILEGLOB> ]
 
 B<REMOUNT> = [ I<QUALIFIERS> ] 'remount' [ I<MOUNT CONDITIONS> ] I<MOUNTPOINT FILEGLOB>
 
@@ -105,7 +131,7 @@ B<MOUNT FLAGS> = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec'
 
 B<MOUNT EXPRESSION> = ( I<ALPHANUMERIC> | I<AARE> ) ...
 
-B<PIVOT ROOT RULE> = [ I<QUALIFIERS> ] pivot_root [ oldroot=I<OLD PUT FILEGLOB> ] [ I<NEW ROOT FILEGLOB> ] [ -E<gt> I<PROGRAMCHILD> ]
+B<PIVOT ROOT RULE> = [ I<QUALIFIERS> ] pivot_root [ oldroot=I<OLD PUT FILEGLOB> ] [ I<NEW ROOT FILEGLOB> ] [ '-E<gt>' I<PROFILE NAME> ]
 
 B<SOURCE FILEGLOB> = I<FILEGLOB>
 
@@ -201,11 +227,11 @@ B<UNIX ATTR COND> 'attr' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' )
 
 B<UNIX OPT COND> 'opt' '=' ( I<AARE> | '(' '"' I<AARE> '"' | I<AARE> ')' )
 
-B<RLIMIT RULE> = 'set' 'rlimit' [I<RLIMIT> 'E<lt>=' I<RLIMIT VALUE> ] ','
+B<RLIMIT RULE> = 'set' 'rlimit' [I<RLIMIT> 'E<lt>=' I<RLIMIT VALUE> ]
 
 B<RLIMIT> = ( 'cpu' | 'fsize' | 'data' | 'stack' | 'core' | 'rss' | 'nofile' | 'ofile' | 'as' | 'nproc' | 'memlock' | 'locks' | 'sigpending' | 'msgqueue' | 'nice' | 'rtprio' | 'rttime' )
 
-B<RLIMIT VALUE> = ( I<RLIMIT SIZE> | I<RLIMIT NUMBER> | I <RLIMIT NICE> )
+B<RLIMIT VALUE> = ( I<RLIMIT SIZE> | I<RLIMIT NUMBER> | I<RLIMIT NICE> )
 
 B<RLIMIT SIZE> = I<NUMBER> ( 'K' | 'M' | 'G' ) Only applies to RLIMIT of 'fsize', 'data', 'stack', 'core', 'rss', 'as', 'memlock', 'msgqueue'.
 
@@ -213,7 +239,7 @@ B<RLIMIT NUMBER> = number from 0 to max rlimit value. Only applies ot RLIMIT of
 
 B<RLIMIT NICE> = a number between -20 and 19. Only applies to RLIMIT of 'nice'
 
-B<FILE RULE> = [ I<QUALIFIERS> ] [ 'owner' ] ( 'file' | [ 'file' ] ( I<FILEGLOB> I<ACCESS>  | I<ACCESS> I<FILEGLOB> ) [ -E<gt> <EXEC TARGET> ] ) ','
+B<FILE RULE> = [ I<QUALIFIERS> ] [ 'owner' ] ( 'file' | [ 'file' ] ( I<FILEGLOB> I<ACCESS>  | I<ACCESS> I<FILEGLOB> ) [ '-E<gt>' I<EXEC TARGET> ] )
 
 B<FILEGLOB> = ( I<QUOTED FILEGLOB> | I<UNQUOTED FILEGLOB> )
 
@@ -227,19 +253,19 @@ B<EXEC TRANSITION> =  ( 'ix' | 'ux' | 'Ux' | 'px' | 'Px' | 'cx' | 'Cx' | 'pix' |
 
 B<EXEC TARGET> = name  (requires I<EXEC TRANSITION> specified)
 
-B<LINK RULE> = I<QUALIFIERS> [ 'owner' ] 'link' [ 'subset' ] <FILEGLOB> ( 'to' | '-E<gt>' ) <FILEGLOB> ','
+B<LINK RULE> = I<QUALIFIERS> [ 'owner' ] 'link' [ 'subset' ] I<FILEGLOB> ( 'to' | '-E<gt>' ) I<FILEGLOB>
 
 B<VARIABLE> = '@{' I<ALPHA> [ ( I<ALPHANUMERIC> | '_' ) ... ] '}'
 
 B<VARIABLE ASSIGNMENT> = I<VARIABLE> ('=' | '+=') (space separated values)
 
-B<ALIAS RULE> = I<ABS PATH> '-E<gt>' I<REWRITTEN ABS PATH> ','
+B<ALIAS RULE> = I<ABS PATH> '-E<gt>' I<REWRITTEN ABS PATH>
 
 B<ALPHA> = ('a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')
 
 B<ALPHANUMERIC> = ('0', '1', '2', ... '9', 'a', 'b', 'c', ... 'z', 'A', 'B', ... 'Z')
 
-B<CHANGE_PROFILE RULE> = 'change_profile' [ I<EXEC COND> ] [ -E<gt> I<PROGRAMCHILD> ]
+B<CHANGE_PROFILE RULE> = 'change_profile' [ I<EXEC COND> ] [ '-E<gt>' I<PROFILE NAME> ]
 
 B<EXEC COND> = I<FILEGLOB>
 
@@ -334,7 +360,7 @@ modes:
 
 - transition to subprofile on execute with fallback to unconfined
 
-=item B<Cux>
+=item B<CUx>
 
 - transition to subprofile on execute with fallback to unconfined -- scrub the environment
 
@@ -506,7 +532,7 @@ determine the profile to transition to from the executable name. It
 is however possible to specify the name of the profile that the transition
 should use.
 
-The name of the profile to transition to is specified using the '->'
+The name of the profile to transition to is specified using the '-E<gt>'
 followed by the name of the profile to transition to. Eg.
 
   /bin/** px -> profile,
@@ -546,8 +572,9 @@ or trailing the file glob. Eg.
 
   /** rw,		# trailing permissions
 
-When a leading permissions is used further rule options and context
+When leading permissions are used further rule options and context
 may be allowed, Eg.
+
   l /foo -> /bar,	# lead 'l' link permission is equivalent to link rules
 
 =back
@@ -567,25 +594,27 @@ Eg.
   /link*  rw,
   link subset /link* -> /**,
 
-  The link rule allows linking of /link to both /file1 or /file2 by
-  name however because the /link file has 'rw' permissions it is not
-  allowed to link to /file1 because that would grant an access path
-  to /file1 with more permissions than the 'r' permissions the profile
-  specifies.
+The link rule allows linking of /link to both /file1 or /file2 by
+name however because the /link file has 'rw' permissions it is not
+allowed to link to /file1 because that would grant an access path
+to /file1 with more permissions than the 'r' permissions the profile
+specifies.
 
-  A link of /link to /file2 would be allowed because the 'rw' permissions
-  of /link are a subset of the 'rwk' permissions for /file1.
+A link of /link to /file2 would be allowed because the 'rw' permissions
+of /link are a subset of the 'rwk' permissions for /file1.
 
 The link rule is equivalent to specifying the 'l' link permission as
 a leading permission with no other file access permissions. When this
 is done the link rule options can be specified.
 
 The following link rule is equivalent to the 'l' permission file rule
+
   link /foo -> bar,
   l /foo -> /bar,
 
 File rules that specify the 'l' permission and don't specify the extend
 link permissions map to link rules as follows.
+
   /foo l,
   l /foo,
   link subset /foo -> /**,
@@ -1301,6 +1330,12 @@ Rule qualifiers can modify the rule and/or permissions within the rule.
 
 =over 4
 
+=item B<allow>
+
+Specifies that permissions requests that match the rule are allowed. This
+is the default value for rules and does not need to be specified. Conflicts
+with the I<deny> qualifier.
+
 =item B<audit>
 
 Specifies that permissions requests that match the rule should be recorded
@@ -1309,7 +1344,8 @@ to the audit log.
 =item B<deny>
 
 Specifies that permissions requests that match the rule should be denied
-without logging. Can be combined with 'audit' to enable logging.
+without logging. Can be combined with 'audit' to enable logging. Conflicts
+with the I<allow> qualifier.
 
 =item B<owner>
 
@@ -1318,6 +1354,16 @@ referenced by the permission check.
 
 =back
 
+=head3 Qualifier Blocks
+
+Rule Qualifiers can be applied to multiple rules at a time by grouping the
+rules into a rule block.
+
+  audit {
+     /foo r,
+     network,
+  }
+
 =head2 #include mechanism
 
 AppArmor provides an easy abstraction mechanism to group common file
diff --git a/parser/apparmor_parser.pod b/parser/apparmor_parser.pod
index 428b0581e..bab5979ae 100644
--- a/parser/apparmor_parser.pod
+++ b/parser/apparmor_parser.pod
@@ -183,6 +183,12 @@ defined as an absolute paths.
 Set the location of the apparmor security filesystem (default is
 "/sys/kernel/security/apparmor").
 
+=item -M n, --features-file n
+
+Use the features file located at path "n" (default is
+/etc/apparmor.d/cache/.features). If the --cache-loc option is present, the
+".features" file in the specified cache directory is used.
+
 =item -m n, --match-string n
 
 Only use match features "n".
diff --git a/parser/immunix.h b/parser/immunix.h
index 1762a1c68..e033eede0 100644
--- a/parser/immunix.h
+++ b/parser/immunix.h
@@ -29,9 +29,9 @@
 #define AA_MAY_WRITE			(1 << 1)
 #define AA_MAY_READ			(1 << 2)
 #define AA_MAY_APPEND			(1 << 3)
-#define AA_MAY_LINK			(1 << 4)
-#define AA_MAY_LOCK			(1 << 5)
-#define AA_EXEC_MMAP			(1 << 6)
+#define AA_OLD_MAY_LINK			(1 << 4)
+#define AA_OLD_MAY_LOCK			(1 << 5)
+#define AA_OLD_EXEC_MMAP		(1 << 6)
 #define AA_EXEC_PUX			(1 << 7)
 #define AA_EXEC_UNSAFE			(1 << 8)
 #define AA_EXEC_INHERIT			(1 << 9)
@@ -42,8 +42,8 @@
 
 #define AA_BASE_PERMS			(AA_MAY_EXEC | AA_MAY_WRITE | \
 					 AA_MAY_READ | AA_MAY_APPEND | \
-					 AA_MAY_LINK | AA_MAY_LOCK | \
-					 AA_EXEC_PUX | AA_EXEC_MMAP | \
+					 AA_OLD_MAY_LINK | AA_OLD_MAY_LOCK | \
+					 AA_EXEC_PUX | AA_OLD_EXEC_MMAP | \
 					 AA_EXEC_UNSAFE | AA_EXEC_INHERIT | \
 					 AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
 					 AA_EXEC_MOD_2 | AA_EXEC_MOD_3)
@@ -95,8 +95,8 @@
 #define ALL_USER_EXEC			(AA_USER_EXEC | AA_USER_EXEC_TYPE)
 #define ALL_OTHER_EXEC			(AA_OTHER_EXEC | AA_OTHER_EXEC_TYPE)
 
-#define AA_LINK_BITS			((AA_MAY_LINK << AA_USER_SHIFT) | \
-					 (AA_MAY_LINK << AA_OTHER_SHIFT))
+#define AA_LINK_BITS			((AA_OLD_MAY_LINK << AA_USER_SHIFT) | \
+					 (AA_OLD_MAY_LINK << AA_OTHER_SHIFT))
 
 #define SHIFT_MODE(MODE, SHIFT)		((((MODE) & AA_BASE_PERMS) << (SHIFT))\
 					 | ((MODE) & ~AA_FILE_PERMS))
@@ -104,7 +104,7 @@
 					 | ((MODE) & ~AA_FILE_PERMS))
 
 
-#define AA_LINK_SUBSET_TEST		(AA_MAY_LINK << 1)
+#define AA_LINK_SUBSET_TEST		(AA_OLD_MAY_LINK << 1)
 #define LINK_SUBSET_BITS	((AA_LINK_SUBSET_TEST << AA_USER_SHIFT) | \
 				 (AA_LINK_SUBSET_TEST << AA_OTHER_SHIFT))
 #define LINK_TO_LINK_SUBSET(X)		(((X) << 1) & AA_LINK_SUBSET_TEST)
@@ -137,9 +137,9 @@ enum pattern_t {
 #define HAS_MAY_WRITE(mode)		((mode) & AA_MAY_WRITE)
 #define HAS_MAY_APPEND(mode)		((mode) & AA_MAY_APPEND)
 #define HAS_MAY_EXEC(mode)		((mode) & AA_MAY_EXEC)
-#define HAS_MAY_LINK(mode)		((mode) & AA_MAY_LINK)
-#define HAS_MAY_LOCK(mode)		((mode) & AA_MAY_LOCK)
-#define HAS_EXEC_MMAP(mode) 		((mode) & AA_EXEC_MMAP)
+#define HAS_MAY_LINK(mode)		((mode) & AA_OLD_MAY_LINK)
+#define HAS_MAY_LOCK(mode)		((mode) & AA_OLD_MAY_LOCK)
+#define HAS_EXEC_MMAP(mode) 		((mode) & AA_OLD_EXEC_MMAP)
 
 #define HAS_EXEC_UNSAFE(mode) 		((mode) & AA_EXEC_UNSAFE)
 #define HAS_CHANGE_PROFILE(mode)	((mode) & AA_CHANGE_PROFILE)
@@ -161,3 +161,6 @@ static inline int is_merged_x_consistent(int a, int b)
 }
 
 #endif				/* ! _IMMUNIX_H */
+
+/*  LocalWords:  MMAP
+ */
diff --git a/parser/lib.c b/parser/lib.c
index 6aae67004..11c221075 100644
--- a/parser/lib.c
+++ b/parser/lib.c
@@ -16,7 +16,6 @@
  *   Ltd.
  */
 
-#include <dirent.h>
 #include <string.h>
 
 #include <sys/stat.h>
@@ -29,10 +28,10 @@
 #include "lib.h"
 #include "parser.h"
 
-int dirat_for_each(DIR *dir, const char *name, void *data,
-		   int (* cb)(DIR *, const char *, struct stat *, void *))
+int dirat_for_each(int dirfd, const char *name, void *data,
+		   int (* cb)(int, const char *, struct stat *, void *))
 {
-	int retval = _aa_dirat_for_each(dir, name, data, cb);
+	int retval = _aa_dirat_for_each(dirfd, name, data, cb);
 
 	if (retval)
 		PDEBUG("dirat_for_each failed: %m\n");
diff --git a/parser/lib.h b/parser/lib.h
index a980a5a84..e9a856771 100644
--- a/parser/lib.h
+++ b/parser/lib.h
@@ -9,8 +9,8 @@
 
 #define asprintf _aa_asprintf
 
-int dirat_for_each(DIR *dir, const char *name, void *data,
-		   int (* cb)(DIR *, const char *, struct stat *, void *));
+int dirat_for_each(int dirfd, const char *name, void *data,
+		   int (* cb)(int, const char *, struct stat *, void *));
 
 int isodigit(char c);
 long strntol(const char *str, const char **endptr, int base, long maxval,
diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
index d13c71906..02aa80fa0 100644
--- a/parser/libapparmor_re/aare_rules.cc
+++ b/parser/libapparmor_re/aare_rules.cc
@@ -35,13 +35,13 @@
 #include "../immunix.h"
 
 
-
 aare_rules::~aare_rules(void)
 {
 	if (root)
 		root->release();
 
-	aare_reset_matchflags();
+	unique_perms.clear();
+	expr_map.clear();
 }
 
 bool aare_rules::add_rule(const char *rule, int deny, uint32_t perms,
@@ -50,40 +50,15 @@ bool aare_rules::add_rule(const char *rule, int deny, uint32_t perms,
 	return add_rule_vec(deny, perms, audit, 1, &rule, flags);
 }
 
-#define FLAGS_WIDTH 2
-#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
-MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2)	/* double for each of ix pux, unsafe x bits * u::o */
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];	/* mods + unsafe + ix + pux * u::o */
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];	/* mods + unsafe + ix + pux *u::o */
-
-void aare_reset_matchflags(void)
-{
-	uint32_t i, j;
-#define RESET_FLAGS(group, size) { \
-	for (i = 0; i < FLAGS_WIDTH; i++) { \
-		for (j = 0; j < size; j++) { \
-		    if ((group)[i][j]) delete (group)[i][j];	\
-			(group)[i][j] = NULL; \
-		} \
-	} \
-}
-	RESET_FLAGS(match_flags, MATCH_FLAGS_SIZE);
-	RESET_FLAGS(deny_flags, MATCH_FLAGS_SIZE);
-	RESET_FLAGS(exec_match_flags, EXEC_MATCH_FLAGS_SIZE);
-	RESET_FLAGS(exact_match_flags, EXEC_MATCH_FLAGS_SIZE);
-#undef RESET_FLAGS
-}
-
 void aare_rules::add_to_rules(Node *tree, Node *perms)
 {
 	if (reverse)
 		flip_tree(tree);
-	if (root)
-		root = new AltNode(root, new CatNode(tree, perms));
+	Node *base = expr_map[perms];
+	if (base)
+		expr_map[perms] = new AltNode(base, tree);
 	else
-		root = new CatNode(tree, perms);
+		expr_map[perms] = tree;
 }
 
 static Node *cat_with_null_seperator(Node *l, Node *r)
@@ -91,84 +66,6 @@ static Node *cat_with_null_seperator(Node *l, Node *r)
 	return new CatNode(new CatNode(l, new CharNode(0)), r);
 }
 
-static Node *convert_file_perms(int deny, uint32_t perms, uint32_t audit,
-				bool exact_match)
-{
-	Node *accept;
-
-	assert(perms != 0);
-
-/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
-
-
-	/* the permissions set is assumed to be non-empty if any audit
-	 * bits are specified */
-	accept = NULL;
-	for (unsigned int n = 0; perms && n < (sizeof(perms) * 8); n++) {
-		uint32_t mask = 1 << n;
-
-		if (!(perms & mask))
-			continue;
-
-		int ai = audit & mask ? 1 : 0;
-		perms &= ~mask;
-
-		Node *flag;
-		if (mask & ALL_AA_EXEC_TYPE)
-			/* these cases are covered by EXEC_BITS */
-			continue;
-		if (deny) {
-			if (deny_flags[ai][n]) {
-				flag = deny_flags[ai][n];
-			} else {
-//fprintf(stderr, "Adding deny ai %d mask 0x%x audit 0x%x\n", ai, mask, audit & mask);
-				deny_flags[ai][n] = new DenyMatchFlag(mask, audit & mask);
-				flag = deny_flags[ai][n];
-			}
-		} else if (mask & AA_EXEC_BITS) {
-			uint32_t eperm = 0;
-			uint32_t index = 0;
-			if (mask & AA_USER_EXEC) {
-				eperm = mask | (perms & AA_USER_EXEC_TYPE);
-				index = EXTRACT_X_INDEX(eperm, AA_USER_SHIFT);
-			} else {
-				eperm = mask | (perms & AA_OTHER_EXEC_TYPE);
-				index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + (AA_EXEC_COUNT << 2);
-			}
-//fprintf(stderr, "index %d eperm 0x%x\n", index, eperm);
-			if (exact_match) {
-				if (exact_match_flags[ai][index]) {
-					flag = exact_match_flags[ai][index];
-				} else {
-					exact_match_flags[ai][index] = new ExactMatchFlag(eperm, audit & mask);
-					flag = exact_match_flags[ai][index];
-				}
-			} else {
-				if (exec_match_flags[ai][index]) {
-					flag = exec_match_flags[ai][index];
-				} else {
-					exec_match_flags[ai][index] = new MatchFlag(eperm, audit & mask);
-					flag = exec_match_flags[ai][index];
-				}
-			}
-		} else {
-			if (match_flags[ai][n]) {
-				flag = match_flags[ai][n];
-			} else {
-				match_flags[ai][n] = new MatchFlag(mask, audit & mask);
-				flag = match_flags[ai][n];
-			}
-		}
-		if (accept)
-			accept = new AltNode(accept, flag);
-		else
-			accept = flag;
-	} /* for ... */
-
-	return accept;
-}
-
 bool aare_rules::add_rule_vec(int deny, uint32_t perms, uint32_t audit,
 			      int count, const char **rulev, dfaflags_t flags)
 {
@@ -202,7 +99,7 @@ bool aare_rules::add_rule_vec(int deny, uint32_t perms, uint32_t audit,
 	if (reverse)
 		flip_tree(tree);
 
-	accept = convert_file_perms(deny, perms, audit, exact_match);
+	accept = unique_perms.insert(deny, perms, audit, exact_match);
 
 	if (flags & DFA_DUMP_RULE_EXPR) {
 		cerr << "rule: ";
@@ -235,6 +132,30 @@ void *aare_rules::create_dfa(size_t *size, dfaflags_t flags)
 {
 	char *buffer = NULL;
 
+	/* finish constructing the expr tree from the different permission
+	 * set nodes */
+	PermExprMap::iterator i = expr_map.begin();
+	if (i != expr_map.end()) {
+		if (flags & DFA_CONTROL_TREE_SIMPLE) {
+			Node *tmp = simplify_tree(i->second, flags);
+			root = new CatNode(tmp, i->first);
+		} else
+			root = new CatNode(i->second, i->first);
+		for (i++; i != expr_map.end(); i++) {
+			Node *tmp;
+			if (flags & DFA_CONTROL_TREE_SIMPLE) {
+				tmp = simplify_tree(i->second, flags);
+			} else
+				tmp = i->second;
+			root = new AltNode(root, new CatNode(tmp, i->first));
+		}
+	}
+
+	/* dumping of the none simplified tree without -O no-expr-simplify
+	 * is broken because we need to build the tree above first, and
+	 * simplification is woven into the build. Reevaluate how to fix
+	 * this debug dump.
+	 */
 	label_nodes(root);
 	if (flags & DFA_DUMP_TREE) {
 		cerr << "\nDFA: Expression Tree\n";
@@ -243,7 +164,13 @@ void *aare_rules::create_dfa(size_t *size, dfaflags_t flags)
 	}
 
 	if (flags & DFA_CONTROL_TREE_SIMPLE) {
-		root = simplify_tree(root, flags);
+		/* This is old total tree, simplification point
+		 * For now just do simplification up front. It gets most
+		 * of the benefit running on the smaller chains, and is
+		 * overall faster because there are less nodes. Reevaluate
+		 * once tree simplification is rewritten
+		 */
+		//root = simplify_tree(root, flags);
 
 		if (flags & DFA_DUMP_SIMPLE_TREE) {
 			cerr << "\nDFA: Simplified Expression Tree\n";
diff --git a/parser/libapparmor_re/aare_rules.h b/parser/libapparmor_re/aare_rules.h
index ba3266292..87b79f590 100644
--- a/parser/libapparmor_re/aare_rules.h
+++ b/parser/libapparmor_re/aare_rules.h
@@ -26,14 +26,78 @@
 #include "apparmor_re.h"
 #include "expr-tree.h"
 
+class UniquePerm {
+public:
+	bool deny;
+	bool exact_match;
+	uint32_t perms;
+	uint32_t audit;
+
+	bool operator<(UniquePerm const &rhs)const
+	{
+		if (deny == rhs.deny) {
+			if (exact_match == rhs.exact_match) {
+				if (perms == rhs.perms)
+					return audit < rhs.audit;
+				return perms < rhs.perms;
+			}
+			return exact_match;
+		}
+		return deny;
+	}
+};
+
+class UniquePermsCache {
+public:
+	typedef map<UniquePerm, Node*> UniquePermMap;
+	typedef UniquePermMap::iterator iterator;
+	UniquePermMap nodes;
+
+	UniquePermsCache(void) { };
+	~UniquePermsCache() { clear(); }
+
+	void clear()
+	{
+		for (iterator i = nodes.begin(); i != nodes.end(); i++) {
+			delete i->second;
+		}
+		nodes.clear();
+	}
+
+	Node *insert(bool deny, uint32_t perms, uint32_t audit,
+		     bool exact_match)
+	{
+		UniquePerm tmp = { deny, exact_match, perms, audit };
+		iterator res = nodes.find(tmp);
+		if (res == nodes.end()) {
+			Node *node;
+			if (deny)
+				node = new DenyMatchFlag(perms, audit);
+			else if (exact_match)
+				node = new ExactMatchFlag(perms, audit);
+			else
+				node = new MatchFlag(perms, audit);
+			pair<iterator, bool> val = nodes.insert(make_pair(tmp, node));
+			if (val.second == false)
+				return val.first->second;
+			return node;
+		}
+		return res->second;
+	}
+};
+
+typedef std::map<Node *, Node *> PermExprMap;
+
 class aare_rules {
 	Node *root;
 	void add_to_rules(Node *tree, Node *perms);
-public:
+	UniquePermsCache unique_perms;
+	PermExprMap expr_map;
+ public:
 	int reverse;
 	int rule_count;
-	aare_rules(): root(NULL), reverse(0), rule_count(0) { };
-	aare_rules(int reverse): root(NULL), reverse(reverse), rule_count(0) { };
+	aare_rules(void): root(NULL), unique_perms(), expr_map(), reverse(0), rule_count(0) { };
+	aare_rules(int reverse): root(NULL), unique_perms(), expr_map(), reverse(reverse), rule_count(0) { };
 	~aare_rules();
 
 	bool add_rule(const char *rule, int deny, uint32_t perms,
@@ -43,6 +107,4 @@ public:
 	void *create_dfa(size_t *size, dfaflags_t flags);
 };
 
-void aare_reset_matchflags(void);
-
 #endif				/* __LIBAA_RE_RULES_H */
diff --git a/parser/parser.h b/parser/parser.h
index f4566b949..dfd195d87 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -100,7 +100,10 @@ struct cond_entry_list {
 struct cod_entry {
 	char *ns;
 	char *name;
-	char *link_name;
+	union {
+		char *link_name;
+		char *onexec;
+	};
 	char *nt_name;
 	Profile *prof;		 	/* Special profile defined
 					 * just for this executable */
@@ -333,7 +336,6 @@ extern int abort_on_error;
 extern int skip_bad_cache_rebuild;
 extern int mru_skip_cache;
 extern int debug_cache;
-extern struct timespec mru_tstamp;
 
 /* provided by parser_lex.l (cannot be used in tst builds) */
 extern FILE *yyin;
@@ -359,8 +361,6 @@ extern int clear_and_convert_entry(std::string& buffer, char *entry);
 extern int process_regex(Profile *prof);
 extern int post_process_entry(struct cod_entry *entry);
 
-extern void reset_regex(void);
-
 extern int process_policydb(Profile *prof);
 
 extern int process_policy_ents(Profile *prof);
diff --git a/parser/parser_lex.l b/parser/parser_lex.l
index 0456843a0..2832a1cc3 100644
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -32,7 +32,6 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
-#include <dirent.h>
 
 #include <unordered_map>
 #include <string>
@@ -120,7 +119,7 @@ struct cb_struct {
 	const char *filename;
 };
 
-static int include_dir_cb(DIR *dir unused, const char *name, struct stat *st,
+static int include_dir_cb(int dirfd unused, const char *name, struct stat *st,
 			  void *data)
 {
 	struct cb_struct *d = (struct cb_struct *) data;
@@ -179,7 +178,7 @@ void include_filename(char *filename, int search)
 		struct cb_struct data = { fullpath, filename };
 		fclose(include_file);
 		include_file = NULL;
-		if (dirat_for_each(NULL, fullpath, &data, include_dir_cb)) {
+		if (dirat_for_each(AT_FDCWD, fullpath, &data, include_dir_cb)) {
 			yyerror(_("Could not process include directory"
 				  " '%s' in '%s'"), fullpath, filename);;
 		}
@@ -443,7 +442,7 @@ LT_EQUAL	<=
 
 	({IDS}|{QUOTED_ID}) {
 		yylval.id = processid(yytext, yyleng);
-		POP_AND_RETURN(TOK_ID);
+		RETURN_TOKEN(TOK_ID);
 	}
 }
 
@@ -612,7 +611,7 @@ LT_EQUAL	<=
 	PUSH_AND_RETURN(state, token);
 }
 
-<INITIAL,NETWORK_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE>{
+<INITIAL,NETWORK_MODE,RLIMIT_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE>{
 	{END_OF_RULE}	{
 		if (YY_START != INITIAL)
 			POP_NODUMP();
diff --git a/parser/parser_main.c b/parser/parser_main.c
index 8aee1483c..616c1ceda 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -28,7 +28,6 @@
 #include <getopt.h>
 #include <errno.h>
 #include <fcntl.h>
-#include <dirent.h>
 
 /* enable the following line to get voluminous debug info */
 /* #define DEBUG */
@@ -77,7 +76,7 @@ int abort_on_error = 0;			/* stop processing profiles if error */
 int skip_bad_cache_rebuild = 0;
 int mru_skip_cache = 1;
 int debug_cache = 0;
-struct timespec mru_tstamp;
+struct timespec cache_tstamp, mru_policy_tstamp;
 
 static char *apparmorfs = NULL;
 static char *cacheloc = NULL;
@@ -398,7 +397,7 @@ static int process_arg(int c, char *optarg)
 		}
 		break;
 	case 'M':
-		if (aa_features_new(&features, optarg)) {
+		if (aa_features_new(&features, AT_FDCWD, optarg)) {
 			fprintf(stderr,
 				"Failed to load features from '%s': %m\n",
 				optarg);
@@ -601,7 +600,7 @@ int process_binary(int option, aa_kernel_interface *kernel_interface,
 	if (kernel_load) {
 		if (option == OPTION_ADD) {
 			retval = profilename ?
-				 aa_kernel_interface_load_policy_from_file(kernel_interface, profilename) :
+				 aa_kernel_interface_load_policy_from_file(kernel_interface, AT_FDCWD, profilename) :
 				 aa_kernel_interface_load_policy_from_fd(kernel_interface, 0);
 			if (retval == -1) {
 				retval = errno;
@@ -611,7 +610,7 @@ int process_binary(int option, aa_kernel_interface *kernel_interface,
 			}
 		} else if (option == OPTION_REPLACE) {
 			retval = profilename ?
-				 aa_kernel_interface_replace_policy_from_file(kernel_interface, profilename) :
+				 aa_kernel_interface_replace_policy_from_file(kernel_interface, AT_FDCWD, profilename) :
 				 aa_kernel_interface_replace_policy_from_fd(kernel_interface, 0);
 			if (retval == -1) {
 				retval = errno;
@@ -646,12 +645,12 @@ int process_binary(int option, aa_kernel_interface *kernel_interface,
 
 void reset_parser(const char *filename)
 {
-	memset(&mru_tstamp, 0, sizeof(mru_tstamp));
+	memset(&mru_policy_tstamp, 0, sizeof(mru_policy_tstamp));
+	memset(&cache_tstamp, 0, sizeof(cache_tstamp));
 	mru_skip_cache = 1;
 	free_aliases();
 	free_symtabs();
 	free_policies();
-	reset_regex();
 	reset_include_stack(filename);
 }
 
@@ -811,7 +810,7 @@ struct dir_cb_data {
 };
 
 /* data - pointer to a dir_cb_data */
-static int profile_dir_cb(DIR *dir unused, const char *name, struct stat *st,
+static int profile_dir_cb(int dirfd unused, const char *name, struct stat *st,
 			  void *data)
 {
 	int rc = 0;
@@ -828,7 +827,7 @@ static int profile_dir_cb(DIR *dir unused, const char *name, struct stat *st,
 }
 
 /* data - pointer to a dir_cb_data */
-static int binary_dir_cb(DIR *dir unused, const char *name, struct stat *st,
+static int binary_dir_cb(int dirfd unused, const char *name, struct stat *st,
 			 void *data)
 {
 	int rc = 0;
@@ -898,13 +897,15 @@ int main(int argc, char *argv[])
 
 	if ((!skip_cache && (write_cache || !skip_read_cache)) ||
 	    force_clear_cache) {
+		uint16_t max_caches = write_cache && cond_clear_cache ? 1 : 0;
+
 		if (!cacheloc && asprintf(&cacheloc, "%s/cache", basedir) == -1) {
 			PERROR(_("Memory allocation error."));
 			return 1;
 		}
 
 		if (force_clear_cache) {
-			if (aa_policy_cache_remove(cacheloc)) {
+			if (aa_policy_cache_remove(AT_FDCWD, cacheloc)) {
 				PERROR(_("Failed to clear cache files (%s): %s\n"),
 				       cacheloc, strerror(errno));
 				return 1;
@@ -916,31 +917,25 @@ int main(int argc, char *argv[])
 		if (create_cache_dir)
 			pwarn(_("The --create-cache-dir option is deprecated. Please use --write-cache.\n"));
 
-		retval = aa_policy_cache_new(&policy_cache, features, cacheloc,
-					     write_cache);
+		retval = aa_policy_cache_new(&policy_cache, features,
+					     AT_FDCWD, cacheloc, max_caches);
 		if (retval) {
-			if (errno != ENOENT) {
+			if (errno != ENOENT && errno != EEXIST) {
 				PERROR(_("Failed setting up policy cache (%s): %s\n"),
 				       cacheloc, strerror(errno));
 				return 1;
 			}
 
-			write_cache = 0;
-			skip_read_cache = 0;
-		} else if (!aa_policy_cache_is_valid(policy_cache)) {
-			if (write_cache && cond_clear_cache &&
-			    aa_policy_cache_create(policy_cache)) {
-				if (show_cache)
+			if (show_cache) {
+				if (max_caches > 0)
 					PERROR("Cache write disabled: Cannot create cache '%s': %m\n",
 					       cacheloc);
-				write_cache = 0;
-				skip_read_cache = 1;
-			} else if (!write_cache || !cond_clear_cache) {
-				if (show_cache)
+				else
 					PERROR("Cache read/write disabled: Policy cache is invalid\n");
-				write_cache = 0;
-				skip_read_cache = 1;
 			}
+
+			write_cache = 0;
+			skip_read_cache = 1;
 		}
 	}
 
@@ -965,14 +960,14 @@ int main(int argc, char *argv[])
 		}
 
 		if (profilename && S_ISDIR(stat_file.st_mode)) {
-			int (*cb)(DIR *dir, const char *name, struct stat *st,
+			int (*cb)(int dirfd, const char *name, struct stat *st,
 				  void *data);
 			struct dir_cb_data cb_data;
 
 			cb_data.dirname = profilename;
 			cb_data.cachedir = cacheloc;
 			cb = binary_input ? binary_dir_cb : profile_dir_cb;
-			if ((retval = dirat_for_each(NULL, profilename,
+			if ((retval = dirat_for_each(AT_FDCWD, profilename,
 						     &cb_data, cb))) {
 				PDEBUG("Failed loading profiles from %s\n",
 				       profilename);
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index 6c0beb912..e362f245d 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -53,7 +53,7 @@
 
 int is_blacklisted(const char *name, const char *path)
 {
-	int retval = _aa_is_blacklisted(name, path);
+	int retval = _aa_is_blacklisted(name);
 
 	if (retval == -1)
 		PERROR("Ignoring: '%s'\n", path ? path : name);
@@ -332,7 +332,7 @@ reeval:
 		case COD_READ_CHAR:
 			if (read_implies_exec) {
 				PDEBUG("Parsing mode: found %s READ imply X\n", mode_desc);
-				mode |= AA_MAY_READ | AA_EXEC_MMAP;
+				mode |= AA_MAY_READ | AA_OLD_EXEC_MMAP;
 			} else {
 				PDEBUG("Parsing mode: found %s READ\n", mode_desc);
 				mode |= AA_MAY_READ;
@@ -355,12 +355,12 @@ reeval:
 
 		case COD_LINK_CHAR:
 			PDEBUG("Parsing mode: found %s LINK\n", mode_desc);
-			mode |= AA_MAY_LINK;
+			mode |= AA_OLD_MAY_LINK;
 			break;
 
 		case COD_LOCK_CHAR:
 			PDEBUG("Parsing mode: found %s LOCK\n", mode_desc);
-			mode |= AA_MAY_LOCK;
+			mode |= AA_OLD_MAY_LOCK;
 			break;
 
 		case COD_INHERIT_CHAR:
@@ -439,7 +439,7 @@ reeval:
 
 		case COD_MMAP_CHAR:
 			PDEBUG("Parsing mode: found %s MMAP\n", mode_desc);
-			mode |= AA_EXEC_MMAP;
+			mode |= AA_OLD_EXEC_MMAP;
 			break;
 
 		case COD_EXEC_CHAR:
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 96f377ad8..a138b4325 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -492,6 +492,8 @@ static int process_profile_name_xmatch(Profile *prof)
 	return TRUE;
 }
 
+static int warn_change_profile = 1;
+
 static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 {
 	std::string tbuf;
@@ -514,9 +516,9 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 	 * dfa states like it does for pcre
 	 */
 	if ((entry->mode >> AA_OTHER_SHIFT) & AA_EXEC_INHERIT)
-		entry->mode |= AA_EXEC_MMAP << AA_OTHER_SHIFT;
+		entry->mode |= AA_OLD_EXEC_MMAP << AA_OTHER_SHIFT;
 	if ((entry->mode >> AA_USER_SHIFT) & AA_EXEC_INHERIT)
-		entry->mode |= AA_EXEC_MMAP << AA_USER_SHIFT;
+		entry->mode |= AA_OLD_EXEC_MMAP << AA_USER_SHIFT;
 
 	/* the link bit on the first pair entry should not get masked
 	 * out by a deny rule, as both pieces of the link pair must
@@ -530,8 +532,9 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 	if (entry->deny) {
 		if ((entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE)) &&
 		    !dfarules->add_rule(tbuf.c_str(), entry->deny,
-					entry->mode & ~AA_LINK_BITS,
-					entry->audit & ~AA_LINK_BITS, dfaflags))
+					entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
+					entry->audit & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
+					dfaflags))
 			return FALSE;
 	} else if (entry->mode & ~AA_CHANGE_PROFILE) {
 		if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->mode,
@@ -562,11 +565,25 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 	}
 	if (entry->mode & AA_CHANGE_PROFILE) {
 		const char *vec[3];
-		std::string lbuf;
+		std::string lbuf, xbuf;
 		int index = 1;
 
-		/* allow change_profile for all execs */
-		vec[0] = "/[^\\x00]*";
+		if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) {
+			/* don't have profile name here, so until this code
+			 * gets refactored just throw out a generic warning
+			 */
+			fprintf(stderr, "Warning kernel does not support audit modifier for change_profile rule.\n");
+			warn_change_profile = 0;
+		}
+
+		if (entry->onexec) {
+			ptype = convert_aaregex_to_pcre(entry->onexec, 0, glob_default, xbuf, &pos);
+			if (ptype == ePatternInvalid)
+				return FALSE;
+			vec[0] = xbuf.c_str();
+		} else
+			/* allow change_profile for all execs */
+			vec[0] = "/[^/\\x00][^\\x00]*";
 
 		if (entry->ns) {
 			int pos;
@@ -576,12 +593,12 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 		vec[index++] = tbuf.c_str();
 
 		/* regular change_profile rule */
-		if (!dfarules->add_rule_vec(0, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
+		if (!dfarules->add_rule_vec(entry->deny, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
 			return FALSE;
 		/* onexec rules - both rules are needed for onexec */
-		if (!dfarules->add_rule_vec(0, AA_ONEXEC, 0, 1, vec, dfaflags))
+		if (!dfarules->add_rule_vec(entry->deny, AA_ONEXEC, 0, 1, vec, dfaflags))
 			return FALSE;
-		if (!dfarules->add_rule_vec(0, AA_ONEXEC, 0, index, vec, dfaflags))
+		if (!dfarules->add_rule_vec(entry->deny, AA_ONEXEC, 0, index, vec, dfaflags))
 			return FALSE;
 	}
 	return TRUE;
@@ -762,8 +779,6 @@ int process_profile_policydb(Profile *prof)
 		prof->policy.rules = NULL;
 	}
 
-	aare_reset_matchflags();
-
 	error = 0;
 
 out:
@@ -773,11 +788,6 @@ out:
 	return error;
 }
 
-void reset_regex(void)
-{
-	aare_reset_matchflags();
-}
-
 #ifdef UNIT_TEST
 
 #include "unit_test.h"
diff --git a/parser/parser_variable.c b/parser/parser_variable.c
index e1f6543f2..ac334dcde 100644
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -254,6 +254,11 @@ static int process_variables_in_entries(struct cod_entry *entry_list)
 		error = expand_entry_variables(&entry->name);
 		if (error)
 			return error;
+		if (entry->link_name) {
+			error = expand_entry_variables(&entry->link_name);
+			if (error)
+				return error;
+		}
 	}
 
 	return 0;
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index e4660239f..b3083d56a 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -244,6 +244,7 @@ void add_local_entry(Profile *prof);
 %type <flags>	flagval
 %type <cap>	caps
 %type <cap>	capability
+%type <id>	change_profile_head
 %type <user_entry> change_profile
 %type <set_var> TOK_SET_VAR
 %type <bool_var> TOK_BOOL_VAR
@@ -258,6 +259,7 @@ void add_local_entry(Profile *prof);
 %type <boolean> opt_flags
 %type <boolean> opt_perm_mode
 %type <id>	opt_ns
+%type <id>	ns_id
 %type <id>	opt_id
 %type <prefix>  opt_prefix
 %type <fmode>	dbus_perm
@@ -297,8 +299,10 @@ opt_profile_flag: { /* nothing */ $$ = 0; }
 	| TOK_PROFILE { $$ = 1; }
 	| hat_start { $$ = 2; }
 
+ns_id: TOK_COLON id_or_var TOK_COLON { $$ = $2; }
+
 opt_ns: { /* nothing */ $$ = NULL; }
-	| TOK_COLON TOK_ID TOK_COLON { $$ = $2; }
+	| ns_id { $$ = $1; }
 
 opt_id: { /* nothing */ $$ = NULL; }
 	| TOK_ID { $$ = $1; }
@@ -785,13 +789,23 @@ rules:  rules opt_prefix unix_rule
 		$$ = $1;
 	}
 
-rules:	rules change_profile
+rules:	rules opt_prefix change_profile
 	{
 		PDEBUG("matched: rules change_profile\n");
-		PDEBUG("rules change_profile: (%s)\n", $2->name);
-		if (!$2)
+		PDEBUG("rules change_profile: (%s)\n", $3->name);
+		if (!$3)
 			yyerror(_("Assert: `change_profile' returned NULL."));
-		add_entry_to_policy($1, $2);
+		if ($2.owner)
+			yyerror(_("owner prefix not allowed on unix rules"));
+		if ($2.deny && $2.audit) {
+			$3->deny = 1;
+		} else if ($2.deny) {
+			$3->deny = 1;
+			$3->audit = $3->mode;
+		} else if ($2.audit) {
+			$3->audit = $3->mode;
+		}
+		add_entry_to_policy($1, $3);
 		$$ = $1;
 	};
 
@@ -1043,11 +1057,11 @@ opt_named_transition:
 		$$.ns = NULL;
 		$$.name = $2;
 	}
-	| TOK_ARROW TOK_COLON id_or_var TOK_COLON id_or_var
+	| TOK_ARROW ns_id id_or_var
 	{
 		$$.present = 1;
-		$$.ns = $3;
-		$$.name = $5;
+		$$.ns = $2;
+		$$.name = $3;
 	};
 
 rule: file_rule { $$ = $1; }
@@ -1120,7 +1134,7 @@ file_rule_tail: opt_unsafe id_or_var file_mode id_or_var
 		yyerror(_("missing an end of line character? (entry: %s)"), $2);
 	};
 
-link_rule: TOK_LINK opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
+link_rule: TOK_LINK opt_subset_flag id_or_var TOK_ARROW id_or_var TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;
 		PDEBUG("Matched: link tok_id (%s) -> (%s)\n", $3, $5);
@@ -1481,29 +1495,38 @@ file_mode: TOK_MODE
 		free($1);
 	}
 
-change_profile:	TOK_CHANGE_PROFILE TOK_ARROW TOK_ID TOK_END_OF_RULE
+change_profile_head: TOK_CHANGE_PROFILE opt_id
+	{
+		if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
+			yyerror(_("Exec condition must begin with '/'."));
+		$$ = $2;
+	}
+
+change_profile: change_profile_head TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;
-		PDEBUG("Matched change_profile: tok_id (%s)\n", $3);
-		entry = new_entry(NULL, $3, AA_CHANGE_PROFILE, NULL);
+		char *rule = strdup("**");
+		if (!rule)
+			yyerror(_("Memory allocation error."));
+		PDEBUG("Matched change_profile,\n");
+		entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, $1);
+		if (!entry)
+			yyerror(_("Memory allocation error."));
+		PDEBUG("change_profile,\n");
+		$$ = entry;
+	};
+
+change_profile:	change_profile_head TOK_ARROW opt_ns TOK_ID TOK_END_OF_RULE
+	{
+		struct cod_entry *entry;
+		PDEBUG("Matched change_profile: tok_id (:%s://%s)\n", $3 ? $3 : "", $4);
+		entry = new_entry($3, $4, AA_CHANGE_PROFILE, $1);
 		if (!entry)
 			yyerror(_("Memory allocation error."));
 		PDEBUG("change_profile.entry: (%s)\n", entry->name);
 		$$ = entry;
 	};
 
-change_profile:	TOK_CHANGE_PROFILE TOK_ARROW TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
-	{
-		struct cod_entry *entry;
-		PDEBUG("Matched change_profile: tok_id (%s:%s)\n", $4, $6);
-		entry = new_entry($4, $6, AA_CHANGE_PROFILE, NULL);
-		if (!entry)
-			yyerror(_("Memory allocation error."));
-		PDEBUG("change_profile.entry: (%s)\n", entry->name);
-		$$ = entry;
-	};
-
-
 capability:	TOK_CAPABILITY caps TOK_END_OF_RULE
 	{
 		if ($2 == 0) {
diff --git a/parser/policy_cache.c b/parser/policy_cache.c
index fc4912edd..4ba732cb4 100644
--- a/parser/policy_cache.c
+++ b/parser/policy_cache.c
@@ -25,6 +25,8 @@
 #include <sys/types.h>
 #include <unistd.h>
 #include <sys/stat.h>
+#include <sys/time.h>
+#include <utime.h>
 
 #include "lib.h"
 #include "parser.h"
@@ -70,22 +72,27 @@ bool valid_cached_file_version(const char *cachename)
 }
 
 
-void set_mru_tstamp(struct timespec t)
+void set_cache_tstamp(struct timespec t)
 {
 	mru_skip_cache = 0;
-	mru_tstamp = t;
+	cache_tstamp = t;
 }
 
 void update_mru_tstamp(FILE *file, const char *name)
 {
 	struct stat stat_file;
-	if (fstat(fileno(file), &stat_file) || (mru_tstamp.tv_sec == 0 && mru_tstamp.tv_nsec == 0))
+	if (fstat(fileno(file), &stat_file))
 		return;
-	if (mru_t_cmp(stat_file.st_mtim)) {
+	if (tstamp_cmp(mru_policy_tstamp, stat_file.st_mtim) < 0)
+		/* keep track of the most recent policy tstamp */
+		mru_policy_tstamp = stat_file.st_mtim;
+	if (tstamp_is_null(cache_tstamp))
+		return;
+	if (tstamp_cmp(stat_file.st_mtim, cache_tstamp) > 0) {
 		if (debug_cache)
 			pwarn("%s: file '%s' is newer than cache file\n", progname, name);
 		mru_skip_cache = 1;
-       }
+	}
 }
 
 char *cache_filename(const char *cachedir, const char *basename)
@@ -109,7 +116,7 @@ void valid_read_cache(const char *cachename)
 		if (stat(cachename, &stat_bin) == 0 &&
 		    stat_bin.st_size > 0) {
 			if (valid_cached_file_version(cachename))
-				set_mru_tstamp(stat_bin.st_ctim);
+				set_cache_tstamp(stat_bin.st_mtim);
 			else if (!cond_clear_cache)
 				write_cache = 0;
 		} else {
@@ -159,6 +166,12 @@ void install_cache(const char *cachetmpname, const char *cachename)
 	/* Only install the generate cache file if it parsed correctly
 	   and did not have write/close errors */
 	if (cachetmpname) {
+		struct timeval t;
+		/* set the mtime of the cache file to the most newest mtime
+		 * of policy files used to generate it
+		 */
+		TIMESPEC_TO_TIMEVAL(&t, &mru_policy_tstamp);
+		utimes(cachetmpname, &t);
 		if (rename(cachetmpname, cachename) < 0) {
 			pwarn("Warning failed to write cache: %s\n", cachename);
 			unlink(cachetmpname);
diff --git a/parser/policy_cache.h b/parser/policy_cache.h
index 3c3e85d59..693370d00 100644
--- a/parser/policy_cache.h
+++ b/parser/policy_cache.h
@@ -19,12 +19,14 @@
 #ifndef __AA_POLICY_CACHE_H
 #define __AA_POLICY_CACHE_H
 
-extern struct timespec mru_tstamp;
+extern struct timespec cache_tstamp, mru_policy_tstamp;
 
 /* returns true if time is more recent than mru_tstamp */
-#define mru_t_cmp(a) \
-(((a).tv_sec == (mru_tstamp).tv_sec) ? \
-  (a).tv_nsec > (mru_tstamp).tv_nsec : (a).tv_sec > (mru_tstamp).tv_sec)
+#define tstamp_cmp(a, b)						\
+  (((a).tv_sec == (b).tv_sec) ?						\
+   ((a).tv_nsec - (b).tv_nsec) :					\
+   ((a).tv_sec - (b).tv_sec))
+#define tstamp_is_null(a) ((a).tv_sec == 0 && (a).tv_nsec == 0)
 
 extern int show_cache;
 extern int skip_cache;
@@ -36,7 +38,7 @@ extern int create_cache_dir;		/* create the cache dir if missing? */
 extern int mru_skip_cache;
 extern int debug_cache;
 
-void set_mru_tstamp(struct timespec t);
+void set_cache_tstamp(struct timespec t);
 void update_mru_tstamp(FILE *file, const char *path);
 bool valid_cached_file_version(const char *cachename);
 char *cache_filename(const char *cachedir, const char *basename);
diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
index 89a048eb9..3beed2743 100755
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@@ -458,6 +458,12 @@ verify_binary_equality "Deny of ungranted perm" \
 		       "/t { /foo/[abc] r, }"
 
 
+verify_binary_equality "change_profile == change_profile -> **" \
+		       "/t { change_profile, }" \
+		       "/t { change_profile -> **, }" \
+		       "/t { change_profile /**, }" \
+		       "/t { change_profile /** -> **, }"
+
 if [ $fails -ne 0 -o $errors -ne 0 ]
 then
 	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
diff --git a/parser/tst/simple_tests/change_profile/a_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/a_bare_ok_1.sd
new file mode 100644
index 000000000..0763dc89c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_1.sd b/parser/tst/simple_tests/change_profile/a_ok_1.sd
new file mode 100644
index 000000000..8dcac5aef
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_2.sd b/parser/tst/simple_tests/change_profile/a_ok_2.sd
new file mode 100644
index 000000000..5967dc8db
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_3.sd b/parser/tst/simple_tests/change_profile/a_ok_3.sd
new file mode 100644
index 000000000..fba476884
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_4.sd b/parser/tst/simple_tests/change_profile/a_ok_4.sd
new file mode 100644
index 000000000..025d9d3cf
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit change_profile -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_5.sd b/parser/tst/simple_tests/change_profile/a_ok_5.sd
new file mode 100644
index 000000000..9b336e567
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit change_profile with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_6.sd b/parser/tst/simple_tests/change_profile/a_ok_6.sd
new file mode 100644
index 000000000..57684d14b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_7.sd b/parser/tst/simple_tests/change_profile/a_ok_7.sd
new file mode 100644
index 000000000..879be48dc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_8.sd b/parser/tst/simple_tests/change_profile/a_ok_8.sd
new file mode 100644
index 000000000..01e6dc78a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_1.sd b/parser/tst/simple_tests/change_profile/a_re_ok_1.sd
new file mode 100644
index 000000000..3ff2991fe
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION audit change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_2.sd b/parser/tst/simple_tests/change_profile/a_re_ok_2.sd
new file mode 100644
index 000000000..a113defa4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION audit change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit change_profile -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit change_profile -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit change_profile -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit change_profile -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit change_profile -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit change_profile -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit change_profile -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit change_profile -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit change_profile -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit change_profile -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit change_profile -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit change_profile -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_3.sd b/parser/tst/simple_tests/change_profile/a_re_ok_3.sd
new file mode 100644
index 000000000..d60133e8c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION audit change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit change_profile -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit change_profile -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit change_profile -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit change_profile -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit change_profile -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit change_profile -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit change_profile -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit change_profile -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit change_profile -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit change_profile -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit change_profile -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit change_profile -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_4.sd b/parser/tst/simple_tests/change_profile/a_re_ok_4.sd
new file mode 100644
index 000000000..a379127e0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION audit change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit change_profile -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit change_profile -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit change_profile -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit change_profile -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit change_profile -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit change_profile -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit change_profile -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit change_profile -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_5.sd b/parser/tst/simple_tests/change_profile/a_re_ok_5.sd
new file mode 100644
index 000000000..5dc20208c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit change_profile with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit change_profile -> *,
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> **,
+}
+
+/usr/bin/foo3 {
+   audit change_profile -> ?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_6.sd b/parser/tst/simple_tests/change_profile/a_re_ok_6.sd
new file mode 100644
index 000000000..436ee3c44
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit change_profile with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit change_profile -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit change_profile -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit change_profile -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit change_profile -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit change_profile -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit change_profile -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit change_profile -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit change_profile -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit change_profile -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit change_profile -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit change_profile -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit change_profile -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit change_profile -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_7.sd b/parser/tst/simple_tests/change_profile/a_re_ok_7.sd
new file mode 100644
index 000000000..3452d3af0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit change_profile with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   audit change_profile -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit change_profile -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit change_profile -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit change_profile -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit change_profile -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit change_profile -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit change_profile -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit change_profile -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit change_profile -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit change_profile -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_8.sd b/parser/tst/simple_tests/change_profile/a_re_ok_8.sd
new file mode 100644
index 000000000..694892866
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION audit change_profile re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   audit change_profile -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit change_profile -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit change_profile -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit change_profile -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit change_profile -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit change_profile -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit change_profile -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit change_profile -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit change_profile -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit change_profile -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_1.sd b/parser/tst/simple_tests/change_profile/aa_ok_1.sd
new file mode 100644
index 000000000..4950d9a4c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit allow change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_2.sd b/parser/tst/simple_tests/change_profile/aa_ok_2.sd
new file mode 100644
index 000000000..1ba7e7475
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit allow change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_3.sd b/parser/tst/simple_tests/change_profile/aa_ok_3.sd
new file mode 100644
index 000000000..208d8076c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit allow change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_4.sd b/parser/tst/simple_tests/change_profile/aa_ok_4.sd
new file mode 100644
index 000000000..9d139de4c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit allow change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit allow change_profile -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_5.sd b/parser/tst/simple_tests/change_profile/aa_ok_5.sd
new file mode 100644
index 000000000..9ba2675d7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit allow change_profile with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit allow change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_6.sd b/parser/tst/simple_tests/change_profile/aa_ok_6.sd
new file mode 100644
index 000000000..12182890c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit allow change_profile with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_7.sd b/parser/tst/simple_tests/change_profile/aa_ok_7.sd
new file mode 100644
index 000000000..77c7be692
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit allow change_profile to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_8.sd b/parser/tst/simple_tests/change_profile/aa_ok_8.sd
new file mode 100644
index 000000000..786505bef
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit allow change_profile with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_1.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_1.sd
new file mode 100644
index 000000000..7cfc02787
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION audit allow change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_2.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_2.sd
new file mode 100644
index 000000000..a8967f87d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION audit allow change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit allow change_profile -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_3.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_3.sd
new file mode 100644
index 000000000..1c533aee5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION audit allow change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit allow change_profile -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_4.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_4.sd
new file mode 100644
index 000000000..297915a70
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION audit allow change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit allow change_profile -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_5.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_5.sd
new file mode 100644
index 000000000..3e01b85f2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit allow change_profile with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit allow change_profile -> *,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> **,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile -> ?,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_6.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_6.sd
new file mode 100644
index 000000000..7558377f4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit allow change_profile with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit allow change_profile -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_7.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_7.sd
new file mode 100644
index 000000000..b522af806
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit allow change_profile with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   audit allow change_profile -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_8.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_8.sd
new file mode 100644
index 000000000..6a15f5a14
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aa_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION audit allow change_profile re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   audit allow change_profile -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/aao_bad_6.sd b/parser/tst/simple_tests/change_profile/aao_bad_6.sd
new file mode 100644
index 000000000..b4109d2b9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/aao_bad_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed on change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/ad_bare_ok_1.sd
new file mode 100644
index 000000000..e236803e9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_1.sd b/parser/tst/simple_tests/change_profile/ad_ok_1.sd
new file mode 100644
index 000000000..7df874c67
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_2.sd b/parser/tst/simple_tests/change_profile/ad_ok_2.sd
new file mode 100644
index 000000000..9ca265ade
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_3.sd b/parser/tst/simple_tests/change_profile/ad_ok_3.sd
new file mode 100644
index 000000000..ca9537995
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_4.sd b/parser/tst/simple_tests/change_profile/ad_ok_4.sd
new file mode 100644
index 000000000..368389d98
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit deny change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit deny change_profile -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_5.sd b/parser/tst/simple_tests/change_profile/ad_ok_5.sd
new file mode 100644
index 000000000..40ac16795
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit deny change_profile with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit deny change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_6.sd b/parser/tst/simple_tests/change_profile/ad_ok_6.sd
new file mode 100644
index 000000000..cd0af01d8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_7.sd b/parser/tst/simple_tests/change_profile/ad_ok_7.sd
new file mode 100644
index 000000000..c5c44d04f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_8.sd b/parser/tst/simple_tests/change_profile/ad_ok_8.sd
new file mode 100644
index 000000000..e2f04d782
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_1.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_1.sd
new file mode 100644
index 000000000..15268bc8e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION audit deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_2.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_2.sd
new file mode 100644
index 000000000..936f1dec9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION audit deny change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit deny change_profile -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_3.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_3.sd
new file mode 100644
index 000000000..00bb7105c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION audit deny change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit deny change_profile -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_4.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_4.sd
new file mode 100644
index 000000000..3e7837018
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION audit deny change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit deny change_profile -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_5.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_5.sd
new file mode 100644
index 000000000..960d6ca40
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit deny change_profile with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit deny change_profile -> *,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> **,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile -> ?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_6.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_6.sd
new file mode 100644
index 000000000..b3ef1c633
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit deny change_profile with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit deny change_profile -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_7.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_7.sd
new file mode 100644
index 000000000..db58ac4a5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit deny change_profile with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   audit deny change_profile -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_8.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_8.sd
new file mode 100644
index 000000000..dd8aca3d7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION audit deny change_profile re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   audit deny change_profile -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/ado_bad_1.sd b/parser/tst/simple_tests/change_profile/ado_bad_1.sd
new file mode 100644
index 000000000..535c15c71
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ado_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed on change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/ado_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/ado_bare_bad_1.sd
new file mode 100644
index 000000000..116f3c3ab
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ado_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_1.sd b/parser/tst/simple_tests/change_profile/allow_ok_1.sd
new file mode 100644
index 000000000..77bec70b6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_2.sd b/parser/tst/simple_tests/change_profile/allow_ok_2.sd
new file mode 100644
index 000000000..afa79e73e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_3.sd b/parser/tst/simple_tests/change_profile/allow_ok_3.sd
new file mode 100644
index 000000000..3a96d7f7c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_4.sd b/parser/tst/simple_tests/change_profile/allow_ok_4.sd
new file mode 100644
index 000000000..668d422fa
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION allow change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   allow change_profile -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_5.sd b/parser/tst/simple_tests/change_profile/allow_ok_5.sd
new file mode 100644
index 000000000..bd8aa5bdf
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION allow change_profile with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   allow change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_6.sd b/parser/tst/simple_tests/change_profile/allow_ok_6.sd
new file mode 100644
index 000000000..7ad9c5a56
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_7.sd b/parser/tst/simple_tests/change_profile/allow_ok_7.sd
new file mode 100644
index 000000000..9e233020f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_8.sd b/parser/tst/simple_tests/change_profile/allow_ok_8.sd
new file mode 100644
index 000000000..ee57c06fe
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_1.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_1.sd
new file mode 100644
index 000000000..268cba2b3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION allow change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_2.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_2.sd
new file mode 100644
index 000000000..76a5adb0e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION allow change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   allow change_profile -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   allow change_profile -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   allow change_profile -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   allow change_profile -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   allow change_profile -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   allow change_profile -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   allow change_profile -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   allow change_profile -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   allow change_profile -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   allow change_profile -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   allow change_profile -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   allow change_profile -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_3.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_3.sd
new file mode 100644
index 000000000..b1dc55799
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION allow change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   allow change_profile -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   allow change_profile -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   allow change_profile -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   allow change_profile -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   allow change_profile -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   allow change_profile -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   allow change_profile -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   allow change_profile -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   allow change_profile -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   allow change_profile -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   allow change_profile -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   allow change_profile -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_4.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_4.sd
new file mode 100644
index 000000000..b656b2f65
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION allow change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   allow change_profile -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   allow change_profile -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   allow change_profile -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   allow change_profile -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   allow change_profile -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   allow change_profile -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   allow change_profile -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   allow change_profile -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_5.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_5.sd
new file mode 100644
index 000000000..0a4a6e5d5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION allow change_profile with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   allow change_profile -> *,
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> **,
+}
+
+/usr/bin/foo3 {
+   allow change_profile -> ?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile -> [ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_6.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_6.sd
new file mode 100644
index 000000000..1ca41341d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION allow change_profile with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   allow change_profile -> *//ab,
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> **//ab,
+}
+
+/usr/bin/foo3 {
+   allow change_profile -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   allow change_profile -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   allow change_profile -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   allow change_profile -> ab//*,
+}
+
+/usr/bin/foo7 {
+   allow change_profile -> ab//**,
+}
+
+/usr/bin/foo8 {
+   allow change_profile -> ab//?,
+}
+
+/usr/bin/foo9 {
+   allow change_profile -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   allow change_profile -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   allow change_profile -> *//*,
+}
+
+/usr/bin/foo12 {
+   allow change_profile -> **//*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile -> ?//*,
+}
+
+/usr/bin/foo14 {
+   allow change_profile -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   allow change_profile -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_7.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_7.sd
new file mode 100644
index 000000000..6c6ee92c8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION allow change_profile with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   allow change_profile -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   allow change_profile -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   allow change_profile -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   allow change_profile -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   allow change_profile -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   allow change_profile -> :*:*,
+}
+
+/usr/bin/foo12 {
+   allow change_profile -> :**:**,
+}
+
+/usr/bin/foo13 {
+   allow change_profile -> :?:?,
+}
+
+/usr/bin/foo14 {
+   allow change_profile -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   allow change_profile -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_8.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_8.sd
new file mode 100644
index 000000000..985e7f240
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION allow change_profile re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   allow change_profile -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   allow change_profile -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   allow change_profile -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   allow change_profile -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   allow change_profile -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   allow change_profile -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   allow change_profile -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   allow change_profile -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   allow change_profile -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   allow change_profile -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/allowo_bad_1.sd b/parser/tst/simple_tests/change_profile/allowo_bad_1.sd
new file mode 100644
index 000000000..fde8f4987
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allowo_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allow in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   allow owner change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/ao_badh_1.sd b/parser/tst/simple_tests/change_profile/ao_badh_1.sd
new file mode 100644
index 000000000..090ba9963
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ao_badh_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/bare_ok_1.sd b/parser/tst/simple_tests/change_profile/bare_ok_1.sd
new file mode 100644
index 000000000..3ea58d28c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/d_bare_ok_1.sd
new file mode 100644
index 000000000..fcb0b5e75
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_1.sd b/parser/tst/simple_tests/change_profile/d_ok_1.sd
new file mode 100644
index 000000000..be02edef8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_2.sd b/parser/tst/simple_tests/change_profile/d_ok_2.sd
new file mode 100644
index 000000000..8004d8834
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_3.sd b/parser/tst/simple_tests/change_profile/d_ok_3.sd
new file mode 100644
index 000000000..1ce12ad85
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_4.sd b/parser/tst/simple_tests/change_profile/d_ok_4.sd
new file mode 100644
index 000000000..84269dcb9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny change_profile -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_5.sd b/parser/tst/simple_tests/change_profile/d_ok_5.sd
new file mode 100644
index 000000000..a443277cf
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny change_profile with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_6.sd b/parser/tst/simple_tests/change_profile/d_ok_6.sd
new file mode 100644
index 000000000..ef71d781a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_7.sd b/parser/tst/simple_tests/change_profile/d_ok_7.sd
new file mode 100644
index 000000000..4030e95c5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_8.sd b/parser/tst/simple_tests/change_profile/d_ok_8.sd
new file mode 100644
index 000000000..cce3b32d3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_1.sd b/parser/tst/simple_tests/change_profile/d_re_ok_1.sd
new file mode 100644
index 000000000..975b9b4c6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_2.sd b/parser/tst/simple_tests/change_profile/d_re_ok_2.sd
new file mode 100644
index 000000000..8d7f69526
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION deny change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   deny change_profile -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   deny change_profile -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   deny change_profile -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   deny change_profile -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   deny change_profile -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   deny change_profile -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   deny change_profile -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   deny change_profile -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   deny change_profile -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   deny change_profile -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   deny change_profile -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   deny change_profile -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_3.sd b/parser/tst/simple_tests/change_profile/d_re_ok_3.sd
new file mode 100644
index 000000000..0cfd4b1e1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION deny change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   deny change_profile -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   deny change_profile -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   deny change_profile -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   deny change_profile -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   deny change_profile -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   deny change_profile -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   deny change_profile -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   deny change_profile -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   deny change_profile -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   deny change_profile -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   deny change_profile -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   deny change_profile -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_4.sd b/parser/tst/simple_tests/change_profile/d_re_ok_4.sd
new file mode 100644
index 000000000..5dcdd8833
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION deny change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   deny change_profile -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   deny change_profile -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   deny change_profile -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   deny change_profile -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   deny change_profile -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   deny change_profile -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   deny change_profile -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   deny change_profile -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_5.sd b/parser/tst/simple_tests/change_profile/d_re_ok_5.sd
new file mode 100644
index 000000000..0972013a3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION deny change_profile with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   deny change_profile -> *,
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> **,
+}
+
+/usr/bin/foo3 {
+   deny change_profile -> ?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile -> [ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_6.sd b/parser/tst/simple_tests/change_profile/d_re_ok_6.sd
new file mode 100644
index 000000000..970ea0a4c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION deny change_profile with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   deny change_profile -> *//ab,
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> **//ab,
+}
+
+/usr/bin/foo3 {
+   deny change_profile -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   deny change_profile -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   deny change_profile -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   deny change_profile -> ab//*,
+}
+
+/usr/bin/foo7 {
+   deny change_profile -> ab//**,
+}
+
+/usr/bin/foo8 {
+   deny change_profile -> ab//?,
+}
+
+/usr/bin/foo9 {
+   deny change_profile -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   deny change_profile -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   deny change_profile -> *//*,
+}
+
+/usr/bin/foo12 {
+   deny change_profile -> **//*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile -> ?//*,
+}
+
+/usr/bin/foo14 {
+   deny change_profile -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   deny change_profile -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_7.sd b/parser/tst/simple_tests/change_profile/d_re_ok_7.sd
new file mode 100644
index 000000000..5a2319ade
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION deny change_profile with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   deny change_profile -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   deny change_profile -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   deny change_profile -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   deny change_profile -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   deny change_profile -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   deny change_profile -> :*:*,
+}
+
+/usr/bin/foo12 {
+   deny change_profile -> :**:**,
+}
+
+/usr/bin/foo13 {
+   deny change_profile -> :?:?,
+}
+
+/usr/bin/foo14 {
+   deny change_profile -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   deny change_profile -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_8.sd b/parser/tst/simple_tests/change_profile/d_re_ok_8.sd
new file mode 100644
index 000000000..cda4bedea
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION deny change_profile re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   deny change_profile -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   deny change_profile -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   deny change_profile -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   deny change_profile -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   deny change_profile -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   deny change_profile -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   deny change_profile -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   deny change_profile -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   deny change_profile -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   deny change_profile -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/da_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/da_bare_bad_1.sd
new file mode 100644
index 000000000..40d77709d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/da_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/do_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/do_bare_bad_1.sd
new file mode 100644
index 000000000..e8fa9ea63
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/do_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/o_bad_1.sd b/parser/tst/simple_tests/change_profile/o_bad_1.sd
new file mode 100644
index 000000000..36a7f842c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/o_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_a_bare_ok_1.sd
new file mode 100644
index 000000000..55d3e0794
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_1.sd
new file mode 100644
index 000000000..4526f98a4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_2.sd
new file mode 100644
index 000000000..529d15bfa
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_3.sd
new file mode 100644
index 000000000..af779d1f0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_4.sd
new file mode 100644
index 000000000..ba08089a4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_5.sd
new file mode 100644
index 000000000..dac84113c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit change_profile /onexec with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_6.sd
new file mode 100644
index 000000000..3045a64fe
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile /onexec with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_7.sd
new file mode 100644
index 000000000..c7bf40833
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile /onexec to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_a_ok_8.sd
new file mode 100644
index 000000000..8078a7f5e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile /onexec with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_1.sd
new file mode 100644
index 000000000..b476e08b0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION audit change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile /onexec -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile /onexec -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_2.sd
new file mode 100644
index 000000000..05d3c945f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION audit change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit change_profile /onexec -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit change_profile /onexec -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile /onexec -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit change_profile /onexec -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit change_profile /onexec -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit change_profile /onexec -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit change_profile /onexec -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit change_profile /onexec -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit change_profile /onexec -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile /onexec -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit change_profile /onexec -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit change_profile /onexec -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit change_profile /onexec -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_3.sd
new file mode 100644
index 000000000..13777a20e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION audit change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit change_profile /onexec -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit change_profile /onexec -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit change_profile /onexec -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile /onexec -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit change_profile /onexec -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit change_profile /onexec -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit change_profile /onexec -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit change_profile /onexec -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit change_profile /onexec -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit change_profile /onexec -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile /onexec -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit change_profile /onexec -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit change_profile /onexec -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit change_profile /onexec -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_4.sd
new file mode 100644
index 000000000..61987523b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION audit change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit change_profile /onexec -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile /onexec -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit change_profile /onexec -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit change_profile /onexec -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit change_profile /onexec -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit change_profile /onexec -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit change_profile /onexec -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit change_profile /onexec -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit change_profile /onexec -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_5.sd
new file mode 100644
index 000000000..16f5266e0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit change_profile /onexec with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit change_profile /onexec -> *,
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> **,
+}
+
+/usr/bin/foo3 {
+   audit change_profile /onexec -> ?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile /onexec -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_6.sd
new file mode 100644
index 000000000..b0418d643
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit change_profile /onexec with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit change_profile /onexec -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit change_profile /onexec -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit change_profile /onexec -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit change_profile /onexec -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit change_profile /onexec -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit change_profile /onexec -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit change_profile /onexec -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit change_profile /onexec -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit change_profile /onexec -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit change_profile /onexec -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile /onexec -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit change_profile /onexec -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit change_profile /onexec -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_7.sd
new file mode 100644
index 000000000..6a3891266
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit change_profile /onexec with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   audit change_profile /onexec -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile /onexec -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile /onexec -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile /onexec -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile /onexec -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit change_profile /onexec -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit change_profile /onexec -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit change_profile /onexec -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit change_profile /onexec -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit change_profile /onexec -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit change_profile /onexec -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit change_profile /onexec -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit change_profile /onexec -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit change_profile /onexec -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_a_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_a_re_ok_8.sd
new file mode 100644
index 000000000..db9d36d46
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_a_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION audit change_profile /onexec re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   audit change_profile /onexec -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit change_profile /onexec -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit change_profile /onexec -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit change_profile /onexec -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit change_profile /onexec -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit change_profile /onexec -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit change_profile /onexec -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit change_profile /onexec -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit change_profile /onexec -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit change_profile /onexec -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_1.sd
new file mode 100644
index 000000000..d1d7d4cdd
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_2.sd
new file mode 100644
index 000000000..a1f8d7ae4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_3.sd
new file mode 100644
index 000000000..7b298c0f9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_4.sd
new file mode 100644
index 000000000..9013cded1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit allow change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_5.sd
new file mode 100644
index 000000000..bf5c4f4c2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit allow change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_6.sd
new file mode 100644
index 000000000..c409d6562
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_7.sd
new file mode 100644
index 000000000..c795523ef
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_aa_ok_8.sd
new file mode 100644
index 000000000..ee3d46155
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_1.sd
new file mode 100644
index 000000000..27d97e6a7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile /onexec -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile /onexec -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_2.sd
new file mode 100644
index 000000000..f23a7a3a8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile /onexec -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile /onexec -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile /onexec -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile /onexec -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile /onexec -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile /onexec -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile /onexec -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile /onexec -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile /onexec -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile /onexec -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile /onexec -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile /onexec -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit allow change_profile /onexec -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_3.sd
new file mode 100644
index 000000000..9df4f009f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit allow change_profile /onexec -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile /onexec -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile /onexec -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile /onexec -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile /onexec -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile /onexec -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile /onexec -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile /onexec -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile /onexec -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile /onexec -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile /onexec -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile /onexec -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile /onexec -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit allow change_profile /onexec -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_4.sd
new file mode 100644
index 000000000..b99b9a2ab
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit allow change_profile /onexec -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile /onexec -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile /onexec -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile /onexec -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile /onexec -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile /onexec -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile /onexec -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile /onexec -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile /onexec -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_5.sd
new file mode 100644
index 000000000..dc757447c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit allow change_profile /onexec -> *,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> **,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile /onexec -> ?,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile /onexec -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_6.sd
new file mode 100644
index 000000000..1af2d9d74
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit allow change_profile /onexec -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile /onexec -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile /onexec -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile /onexec -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile /onexec -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile /onexec -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile /onexec -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile /onexec -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile /onexec -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile /onexec -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile /onexec -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile /onexec -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile /onexec -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_7.sd
new file mode 100644
index 000000000..a23c949b7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   audit allow change_profile /onexec -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit allow change_profile /onexec -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit allow change_profile /onexec -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit allow change_profile /onexec -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile /onexec -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile /onexec -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile /onexec -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit allow change_profile /onexec -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile /onexec -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile /onexec -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile /onexec -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile /onexec -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile /onexec -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile /onexec -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aa_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_8.sd
new file mode 100644
index 000000000..273b40462
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aa_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION audit allow change_profile /onexec re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   audit allow change_profile /onexec -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit allow change_profile /onexec -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit allow change_profile /onexec -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit allow change_profile /onexec -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit allow change_profile /onexec -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit allow change_profile /onexec -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit allow change_profile /onexec -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit allow change_profile /onexec -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit allow change_profile /onexec -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit allow change_profile /onexec -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_1.sd
new file mode 100644
index 000000000..c5c19ce33
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_2.sd
new file mode 100644
index 000000000..62c86f385
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_3.sd
new file mode 100644
index 000000000..918ef5ed3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_4.sd
new file mode 100644
index 000000000..f5bf48245
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_5.sd
new file mode 100644
index 000000000..f64fc1596
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_6.sd
new file mode 100644
index 000000000..5d4a06996
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> "/bin/foo",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_7.sd
new file mode 100644
index 000000000..564159049
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> "/bin/foo//bar",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_aao_bad_8.sd
new file mode 100644
index 000000000..f78f77688
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> ":foo:/bin/foo",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_1.sd
new file mode 100644
index 000000000..a38bdbc5e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_2.sd
new file mode 100644
index 000000000..62c86f385
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_3.sd
new file mode 100644
index 000000000..918ef5ed3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_4.sd
new file mode 100644
index 000000000..2decefc31
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_5.sd
new file mode 100644
index 000000000..b6df50fde
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> *,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_6.sd
new file mode 100644
index 000000000..2c18c5f08
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_7.sd
new file mode 100644
index 000000000..ddf814091
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+/usr/bin/foo {
+   audit allow owner change_profile /onexec -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_aao_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_8.sd
new file mode 100644
index 000000000..d04f634d9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_aao_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   audit allow owner change_profile /onexec -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_ad_bare_ok_1.sd
new file mode 100644
index 000000000..26c387222
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_1.sd
new file mode 100644
index 000000000..b6afda126
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_2.sd
new file mode 100644
index 000000000..4efadb097
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_3.sd
new file mode 100644
index 000000000..0a4f4fe01
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_4.sd
new file mode 100644
index 000000000..ece6b23bb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit deny change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_5.sd
new file mode 100644
index 000000000..a2e4b687d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit deny change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_6.sd
new file mode 100644
index 000000000..c99bce2fb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_7.sd
new file mode 100644
index 000000000..b89a11cb9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_ad_ok_8.sd
new file mode 100644
index 000000000..2fdce8f77
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_1.sd
new file mode 100644
index 000000000..348253972
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile /onexec -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile /onexec -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_2.sd
new file mode 100644
index 000000000..57f7866d5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile /onexec -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile /onexec -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile /onexec -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile /onexec -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile /onexec -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile /onexec -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile /onexec -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile /onexec -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile /onexec -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile /onexec -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile /onexec -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile /onexec -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit deny change_profile /onexec -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_3.sd
new file mode 100644
index 000000000..26b50ab86
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   audit deny change_profile /onexec -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile /onexec -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile /onexec -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile /onexec -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile /onexec -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile /onexec -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile /onexec -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile /onexec -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile /onexec -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile /onexec -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile /onexec -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile /onexec -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile /onexec -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit deny change_profile /onexec -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_4.sd
new file mode 100644
index 000000000..a3a5e555f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit deny change_profile /onexec -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile /onexec -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile /onexec -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile /onexec -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile /onexec -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile /onexec -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile /onexec -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile /onexec -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile /onexec -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_5.sd
new file mode 100644
index 000000000..a30b256e6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit deny change_profile /onexec -> *,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> **,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile /onexec -> ?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile /onexec -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_6.sd
new file mode 100644
index 000000000..efd84fa3a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   audit deny change_profile /onexec -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile /onexec -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile /onexec -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile /onexec -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile /onexec -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile /onexec -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile /onexec -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile /onexec -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile /onexec -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile /onexec -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile /onexec -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile /onexec -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile /onexec -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_7.sd
new file mode 100644
index 000000000..a5bec80ec
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   audit deny change_profile /onexec -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile /onexec -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile /onexec -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile /onexec -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile /onexec -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile /onexec -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile /onexec -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile /onexec -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile /onexec -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile /onexec -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile /onexec -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile /onexec -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile /onexec -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile /onexec -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ad_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_8.sd
new file mode 100644
index 000000000..6157fe7a2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ad_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION audit deny change_profile /onexec re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   audit deny change_profile /onexec -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile /onexec -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile /onexec -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile /onexec -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile /onexec -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile /onexec -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile /onexec -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile /onexec -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile /onexec -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile /onexec -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_1.sd
new file mode 100644
index 000000000..dabb5055f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_2.sd
new file mode 100644
index 000000000..0e5bbe685
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_3.sd
new file mode 100644
index 000000000..dd9947747
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_4.sd
new file mode 100644
index 000000000..6e2338999
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_5.sd
new file mode 100644
index 000000000..9b468de12
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_6.sd
new file mode 100644
index 000000000..a966f2d93
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_7.sd
new file mode 100644
index 000000000..d33957fb0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_7.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_ado_bad_8.sd
new file mode 100644
index 000000000..c97874c05
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bad_8.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_ado_bare_bad_1.sd
new file mode 100644
index 000000000..e20ef89c4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_1.sd
new file mode 100644
index 000000000..810a5f9c2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_2.sd
new file mode 100644
index 000000000..0e5bbe685
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_3.sd
new file mode 100644
index 000000000..dd9947747
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_4.sd
new file mode 100644
index 000000000..3717892a7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_5.sd
new file mode 100644
index 000000000..a50e38063
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_5.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_6.sd
new file mode 100644
index 000000000..01486e88b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_7.sd
new file mode 100644
index 000000000..df3d8c9fc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+/usr/bin/foo {
+   audit deny owner change_profile /onexec -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ado_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_8.sd
new file mode 100644
index 000000000..cfa26b36c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ado_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   audit deny owner change_profile /onexec -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_1.sd
new file mode 100644
index 000000000..ae9b0f586
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_2.sd
new file mode 100644
index 000000000..a6b5bf17e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_3.sd
new file mode 100644
index 000000000..63285c4f6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_4.sd
new file mode 100644
index 000000000..729d29188
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION allow change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   allow change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_5.sd
new file mode 100644
index 000000000..2c7559da7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION allow change_profile /onexec with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   allow change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_6.sd
new file mode 100644
index 000000000..762ecb3ca
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile /onexec with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_7.sd
new file mode 100644
index 000000000..0ba910152
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile /onexec to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_allow_ok_8.sd
new file mode 100644
index 000000000..5eaa61254
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile /onexec with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_1.sd
new file mode 100644
index 000000000..a3ad88451
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION allow change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile /onexec -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile /onexec -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_2.sd
new file mode 100644
index 000000000..2512b8910
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION allow change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   allow change_profile /onexec -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   allow change_profile /onexec -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile /onexec -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   allow change_profile /onexec -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   allow change_profile /onexec -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   allow change_profile /onexec -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   allow change_profile /onexec -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   allow change_profile /onexec -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   allow change_profile /onexec -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile /onexec -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   allow change_profile /onexec -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   allow change_profile /onexec -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   allow change_profile /onexec -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_3.sd
new file mode 100644
index 000000000..986f6f3a1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION allow change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow change_profile /onexec -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   allow change_profile /onexec -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   allow change_profile /onexec -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile /onexec -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   allow change_profile /onexec -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   allow change_profile /onexec -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   allow change_profile /onexec -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   allow change_profile /onexec -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   allow change_profile /onexec -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   allow change_profile /onexec -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile /onexec -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   allow change_profile /onexec -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   allow change_profile /onexec -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   allow change_profile /onexec -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_4.sd
new file mode 100644
index 000000000..96b2574a3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION allow change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   allow change_profile /onexec -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile /onexec -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   allow change_profile /onexec -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   allow change_profile /onexec -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   allow change_profile /onexec -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   allow change_profile /onexec -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   allow change_profile /onexec -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   allow change_profile /onexec -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   allow change_profile /onexec -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_5.sd
new file mode 100644
index 000000000..00bf67814
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION allow change_profile /onexec with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   allow change_profile /onexec -> *,
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> **,
+}
+
+/usr/bin/foo3 {
+   allow change_profile /onexec -> ?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile /onexec -> [ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_6.sd
new file mode 100644
index 000000000..f96f5786c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION allow change_profile /onexec with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   allow change_profile /onexec -> *//ab,
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> **//ab,
+}
+
+/usr/bin/foo3 {
+   allow change_profile /onexec -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   allow change_profile /onexec -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   allow change_profile /onexec -> ab//*,
+}
+
+/usr/bin/foo7 {
+   allow change_profile /onexec -> ab//**,
+}
+
+/usr/bin/foo8 {
+   allow change_profile /onexec -> ab//?,
+}
+
+/usr/bin/foo9 {
+   allow change_profile /onexec -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   allow change_profile /onexec -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   allow change_profile /onexec -> *//*,
+}
+
+/usr/bin/foo12 {
+   allow change_profile /onexec -> **//*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile /onexec -> ?//*,
+}
+
+/usr/bin/foo14 {
+   allow change_profile /onexec -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   allow change_profile /onexec -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_7.sd
new file mode 100644
index 000000000..44388d41c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION allow change_profile /onexec with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   allow change_profile /onexec -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile /onexec -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile /onexec -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile /onexec -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile /onexec -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   allow change_profile /onexec -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   allow change_profile /onexec -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   allow change_profile /onexec -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   allow change_profile /onexec -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   allow change_profile /onexec -> :*:*,
+}
+
+/usr/bin/foo12 {
+   allow change_profile /onexec -> :**:**,
+}
+
+/usr/bin/foo13 {
+   allow change_profile /onexec -> :?:?,
+}
+
+/usr/bin/foo14 {
+   allow change_profile /onexec -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   allow change_profile /onexec -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_allow_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_8.sd
new file mode 100644
index 000000000..e445afe45
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_allow_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION allow change_profile /onexec re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   allow change_profile /onexec -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   allow change_profile /onexec -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   allow change_profile /onexec -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   allow change_profile /onexec -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   allow change_profile /onexec -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   allow change_profile /onexec -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   allow change_profile /onexec -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   allow change_profile /onexec -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   allow change_profile /onexec -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   allow change_profile /onexec -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_1.sd
new file mode 100644
index 000000000..cf5212faa
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_2.sd
new file mode 100644
index 000000000..e5c1097cb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_3.sd
new file mode 100644
index 000000000..87f4339f2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_4.sd
new file mode 100644
index 000000000..e64b22249
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit owner change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_5.sd
new file mode 100644
index 000000000..349586705
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   audit owner change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_6.sd
new file mode 100644
index 000000000..c4f87d2b9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_7.sd
new file mode 100644
index 000000000..86d3a29c1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_7.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_ao_bad_8.sd
new file mode 100644
index 000000000..178879c8b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bad_8.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_ao_bare_bad_1.sd
new file mode 100644
index 000000000..665278538
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_1.sd
new file mode 100644
index 000000000..b437a2d2e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_2.sd
new file mode 100644
index 000000000..e5c1097cb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_3.sd
new file mode 100644
index 000000000..87f4339f2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   audit owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_4.sd
new file mode 100644
index 000000000..016d0b2cb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   audit owner change_profile /onexec -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_5.sd
new file mode 100644
index 000000000..f076d90f4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_5.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   audit owner change_profile /onexec -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_6.sd
new file mode 100644
index 000000000..586b78c01
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   audit owner change_profile /onexec -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_7.sd
new file mode 100644
index 000000000..1e4baf922
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+/usr/bin/foo {
+   audit owner change_profile /onexec -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ao_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_8.sd
new file mode 100644
index 000000000..dd86e4085
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ao_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   audit owner change_profile /onexec -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_bare_ok_1.sd
new file mode 100644
index 000000000..1cf801819
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_d_bare_ok_1.sd
new file mode 100644
index 000000000..5323b2e91
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_1.sd
new file mode 100644
index 000000000..ff6a210d1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_2.sd
new file mode 100644
index 000000000..3d6d11974
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_3.sd
new file mode 100644
index 000000000..5f78552ea
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_4.sd
new file mode 100644
index 000000000..10ce711b4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_5.sd
new file mode 100644
index 000000000..dd15937f9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny change_profile /onexec with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_6.sd
new file mode 100644
index 000000000..09d45da6b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile /onexec with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_7.sd
new file mode 100644
index 000000000..84b19227b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile /onexec to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_d_ok_8.sd
new file mode 100644
index 000000000..2e0c0585f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile /onexec with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_1.sd
new file mode 100644
index 000000000..4b5efe411
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION deny change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile /onexec -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile /onexec -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_2.sd
new file mode 100644
index 000000000..4399e8f32
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION deny change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   deny change_profile /onexec -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   deny change_profile /onexec -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile /onexec -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   deny change_profile /onexec -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   deny change_profile /onexec -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   deny change_profile /onexec -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   deny change_profile /onexec -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   deny change_profile /onexec -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   deny change_profile /onexec -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile /onexec -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   deny change_profile /onexec -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   deny change_profile /onexec -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   deny change_profile /onexec -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_3.sd
new file mode 100644
index 000000000..c16918b7d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION deny change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   deny change_profile /onexec -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   deny change_profile /onexec -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   deny change_profile /onexec -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile /onexec -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   deny change_profile /onexec -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   deny change_profile /onexec -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   deny change_profile /onexec -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   deny change_profile /onexec -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   deny change_profile /onexec -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   deny change_profile /onexec -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile /onexec -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   deny change_profile /onexec -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   deny change_profile /onexec -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   deny change_profile /onexec -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_4.sd
new file mode 100644
index 000000000..b0e6955c2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION deny change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   deny change_profile /onexec -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile /onexec -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   deny change_profile /onexec -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   deny change_profile /onexec -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   deny change_profile /onexec -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   deny change_profile /onexec -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   deny change_profile /onexec -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   deny change_profile /onexec -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   deny change_profile /onexec -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_5.sd
new file mode 100644
index 000000000..b88581870
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION deny change_profile /onexec with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   deny change_profile /onexec -> *,
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> **,
+}
+
+/usr/bin/foo3 {
+   deny change_profile /onexec -> ?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile /onexec -> [ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_6.sd
new file mode 100644
index 000000000..f8e0d637b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION deny change_profile /onexec with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   deny change_profile /onexec -> *//ab,
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> **//ab,
+}
+
+/usr/bin/foo3 {
+   deny change_profile /onexec -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   deny change_profile /onexec -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   deny change_profile /onexec -> ab//*,
+}
+
+/usr/bin/foo7 {
+   deny change_profile /onexec -> ab//**,
+}
+
+/usr/bin/foo8 {
+   deny change_profile /onexec -> ab//?,
+}
+
+/usr/bin/foo9 {
+   deny change_profile /onexec -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   deny change_profile /onexec -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   deny change_profile /onexec -> *//*,
+}
+
+/usr/bin/foo12 {
+   deny change_profile /onexec -> **//*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile /onexec -> ?//*,
+}
+
+/usr/bin/foo14 {
+   deny change_profile /onexec -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   deny change_profile /onexec -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_7.sd
new file mode 100644
index 000000000..2e5427789
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION deny change_profile /onexec with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   deny change_profile /onexec -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile /onexec -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile /onexec -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile /onexec -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile /onexec -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   deny change_profile /onexec -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   deny change_profile /onexec -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   deny change_profile /onexec -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   deny change_profile /onexec -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   deny change_profile /onexec -> :*:*,
+}
+
+/usr/bin/foo12 {
+   deny change_profile /onexec -> :**:**,
+}
+
+/usr/bin/foo13 {
+   deny change_profile /onexec -> :?:?,
+}
+
+/usr/bin/foo14 {
+   deny change_profile /onexec -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   deny change_profile /onexec -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_d_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_d_re_ok_8.sd
new file mode 100644
index 000000000..790c0ba36
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_d_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION deny change_profile /onexec re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   deny change_profile /onexec -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   deny change_profile /onexec -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   deny change_profile /onexec -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   deny change_profile /onexec -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   deny change_profile /onexec -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   deny change_profile /onexec -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   deny change_profile /onexec -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   deny change_profile /onexec -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   deny change_profile /onexec -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   deny change_profile /onexec -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_1.sd
new file mode 100644
index 000000000..2a89bd567
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_2.sd
new file mode 100644
index 000000000..596558cc2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_3.sd
new file mode 100644
index 000000000..b4ea08ef8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_4.sd
new file mode 100644
index 000000000..2a38dbe66
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny audit change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_5.sd
new file mode 100644
index 000000000..bcd53b62b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny audit change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_6.sd
new file mode 100644
index 000000000..6c5393d19
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_7.sd
new file mode 100644
index 000000000..60a26d781
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_7.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_da_bad_8.sd
new file mode 100644
index 000000000..8635df64c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bad_8.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_da_bare_bad_1.sd
new file mode 100644
index 000000000..98c9a330d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_1.sd
new file mode 100644
index 000000000..07a159242
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_2.sd
new file mode 100644
index 000000000..6707a555e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_3.sd
new file mode 100644
index 000000000..46331101d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny audit change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_4.sd
new file mode 100644
index 000000000..24e2f1d02
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   deny audit change_profile /onexec -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_5.sd
new file mode 100644
index 000000000..c3eed8477
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_5.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   deny audit change_profile /onexec -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_6.sd
new file mode 100644
index 000000000..3c8d008fb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   deny audit change_profile /onexec -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_7.sd
new file mode 100644
index 000000000..a9664f382
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+
+
+/usr/bin/foo {
+   deny audit change_profile /onexec -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_da_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_da_re_bad_8.sd
new file mode 100644
index 000000000..66439f06c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_da_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   deny audit change_profile /onexec -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_1.sd
new file mode 100644
index 000000000..3607dc77f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_2.sd
new file mode 100644
index 000000000..cce085b0d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_3.sd
new file mode 100644
index 000000000..fd6d90281
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_4.sd
new file mode 100644
index 000000000..226204a68
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny owner change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_5.sd
new file mode 100644
index 000000000..a78fb5bc1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   deny owner change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_6.sd
new file mode 100644
index 000000000..efdef28a7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_7.sd
new file mode 100644
index 000000000..7352d4a5d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_7.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_do_bad_8.sd
new file mode 100644
index 000000000..2a10839ab
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bad_8.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_do_bare_bad_1.sd
new file mode 100644
index 000000000..89d8567b0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_1.sd
new file mode 100644
index 000000000..69c1d7449
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_2.sd
new file mode 100644
index 000000000..cce085b0d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_3.sd
new file mode 100644
index 000000000..fd6d90281
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   deny owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_4.sd
new file mode 100644
index 000000000..05f163043
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   deny owner change_profile /onexec -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_5.sd
new file mode 100644
index 000000000..4e757f5df
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_5.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   deny owner change_profile /onexec -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_6.sd
new file mode 100644
index 000000000..1884d3416
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   deny owner change_profile /onexec -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_7.sd
new file mode 100644
index 000000000..9c03a3a73
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+/usr/bin/foo {
+   deny owner change_profile /onexec -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_do_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_do_re_bad_8.sd
new file mode 100644
index 000000000..0a26b2c57
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_do_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   deny owner change_profile /onexec -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_1.sd
new file mode 100644
index 000000000..5b8f32fae
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_2.sd
new file mode 100644
index 000000000..91722ce5c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_3.sd
new file mode 100644
index 000000000..68b84d7a0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_4.sd
new file mode 100644
index 000000000..53e640873
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   owner change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_5.sd
new file mode 100644
index 000000000..197f30aa5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   owner change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_6.sd
new file mode 100644
index 000000000..d5fae4e76
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_7.sd
new file mode 100644
index 000000000..83ef00156
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_7.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_o_bad_8.sd
new file mode 100644
index 000000000..60b6c1a6c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bad_8.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_o_bare_bad_1.sd
new file mode 100644
index 000000000..3510a0669
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_1.sd
new file mode 100644
index 000000000..eaa660b82
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_2.sd
new file mode 100644
index 000000000..91722ce5c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_3.sd
new file mode 100644
index 000000000..68b84d7a0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+   owner change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_4.sd
new file mode 100644
index 000000000..6600c3849
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   owner change_profile /onexec -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_5.sd
new file mode 100644
index 000000000..f9d63cfff
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_5.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   owner change_profile /onexec -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_6.sd
new file mode 100644
index 000000000..1b92a7312
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo {
+   owner change_profile /onexec -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_7.sd
new file mode 100644
index 000000000..16cd8b3f7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+/usr/bin/foo {
+   owner change_profile /onexec -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_o_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onx_o_re_bad_8.sd
new file mode 100644
index 000000000..7ea2ce794
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_o_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   owner change_profile /onexec -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_ok_1.sd
new file mode 100644
index 000000000..d51ae1b8f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_ok_2.sd
new file mode 100644
index 000000000..d24ae104a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_ok_3.sd
new file mode 100644
index 000000000..2d3179e41
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_ok_4.sd
new file mode 100644
index 000000000..31c2104c0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   change_profile /onexec -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_ok_5.sd
new file mode 100644
index 000000000..3b7d45e3e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION change_profile /onexec with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+   change_profile /onexec -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_ok_6.sd
new file mode 100644
index 000000000..a5fd2d5e6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION change_profile /onexec with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_ok_7.sd
new file mode 100644
index 000000000..2b318caae
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION change_profile /onexec to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_ok_8.sd
new file mode 100644
index 000000000..23b185e41
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION change_profile /onexec with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_1.sd
new file mode 100644
index 000000000..1ebfc68d6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION change_profile /onexec
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   change_profile /onexec -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   change_profile /onexec -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   change_profile /onexec -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_2.sd
new file mode 100644
index 000000000..7578203b7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION change_profile /onexec to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   change_profile /onexec -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   change_profile /onexec -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   change_profile /onexec -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   change_profile /onexec -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   change_profile /onexec -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   change_profile /onexec -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   change_profile /onexec -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   change_profile /onexec -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   change_profile /onexec -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   change_profile /onexec -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   change_profile /onexec -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   change_profile /onexec -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   change_profile /onexec -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   change_profile /onexec -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_3.sd
new file mode 100644
index 000000000..4d5c05470
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION change_profile /onexec with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile /onexec -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   change_profile /onexec -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   change_profile /onexec -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   change_profile /onexec -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   change_profile /onexec -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   change_profile /onexec -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   change_profile /onexec -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   change_profile /onexec -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   change_profile /onexec -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   change_profile /onexec -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   change_profile /onexec -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   change_profile /onexec -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   change_profile /onexec -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   change_profile /onexec -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   change_profile /onexec -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_4.sd
new file mode 100644
index 000000000..ebcdbfab4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION change_profile /onexec with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+   change_profile /onexec -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   change_profile /onexec -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   change_profile /onexec -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   change_profile /onexec -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   change_profile /onexec -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   change_profile /onexec -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   change_profile /onexec -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   change_profile /onexec -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   change_profile /onexec -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   change_profile /onexec -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_5.sd
new file mode 100644
index 000000000..e87a9550e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION change_profile /onexec with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   change_profile /onexec -> *,
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> **,
+}
+
+/usr/bin/foo3 {
+   change_profile /onexec -> ?,
+}
+
+/usr/bin/foo4 {
+   change_profile /onexec -> [ab],
+}
+
+/usr/bin/foo5 {
+   change_profile /onexec -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_6.sd
new file mode 100644
index 000000000..31dbafcd4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION change_profile /onexec with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+   change_profile /onexec -> *//ab,
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> **//ab,
+}
+
+/usr/bin/foo3 {
+   change_profile /onexec -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   change_profile /onexec -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   change_profile /onexec -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   change_profile /onexec -> ab//*,
+}
+
+/usr/bin/foo7 {
+   change_profile /onexec -> ab//**,
+}
+
+/usr/bin/foo8 {
+   change_profile /onexec -> ab//?,
+}
+
+/usr/bin/foo9 {
+   change_profile /onexec -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   change_profile /onexec -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   change_profile /onexec -> *//*,
+}
+
+/usr/bin/foo12 {
+   change_profile /onexec -> **//*,
+}
+
+/usr/bin/foo13 {
+   change_profile /onexec -> ?//*,
+}
+
+/usr/bin/foo14 {
+   change_profile /onexec -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   change_profile /onexec -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_7.sd
new file mode 100644
index 000000000..44362fc98
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION change_profile /onexec with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+   change_profile /onexec -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   change_profile /onexec -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   change_profile /onexec -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   change_profile /onexec -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   change_profile /onexec -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   change_profile /onexec -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   change_profile /onexec -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   change_profile /onexec -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   change_profile /onexec -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   change_profile /onexec -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   change_profile /onexec -> :*:*,
+}
+
+/usr/bin/foo12 {
+   change_profile /onexec -> :**:**,
+}
+
+/usr/bin/foo13 {
+   change_profile /onexec -> :?:?,
+}
+
+/usr/bin/foo14 {
+   change_profile /onexec -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   change_profile /onexec -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onx_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onx_re_ok_8.sd
new file mode 100644
index 000000000..bce3aa369
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onx_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION change_profile /onexec re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+   change_profile /onexec -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   change_profile /onexec -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   change_profile /onexec -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   change_profile /onexec -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   change_profile /onexec -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   change_profile /onexec -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   change_profile /onexec -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   change_profile /onexec -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   change_profile /onexec -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   change_profile /onexec -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_a_bare_ok_1.sd
new file mode 100644
index 000000000..ad82ece1b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_bare_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_1.sd
new file mode 100644
index 000000000..bdfb5fdf2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_2.sd
new file mode 100644
index 000000000..6044b6700
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_3.sd
new file mode 100644
index 000000000..a0e5d51c9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_4.sd
new file mode 100644
index 000000000..30d10153a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_5.sd
new file mode 100644
index 000000000..0d0448eb0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit change_profile @{var} with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_6.sd
new file mode 100644
index 000000000..8d252a588
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_6.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION audit change_profile @{var} with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_7.sd
new file mode 100644
index 000000000..10a3878ab
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_7.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION audit change_profile @{var} to a hat with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_a_ok_8.sd
new file mode 100644
index 000000000..34b23ddc1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_ok_8.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION audit change_profile @{var} with name space with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_1.sd
new file mode 100644
index 000000000..6b0ed1a6d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_1.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile @{var} -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile @{var} -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_2.sd
new file mode 100644
index 000000000..029c75aec
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_2.sd
@@ -0,0 +1,70 @@
+#
+#=DESCRIPTION audit change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit change_profile @{var} -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit change_profile @{var} -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile @{var} -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit change_profile @{var} -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit change_profile @{var} -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit change_profile @{var} -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit change_profile @{var} -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit change_profile @{var} -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit change_profile @{var} -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile @{var} -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit change_profile @{var} -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit change_profile @{var} -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit change_profile @{var} -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_3.sd
new file mode 100644
index 000000000..4dbbefb7e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_3.sd
@@ -0,0 +1,68 @@
+#
+#=DESCRIPTION audit change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit change_profile @{var} -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit change_profile @{var} -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile @{var} -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit change_profile @{var} -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit change_profile @{var} -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit change_profile @{var} -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit change_profile @{var} -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit change_profile @{var} -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit change_profile @{var} -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile @{var} -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit change_profile @{var} -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit change_profile @{var} -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit change_profile @{var} -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_4.sd
new file mode 100644
index 000000000..353156038
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_4.sd
@@ -0,0 +1,52 @@
+#
+#=DESCRIPTION audit change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile @{var} -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit change_profile @{var} -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit change_profile @{var} -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit change_profile @{var} -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit change_profile @{var} -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit change_profile @{var} -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit change_profile @{var} -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit change_profile @{var} -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_5.sd
new file mode 100644
index 000000000..2b33e1af3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_5.sd
@@ -0,0 +1,26 @@
+#
+#=DESCRIPTION audit change_profile @{var} with just res
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> *,
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> **,
+}
+
+/usr/bin/foo3 {
+   audit change_profile @{var} -> ?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile @{var} -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_6.sd
new file mode 100644
index 000000000..3ec2ded8e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_6.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION audit change_profile @{var} with just res, child profile
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit change_profile @{var} -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit change_profile @{var} -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit change_profile @{var} -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit change_profile @{var} -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit change_profile @{var} -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit change_profile @{var} -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit change_profile @{var} -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit change_profile @{var} -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit change_profile @{var} -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit change_profile @{var} -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit change_profile @{var} -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit change_profile @{var} -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_7.sd
new file mode 100644
index 000000000..71b3788eb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_7.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION audit change_profile @{var} with just re, namespace
+#=EXRESULT PASS
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   audit change_profile @{var} -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit change_profile @{var} -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit change_profile @{var} -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit change_profile @{var} -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit change_profile @{var} -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit change_profile @{var} -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit change_profile @{var} -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit change_profile @{var} -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit change_profile @{var} -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit change_profile @{var} -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit change_profile @{var} -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit change_profile @{var} -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit change_profile @{var} -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit change_profile @{var} -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_8.sd
new file mode 100644
index 000000000..592bf30be
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_a_re_ok_8.sd
@@ -0,0 +1,47 @@
+#
+#=DESCRIPTION audit change_profile @{var} re with quotes
+#=EXRESULT PASS
+#
+
+@{var}=/test
+
+/usr/bin/foo5 {
+   audit change_profile @{var} -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit change_profile @{var} -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit change_profile @{var} -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit change_profile @{var} -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit change_profile @{var} -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit change_profile @{var} -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit change_profile @{var} -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit change_profile @{var} -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit change_profile @{var} -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit change_profile @{var} -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_1.sd
new file mode 100644
index 000000000..45d29a595
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_1.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> /bin/foo,
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_2.sd
new file mode 100644
index 000000000..c8874a76a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_3.sd
new file mode 100644
index 000000000..5f87bea40
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_4.sd
new file mode 100644
index 000000000..f26f200cc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_5.sd
new file mode 100644
index 000000000..80ecf7537
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_6.sd
new file mode 100644
index 000000000..6576b2c3a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_7.sd
new file mode 100644
index 000000000..bd316fa6b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_8.sd
new file mode 100644
index 000000000..3b3abfad7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_1.sd
new file mode 100644
index 000000000..5cc7e349e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_2.sd
new file mode 100644
index 000000000..c8874a76a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_3.sd
new file mode 100644
index 000000000..5f87bea40
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_4.sd
new file mode 100644
index 000000000..acf2fcba7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_4.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_5.sd
new file mode 100644
index 000000000..5c904ce33
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_6.sd
new file mode 100644
index 000000000..923c89cfd
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_6.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_7.sd
new file mode 100644
index 000000000..a6c8984ab
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_7.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   audit allow owner change_profile @{var} -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_8.sd
new file mode 100644
index 000000000..ec3a7fecf
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_aao_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   audit allow owner change_profile @{var} -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_bare_ok_1.sd
new file mode 100644
index 000000000..66f6391d1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_bare_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit deny change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_1.sd
new file mode 100644
index 000000000..b2da7649c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit deny change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_2.sd
new file mode 100644
index 000000000..78028d684
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_3.sd
new file mode 100644
index 000000000..60ea5ec0d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_4.sd
new file mode 100644
index 000000000..2d2b3b6c7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_5.sd
new file mode 100644
index 000000000..faeee8001
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_6.sd
new file mode 100644
index 000000000..41b670e70
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_6.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_7.sd
new file mode 100644
index 000000000..cfa8ce90c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_7.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} to a hat with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_8.sd
new file mode 100644
index 000000000..de43c8dae
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_ok_8.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with name space with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_1.sd
new file mode 100644
index 000000000..9e340ce7f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_1.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit deny change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile @{var} -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile @{var} -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_2.sd
new file mode 100644
index 000000000..f2767fca8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_2.sd
@@ -0,0 +1,70 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile @{var} -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile @{var} -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile @{var} -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile @{var} -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile @{var} -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile @{var} -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile @{var} -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile @{var} -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile @{var} -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile @{var} -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile @{var} -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile @{var} -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   audit deny change_profile @{var} -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_3.sd
new file mode 100644
index 000000000..0fe239ea8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_3.sd
@@ -0,0 +1,68 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile @{var} -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile @{var} -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile @{var} -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile @{var} -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile @{var} -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile @{var} -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile @{var} -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile @{var} -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile @{var} -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile @{var} -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile @{var} -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile @{var} -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   audit deny change_profile @{var} -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_4.sd
new file mode 100644
index 000000000..1037f01bf
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_4.sd
@@ -0,0 +1,52 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile @{var} -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile @{var} -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile @{var} -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile @{var} -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile @{var} -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile @{var} -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile @{var} -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile @{var} -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_5.sd
new file mode 100644
index 000000000..88dc5b559
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_5.sd
@@ -0,0 +1,26 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with just res
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> *,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> **,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile @{var} -> ?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile @{var} -> [ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_6.sd
new file mode 100644
index 000000000..ab287b167
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_6.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with just res, child profile
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> *//ab,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> **//ab,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile @{var} -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile @{var} -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile @{var} -> ab//*,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile @{var} -> ab//**,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile @{var} -> ab//?,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile @{var} -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile @{var} -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile @{var} -> *//*,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile @{var} -> **//*,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile @{var} -> ?//*,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile @{var} -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile @{var} -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_7.sd
new file mode 100644
index 000000000..3b8e70c66
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_7.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} with just re, namespace
+#=EXRESULT PASS
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny change_profile @{var} -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   audit deny change_profile @{var} -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   audit deny change_profile @{var} -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   audit deny change_profile @{var} -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile @{var} -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile @{var} -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile @{var} -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   audit deny change_profile @{var} -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile @{var} -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile @{var} -> :*:*,
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile @{var} -> :**:**,
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile @{var} -> :?:?,
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile @{var} -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile @{var} -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_8.sd
new file mode 100644
index 000000000..6e039d04b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ad_re_ok_8.sd
@@ -0,0 +1,47 @@
+#
+#=DESCRIPTION audit deny change_profile @{var} re with quotes
+#=EXRESULT PASS
+#
+
+@{var}=/test
+
+/usr/bin/foo5 {
+   audit deny change_profile @{var} -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   audit deny change_profile @{var} -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   audit deny change_profile @{var} -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   audit deny change_profile @{var} -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   audit deny change_profile @{var} -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   audit deny change_profile @{var} -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   audit deny change_profile @{var} -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   audit deny change_profile @{var} -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   audit deny change_profile @{var} -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   audit deny change_profile @{var} -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_1.sd
new file mode 100644
index 000000000..998235584
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_2.sd
new file mode 100644
index 000000000..540cb65ef
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_3.sd
new file mode 100644
index 000000000..714eabd4f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_4.sd
new file mode 100644
index 000000000..2c5eb03dc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_5.sd
new file mode 100644
index 000000000..def29078e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_6.sd
new file mode 100644
index 000000000..804d973a4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_7.sd
new file mode 100644
index 000000000..1fe8cccdb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_8.sd
new file mode 100644
index 000000000..cb4dfb72e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_bare_bad_1.sd
new file mode 100644
index 000000000..4869019d2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_bare_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_1.sd
new file mode 100644
index 000000000..fbc79475f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_2.sd
new file mode 100644
index 000000000..540cb65ef
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_3.sd
new file mode 100644
index 000000000..714eabd4f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_4.sd
new file mode 100644
index 000000000..712eeafb4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_4.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_5.sd
new file mode 100644
index 000000000..8bcc07b5e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_6.sd
new file mode 100644
index 000000000..05641e844
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_6.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_7.sd
new file mode 100644
index 000000000..a8ca795b9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_7.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   audit deny owner change_profile @{var} -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_8.sd
new file mode 100644
index 000000000..14f801dca
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ado_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   audit deny owner change_profile @{var} -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_1.sd
new file mode 100644
index 000000000..5558d09dd
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION allow change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_2.sd
new file mode 100644
index 000000000..4d609c83a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION allow change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_3.sd
new file mode 100644
index 000000000..5f08c956d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION allow change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_4.sd
new file mode 100644
index 000000000..03e6a5578
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_5.sd
new file mode 100644
index 000000000..626805405
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile @{var} with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_6.sd
new file mode 100644
index 000000000..68347009b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_6.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION allow change_profile @{var} with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_7.sd
new file mode 100644
index 000000000..152c1e1fc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_7.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION allow change_profile @{var} to a hat with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_8.sd
new file mode 100644
index 000000000..d17857df9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_ok_8.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION allow change_profile @{var} with name space with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_1.sd
new file mode 100644
index 000000000..6c20308d8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_1.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION allow change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile @{var} -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile @{var} -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_2.sd
new file mode 100644
index 000000000..0f79b51f0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_2.sd
@@ -0,0 +1,70 @@
+#
+#=DESCRIPTION allow change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   allow change_profile @{var} -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   allow change_profile @{var} -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile @{var} -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   allow change_profile @{var} -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   allow change_profile @{var} -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   allow change_profile @{var} -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   allow change_profile @{var} -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   allow change_profile @{var} -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   allow change_profile @{var} -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile @{var} -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   allow change_profile @{var} -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   allow change_profile @{var} -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   allow change_profile @{var} -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_3.sd
new file mode 100644
index 000000000..c0efad1cb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_3.sd
@@ -0,0 +1,68 @@
+#
+#=DESCRIPTION allow change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   allow change_profile @{var} -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   allow change_profile @{var} -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile @{var} -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   allow change_profile @{var} -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   allow change_profile @{var} -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   allow change_profile @{var} -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   allow change_profile @{var} -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   allow change_profile @{var} -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   allow change_profile @{var} -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile @{var} -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   allow change_profile @{var} -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   allow change_profile @{var} -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   allow change_profile @{var} -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_4.sd
new file mode 100644
index 000000000..1b15eab12
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_4.sd
@@ -0,0 +1,52 @@
+#
+#=DESCRIPTION allow change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile @{var} -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   allow change_profile @{var} -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   allow change_profile @{var} -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   allow change_profile @{var} -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   allow change_profile @{var} -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   allow change_profile @{var} -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   allow change_profile @{var} -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   allow change_profile @{var} -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_5.sd
new file mode 100644
index 000000000..458206839
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_5.sd
@@ -0,0 +1,26 @@
+#
+#=DESCRIPTION allow change_profile @{var} with just res
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> *,
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> **,
+}
+
+/usr/bin/foo3 {
+   allow change_profile @{var} -> ?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile @{var} -> [ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_6.sd
new file mode 100644
index 000000000..a22a4d3b3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_6.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION allow change_profile @{var} with just res, child profile
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> *//ab,
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> **//ab,
+}
+
+/usr/bin/foo3 {
+   allow change_profile @{var} -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   allow change_profile @{var} -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   allow change_profile @{var} -> ab//*,
+}
+
+/usr/bin/foo7 {
+   allow change_profile @{var} -> ab//**,
+}
+
+/usr/bin/foo8 {
+   allow change_profile @{var} -> ab//?,
+}
+
+/usr/bin/foo9 {
+   allow change_profile @{var} -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   allow change_profile @{var} -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   allow change_profile @{var} -> *//*,
+}
+
+/usr/bin/foo12 {
+   allow change_profile @{var} -> **//*,
+}
+
+/usr/bin/foo13 {
+   allow change_profile @{var} -> ?//*,
+}
+
+/usr/bin/foo14 {
+   allow change_profile @{var} -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   allow change_profile @{var} -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_7.sd
new file mode 100644
index 000000000..9e625b3cb
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_7.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION allow change_profile @{var} with just re, namespace
+#=EXRESULT PASS
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   allow change_profile @{var} -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   allow change_profile @{var} -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   allow change_profile @{var} -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   allow change_profile @{var} -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   allow change_profile @{var} -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   allow change_profile @{var} -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   allow change_profile @{var} -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   allow change_profile @{var} -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   allow change_profile @{var} -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   allow change_profile @{var} -> :*:*,
+}
+
+/usr/bin/foo12 {
+   allow change_profile @{var} -> :**:**,
+}
+
+/usr/bin/foo13 {
+   allow change_profile @{var} -> :?:?,
+}
+
+/usr/bin/foo14 {
+   allow change_profile @{var} -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   allow change_profile @{var} -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_8.sd
new file mode 100644
index 000000000..577c6f55f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_allow_re_ok_8.sd
@@ -0,0 +1,47 @@
+#
+#=DESCRIPTION allow change_profile @{var} re with quotes
+#=EXRESULT PASS
+#
+
+@{var}=/test
+
+/usr/bin/foo5 {
+   allow change_profile @{var} -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   allow change_profile @{var} -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   allow change_profile @{var} -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   allow change_profile @{var} -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   allow change_profile @{var} -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   allow change_profile @{var} -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   allow change_profile @{var} -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   allow change_profile @{var} -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   allow change_profile @{var} -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   allow change_profile @{var} -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_1.sd
new file mode 100644
index 000000000..d34b0511d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_2.sd
new file mode 100644
index 000000000..e874142a3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_3.sd
new file mode 100644
index 000000000..b83addccc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_4.sd
new file mode 100644
index 000000000..e04e3ec1a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_5.sd
new file mode 100644
index 000000000..6f3abfe5b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_6.sd
new file mode 100644
index 000000000..5d80b087b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_7.sd
new file mode 100644
index 000000000..f8e1e3272
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_8.sd
new file mode 100644
index 000000000..3adbe1d7d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_bare_bad_1.sd
new file mode 100644
index 000000000..9431b1836
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_bare_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_1.sd
new file mode 100644
index 000000000..d58d557fd
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_2.sd
new file mode 100644
index 000000000..e874142a3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_3.sd
new file mode 100644
index 000000000..b83addccc
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_4.sd
new file mode 100644
index 000000000..a4794d030
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_4.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_5.sd
new file mode 100644
index 000000000..15474aa3a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_6.sd
new file mode 100644
index 000000000..da1546d4b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_6.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_7.sd
new file mode 100644
index 000000000..b13e8ab96
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_7.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   audit owner change_profile @{var} -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_8.sd
new file mode 100644
index 000000000..7f3bc7867
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ao_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   audit owner change_profile @{var} -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_bare_ok_1.sd
new file mode 100644
index 000000000..d510a9cd1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_bare_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_d_bare_ok_1.sd
new file mode 100644
index 000000000..d9fe63a28
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_bare_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_1.sd
new file mode 100644
index 000000000..1dbbd25a4
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_2.sd
new file mode 100644
index 000000000..89bae60d7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_3.sd
new file mode 100644
index 000000000..c1707ab9b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_4.sd
new file mode 100644
index 000000000..9f13bee49
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_5.sd
new file mode 100644
index 000000000..add3b5169
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile @{var} with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_6.sd
new file mode 100644
index 000000000..32b7ad58c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_6.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION deny change_profile @{var} with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_7.sd
new file mode 100644
index 000000000..ff76f0ea3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_7.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION deny change_profile @{var} to a hat with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_d_ok_8.sd
new file mode 100644
index 000000000..1ba48547d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_ok_8.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION deny change_profile @{var} with name space with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_1.sd
new file mode 100644
index 000000000..6bc441d9c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_1.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION deny change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile @{var} -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile @{var} -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_2.sd
new file mode 100644
index 000000000..8d2008bae
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_2.sd
@@ -0,0 +1,70 @@
+#
+#=DESCRIPTION deny change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   deny change_profile @{var} -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   deny change_profile @{var} -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile @{var} -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   deny change_profile @{var} -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   deny change_profile @{var} -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   deny change_profile @{var} -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   deny change_profile @{var} -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   deny change_profile @{var} -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   deny change_profile @{var} -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile @{var} -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   deny change_profile @{var} -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   deny change_profile @{var} -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   deny change_profile @{var} -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_3.sd
new file mode 100644
index 000000000..c5a0e6bff
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_3.sd
@@ -0,0 +1,68 @@
+#
+#=DESCRIPTION deny change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   deny change_profile @{var} -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   deny change_profile @{var} -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile @{var} -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   deny change_profile @{var} -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   deny change_profile @{var} -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   deny change_profile @{var} -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   deny change_profile @{var} -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   deny change_profile @{var} -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   deny change_profile @{var} -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile @{var} -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   deny change_profile @{var} -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   deny change_profile @{var} -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   deny change_profile @{var} -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_4.sd
new file mode 100644
index 000000000..75ebc61e9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_4.sd
@@ -0,0 +1,52 @@
+#
+#=DESCRIPTION deny change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile @{var} -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   deny change_profile @{var} -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   deny change_profile @{var} -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   deny change_profile @{var} -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   deny change_profile @{var} -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   deny change_profile @{var} -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   deny change_profile @{var} -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   deny change_profile @{var} -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_5.sd
new file mode 100644
index 000000000..be35cad04
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_5.sd
@@ -0,0 +1,26 @@
+#
+#=DESCRIPTION deny change_profile @{var} with just res
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> *,
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> **,
+}
+
+/usr/bin/foo3 {
+   deny change_profile @{var} -> ?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile @{var} -> [ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_6.sd
new file mode 100644
index 000000000..54d3f8c7f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_6.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION deny change_profile @{var} with just res, child profile
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> *//ab,
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> **//ab,
+}
+
+/usr/bin/foo3 {
+   deny change_profile @{var} -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   deny change_profile @{var} -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   deny change_profile @{var} -> ab//*,
+}
+
+/usr/bin/foo7 {
+   deny change_profile @{var} -> ab//**,
+}
+
+/usr/bin/foo8 {
+   deny change_profile @{var} -> ab//?,
+}
+
+/usr/bin/foo9 {
+   deny change_profile @{var} -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   deny change_profile @{var} -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   deny change_profile @{var} -> *//*,
+}
+
+/usr/bin/foo12 {
+   deny change_profile @{var} -> **//*,
+}
+
+/usr/bin/foo13 {
+   deny change_profile @{var} -> ?//*,
+}
+
+/usr/bin/foo14 {
+   deny change_profile @{var} -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   deny change_profile @{var} -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_7.sd
new file mode 100644
index 000000000..29a34c8d2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_7.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION deny change_profile @{var} with just re, namespace
+#=EXRESULT PASS
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   deny change_profile @{var} -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   deny change_profile @{var} -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   deny change_profile @{var} -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   deny change_profile @{var} -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   deny change_profile @{var} -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   deny change_profile @{var} -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   deny change_profile @{var} -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   deny change_profile @{var} -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   deny change_profile @{var} -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   deny change_profile @{var} -> :*:*,
+}
+
+/usr/bin/foo12 {
+   deny change_profile @{var} -> :**:**,
+}
+
+/usr/bin/foo13 {
+   deny change_profile @{var} -> :?:?,
+}
+
+/usr/bin/foo14 {
+   deny change_profile @{var} -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   deny change_profile @{var} -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_8.sd
new file mode 100644
index 000000000..94c9192b0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_d_re_ok_8.sd
@@ -0,0 +1,47 @@
+#
+#=DESCRIPTION deny change_profile @{var} re with quotes
+#=EXRESULT PASS
+#
+
+@{var}=/test
+
+/usr/bin/foo5 {
+   deny change_profile @{var} -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   deny change_profile @{var} -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   deny change_profile @{var} -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   deny change_profile @{var} -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   deny change_profile @{var} -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   deny change_profile @{var} -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   deny change_profile @{var} -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   deny change_profile @{var} -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   deny change_profile @{var} -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   deny change_profile @{var} -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_1.sd
new file mode 100644
index 000000000..9fd49f8fe
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_2.sd
new file mode 100644
index 000000000..6f309533d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_3.sd
new file mode 100644
index 000000000..1db27952b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_4.sd
new file mode 100644
index 000000000..e85d3bdff
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_5.sd
new file mode 100644
index 000000000..a376567f0
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_6.sd
new file mode 100644
index 000000000..b8f3a8a77
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_7.sd
new file mode 100644
index 000000000..1247deb4e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bad_8.sd
new file mode 100644
index 000000000..0f243e0bf
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_da_bare_bad_1.sd
new file mode 100644
index 000000000..e60f05c5e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_bare_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_1.sd
new file mode 100644
index 000000000..35e88d48d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_1.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> /bin/*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_2.sd
new file mode 100644
index 000000000..6f309533d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_3.sd
new file mode 100644
index 000000000..1db27952b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_4.sd
new file mode 100644
index 000000000..1fe984724
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_4.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_5.sd
new file mode 100644
index 000000000..c924fffe7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_6.sd
new file mode 100644
index 000000000..b43b7a105
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_6.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_7.sd
new file mode 100644
index 000000000..209bae6bf
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_7.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   deny audit change_profile @{var} -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_8.sd
new file mode 100644
index 000000000..1c9abf1bf
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_da_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION deny audit is wrong order for prefixes
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   deny audit change_profile @{var} -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_1.sd
new file mode 100644
index 000000000..b5c7aa103
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_2.sd
new file mode 100644
index 000000000..b9698b0da
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_3.sd
new file mode 100644
index 000000000..1817d034d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_4.sd
new file mode 100644
index 000000000..80b599312
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_5.sd
new file mode 100644
index 000000000..4f15f19bd
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_6.sd
new file mode 100644
index 000000000..9992c38b9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_7.sd
new file mode 100644
index 000000000..198a3e46b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bad_8.sd
new file mode 100644
index 000000000..6bfce7cba
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_do_bare_bad_1.sd
new file mode 100644
index 000000000..647d1287b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_bare_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_1.sd
new file mode 100644
index 000000000..4c26beb9a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_2.sd
new file mode 100644
index 000000000..b9698b0da
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_3.sd
new file mode 100644
index 000000000..1817d034d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_4.sd
new file mode 100644
index 000000000..e64ba0058
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_4.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_5.sd
new file mode 100644
index 000000000..21999c291
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_6.sd
new file mode 100644
index 000000000..0b77c8e8e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_6.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_7.sd
new file mode 100644
index 000000000..a6ca518f5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_7.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   deny owner change_profile @{var} -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_8.sd
new file mode 100644
index 000000000..3a78dfc96
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_do_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   deny owner change_profile @{var} -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_1.sd
new file mode 100644
index 000000000..083e0c4ea
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_2.sd
new file mode 100644
index 000000000..c93cdb00a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_3.sd
new file mode 100644
index 000000000..b95da0e13
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_4.sd
new file mode 100644
index 000000000..e5c903a88
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_5.sd
new file mode 100644
index 000000000..79565e8fe
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_6.sd
new file mode 100644
index 000000000..437ff6d91
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> "/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_7.sd
new file mode 100644
index 000000000..bfbefaa3b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> "/bin/foo//bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bad_8.sd
new file mode 100644
index 000000000..e98b8b898
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> ":foo:/bin/foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_o_bare_bad_1.sd
new file mode 100644
index 000000000..725267009
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_bare_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var},
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_1.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_1.sd
new file mode 100644
index 000000000..d699e5c88
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> /bin/*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_2.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_2.sd
new file mode 100644
index 000000000..c93cdb00a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_3.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_3.sd
new file mode 100644
index 000000000..b95da0e13
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_4.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_4.sd
new file mode 100644
index 000000000..0b6241150
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_4.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> @{LIBVIRT}-fo*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_5.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_5.sd
new file mode 100644
index 000000000..5cd70d049
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> *,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_6.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_6.sd
new file mode 100644
index 000000000..9642418ba
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_6.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> *//ab,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_7.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_7.sd
new file mode 100644
index 000000000..6d84fdaaf
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_7.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   owner change_profile @{var} -> :ab:*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_8.sd b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_8.sd
new file mode 100644
index 000000000..8d4f32eb7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_o_re_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed in change_profile rule
+#=EXRESULT FAIL
+#
+
+/usr/bin/foo5 {
+   owner change_profile @{var} -> "/bin/*",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_1.sd
new file mode 100644
index 000000000..87a1e94e7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_2.sd
new file mode 100644
index 000000000..d70c7514f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_3.sd
new file mode 100644
index 000000000..c4bc9affe
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_4.sd
new file mode 100644
index 000000000..babb0939b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_4.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_5.sd
new file mode 100644
index 000000000..f98414768
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_5.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION change_profile @{var} with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_6.sd
new file mode 100644
index 000000000..af14894f8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_6.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION change_profile @{var} with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_7.sd
new file mode 100644
index 000000000..94921314e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_7.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION change_profile @{var} to a hat with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_ok_8.sd
new file mode 100644
index 000000000..797398a76
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_ok_8.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION change_profile @{var} with name space with quotes
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_1.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_1.sd
new file mode 100644
index 000000000..7c103cce2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_1.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION change_profile @{var}
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> /bin/*,
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> /bin/**,
+}
+
+/usr/bin/foo3 {
+   change_profile @{var} -> /bin/?,
+}
+
+/usr/bin/foo4 {
+   change_profile @{var} -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+   change_profile @{var} -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_2.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_2.sd
new file mode 100644
index 000000000..09e48e7ec
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_2.sd
@@ -0,0 +1,70 @@
+#
+#=DESCRIPTION change_profile @{var} to a hat
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+   change_profile @{var} -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+   change_profile @{var} -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+   change_profile @{var} -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+   change_profile @{var} -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+   change_profile @{var} -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+   change_profile @{var} -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+   change_profile @{var} -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+   change_profile @{var} -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+   change_profile @{var} -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+   change_profile @{var} -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+   change_profile @{var} -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+   change_profile @{var} -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+   change_profile @{var} -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+   change_profile @{var} -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_3.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_3.sd
new file mode 100644
index 000000000..44e38cdb7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_3.sd
@@ -0,0 +1,68 @@
+#
+#=DESCRIPTION change_profile @{var} with name space
+#=EXRESULT PASS
+#
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+   change_profile @{var} -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+   change_profile @{var} -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+   change_profile @{var} -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+   change_profile @{var} -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+   change_profile @{var} -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+   change_profile @{var} -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+   change_profile @{var} -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+   change_profile @{var} -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+   change_profile @{var} -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+   change_profile @{var} -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+   change_profile @{var} -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+   change_profile @{var} -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+   change_profile @{var} -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+   change_profile @{var} -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_4.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_4.sd
new file mode 100644
index 000000000..99f246228
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_4.sd
@@ -0,0 +1,52 @@
+#
+#=DESCRIPTION change_profile @{var} with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+   change_profile @{var} -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+   change_profile @{var} -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+   change_profile @{var} -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+   change_profile @{var} -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+   change_profile @{var} -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+   change_profile @{var} -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+   change_profile @{var} -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+   change_profile @{var} -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+   change_profile @{var} -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_5.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_5.sd
new file mode 100644
index 000000000..40d1d5b3b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_5.sd
@@ -0,0 +1,26 @@
+#
+#=DESCRIPTION change_profile @{var} with just res
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> *,
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> **,
+}
+
+/usr/bin/foo3 {
+   change_profile @{var} -> ?,
+}
+
+/usr/bin/foo4 {
+   change_profile @{var} -> [ab],
+}
+
+/usr/bin/foo5 {
+   change_profile @{var} -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_6.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_6.sd
new file mode 100644
index 000000000..ca4590ebf
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_6.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION change_profile @{var} with just res, child profile
+#=EXRESULT PASS
+#
+
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> *//ab,
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> **//ab,
+}
+
+/usr/bin/foo3 {
+   change_profile @{var} -> ?//ab,
+}
+
+/usr/bin/foo4 {
+   change_profile @{var} -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+   change_profile @{var} -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+   change_profile @{var} -> ab//*,
+}
+
+/usr/bin/foo7 {
+   change_profile @{var} -> ab//**,
+}
+
+/usr/bin/foo8 {
+   change_profile @{var} -> ab//?,
+}
+
+/usr/bin/foo9 {
+   change_profile @{var} -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+   change_profile @{var} -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+   change_profile @{var} -> *//*,
+}
+
+/usr/bin/foo12 {
+   change_profile @{var} -> **//*,
+}
+
+/usr/bin/foo13 {
+   change_profile @{var} -> ?//*,
+}
+
+/usr/bin/foo14 {
+   change_profile @{var} -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+   change_profile @{var} -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_7.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_7.sd
new file mode 100644
index 000000000..7d7cdfd63
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_7.sd
@@ -0,0 +1,66 @@
+#
+#=DESCRIPTION change_profile @{var} with just re, namespace
+#=EXRESULT PASS
+#
+
+
+@{var}=/test
+/usr/bin/foo {
+   change_profile @{var} -> :ab:*,
+}
+
+/usr/bin/foo2 {
+   change_profile @{var} -> :ab:**,
+}
+
+/usr/bin/foo3 {
+   change_profile @{var} -> :ab:?,
+}
+
+/usr/bin/foo4 {
+   change_profile @{var} -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+   change_profile @{var} -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+   change_profile @{var} -> :*:ab,
+}
+
+/usr/bin/foo7 {
+   change_profile @{var} -> :**:ab,
+}
+
+/usr/bin/foo8 {
+   change_profile @{var} -> :?:ab,
+}
+
+/usr/bin/foo9 {
+   change_profile @{var} -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+   change_profile @{var} -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+   change_profile @{var} -> :*:*,
+}
+
+/usr/bin/foo12 {
+   change_profile @{var} -> :**:**,
+}
+
+/usr/bin/foo13 {
+   change_profile @{var} -> :?:?,
+}
+
+/usr/bin/foo14 {
+   change_profile @{var} -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+   change_profile @{var} -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/onxvar_re_ok_8.sd b/parser/tst/simple_tests/change_profile/onxvar_re_ok_8.sd
new file mode 100644
index 000000000..33eb727b7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/onxvar_re_ok_8.sd
@@ -0,0 +1,47 @@
+#
+#=DESCRIPTION change_profile @{var} re with quotes
+#=EXRESULT PASS
+#
+
+@{var}=/test
+
+/usr/bin/foo5 {
+   change_profile @{var} -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+   change_profile @{var} -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+   change_profile @{var} -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+   change_profile @{var} -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+   change_profile @{var} -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+   change_profile @{var} -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+   change_profile @{var} -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+   change_profile @{var} -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+   change_profile @{var} -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+   change_profile @{var} -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/conditional/stress_1.sd b/parser/tst/simple_tests/conditional/stress_1.sd
index f2d6218d5..689c78490 100644
--- a/parser/tst/simple_tests/conditional/stress_1.sd
+++ b/parser/tst/simple_tests/conditional/stress_1.sd
@@ -1,4 +1,4 @@
-#=DESCRIPTON simple stress test nested ifs
+#=DESCRIPTION simple stress test nested ifs
 #=EXRESULT PASS
 $a1 = true
 $a2 = true
diff --git a/parser/tst/simple_tests/file/var1_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/var1_ok_audit_deny_link.sd
new file mode 100644
index 000000000..e806a2057
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  audit deny link @{var} -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var1_ok_deny_link.sd b/parser/tst/simple_tests/file/var1_ok_deny_link.sd
new file mode 100644
index 000000000..8074a4e77
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  deny link @{var} -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var1_ok_link_1.sd b/parser/tst/simple_tests/file/var1_ok_link_1.sd
new file mode 100644
index 000000000..9ea1db037
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  @{var} rl,
+  /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_ok_link_2.sd b/parser/tst/simple_tests/file/var1_ok_link_2.sd
new file mode 100644
index 000000000..fae61f69b
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link @{var} -> @{var},
+  @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_ok_link_3.sd b/parser/tst/simple_tests/file/var1_ok_link_3.sd
new file mode 100644
index 000000000..3dccf987b
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link subset @{var} -> @{var},
+  @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/var1_src_ok_audit_deny_link.sd
new file mode 100644
index 000000000..03f26009c
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  audit deny link @{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_deny_link.sd b/parser/tst/simple_tests/file/var1_src_ok_deny_link.sd
new file mode 100644
index 000000000..063c6eddd
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  deny link @{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_link_1.sd b/parser/tst/simple_tests/file/var1_src_ok_link_1.sd
new file mode 100644
index 000000000..9ea1db037
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  @{var} rl,
+  /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_link_2.sd b/parser/tst/simple_tests/file/var1_src_ok_link_2.sd
new file mode 100644
index 000000000..d02822c90
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link @{var} -> /tmp/**,
+  /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_link_3.sd b/parser/tst/simple_tests/file/var1_src_ok_link_3.sd
new file mode 100644
index 000000000..c48af606a
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link subset @{var} -> /tmp/**,
+  /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_target_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/var1_target_ok_audit_deny_link.sd
new file mode 100644
index 000000000..9c5a08c1e
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  audit deny link /alpha/beta -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var1_target_ok_deny_link.sd b/parser/tst/simple_tests/file/var1_target_ok_deny_link.sd
new file mode 100644
index 000000000..03c4bb648
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  deny link /alpha/beta -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var1_target_ok_link_1.sd b/parser/tst/simple_tests/file/var1_target_ok_link_1.sd
new file mode 100644
index 000000000..7841cb342
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  /alpha/beta rl,
+  /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_target_ok_link_2.sd b/parser/tst/simple_tests/file/var1_target_ok_link_2.sd
new file mode 100644
index 000000000..219a56ee2
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link /alpha/beta -> @{var},
+  @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_target_ok_link_3.sd b/parser/tst/simple_tests/file/var1_target_ok_link_3.sd
new file mode 100644
index 000000000..aecf731b8
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link subset /alpha/beta -> @{var},
+  @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/var2_ok_audit_deny_link.sd
new file mode 100644
index 000000000..3f7211bdf
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  audit deny link /foo@{var} -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_deny_link.sd b/parser/tst/simple_tests/file/var2_ok_deny_link.sd
new file mode 100644
index 000000000..eed94b94b
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  deny link /foo@{var} -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_link_1.sd b/parser/tst/simple_tests/file/var2_ok_link_1.sd
new file mode 100644
index 000000000..fe1b2dcf8
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  /foo@{var} rl,
+  /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_link_2.sd b/parser/tst/simple_tests/file/var2_ok_link_2.sd
new file mode 100644
index 000000000..7d496b9c2
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link /foo@{var} -> /foo@{var},
+  /foo@{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_link_3.sd b/parser/tst/simple_tests/file/var2_ok_link_3.sd
new file mode 100644
index 000000000..026b8aa87
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link subset /foo@{var} -> /foo@{var},
+  /foo@{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/var2_src_ok_audit_deny_link.sd
new file mode 100644
index 000000000..2d880b19c
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  audit deny link /foo@{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_deny_link.sd b/parser/tst/simple_tests/file/var2_src_ok_deny_link.sd
new file mode 100644
index 000000000..a6c4bace6
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  deny link /foo@{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_link_1.sd b/parser/tst/simple_tests/file/var2_src_ok_link_1.sd
new file mode 100644
index 000000000..fe1b2dcf8
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  /foo@{var} rl,
+  /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_link_2.sd b/parser/tst/simple_tests/file/var2_src_ok_link_2.sd
new file mode 100644
index 000000000..5bc6ef81c
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link /foo@{var} -> /tmp/**,
+  /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_link_3.sd b/parser/tst/simple_tests/file/var2_src_ok_link_3.sd
new file mode 100644
index 000000000..0bdd95fc4
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link subset /foo@{var} -> /tmp/**,
+  /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/var2_target_ok_audit_deny_link.sd
new file mode 100644
index 000000000..675c3e85b
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  audit deny link /alpha/beta -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_deny_link.sd b/parser/tst/simple_tests/file/var2_target_ok_deny_link.sd
new file mode 100644
index 000000000..83321243f
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  deny link /alpha/beta -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_link_1.sd b/parser/tst/simple_tests/file/var2_target_ok_link_1.sd
new file mode 100644
index 000000000..7841cb342
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  /alpha/beta rl,
+  /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_link_2.sd b/parser/tst/simple_tests/file/var2_target_ok_link_2.sd
new file mode 100644
index 000000000..5ca93a7d2
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link /alpha/beta -> /foo@{var},
+  /foo@{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_link_3.sd b/parser/tst/simple_tests/file/var2_target_ok_link_3.sd
new file mode 100644
index 000000000..db366003f
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link subset /alpha/beta -> /foo@{var},
+  /foo@{var} r,
+}
+
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad_debug_1.sd b/parser/tst/simple_tests/profile/flags/flags_bad_debug_1.sd
new file mode 100644
index 000000000..633e0f9fc
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad_debug_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION Ensure debug flag is no longer accepted
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(debug) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}
+
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad_debug_2.sd b/parser/tst/simple_tests/profile/flags/flags_bad_debug_2.sd
new file mode 100644
index 000000000..70710a867
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad_debug_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION Ensure debug flag is no longer accepted
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+/does/not/exist2 flags=(audit,debug) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist2 r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad_debug_3.sd b/parser/tst/simple_tests/profile/flags/flags_bad_debug_3.sd
new file mode 100644
index 000000000..028862221
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad_debug_3.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION Ensure debug flag is no longer accepted
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+/does/not/exist3 flags=(debug,complain) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist5 r,
+}
+
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad.sd b/parser/tst/simple_tests/profile/flags/flags_bad_debug_4.sd
similarity index 51%
rename from parser/tst/simple_tests/profile/flags/flags_bad.sd
rename to parser/tst/simple_tests/profile/flags/flags_bad_debug_4.sd
index bcd8c641c..9f3c5255f 100644
--- a/parser/tst/simple_tests/profile/flags/flags_bad.sd
+++ b/parser/tst/simple_tests/profile/flags/flags_bad_debug_4.sd
@@ -4,20 +4,6 @@
 # vim:syntax=subdomain
 # Last Modified: Sun Apr 17 19:44:44 2005
 #
-/does/not/exist flags=(debug) {
-  /usr/X11R6/lib/lib*so* r,
-  /does/not/exist r,
-}
-
-/does/not/exist2 flags=(audit,debug) {
-  /usr/X11R6/lib/lib*so* r,
-  /does/not/exist2 r,
-}
-
-/does/not/exist3 flags=(debug,complain) {
-  /usr/X11R6/lib/lib*so* r,
-  /does/not/exist5 r,
-}
 
 /does/not/exist4 flags=(audit,complain) {
   /usr/X11R6/lib/lib*so* r,
diff --git a/parser/tst/simple_tests/signal/rtsig_01.sd b/parser/tst/simple_tests/signal/rtsig_01.sd
index 2b8feb28a..a4c90d048 100644
--- a/parser/tst/simple_tests/signal/rtsig_01.sd
+++ b/parser/tst/simple_tests/signal/rtsig_01.sd
@@ -1,6 +1,6 @@
 #
 #=DESCRIPTION simple rtsig test
-#=EXRESULT=PASS
+#=EXRESULT PASS
 #
 
 /usr/bin/signal-test {
diff --git a/parser/tst/simple_tests/signal/rtsig_02.sd b/parser/tst/simple_tests/signal/rtsig_02.sd
index 8abab4649..3bba6dcf4 100644
--- a/parser/tst/simple_tests/signal/rtsig_02.sd
+++ b/parser/tst/simple_tests/signal/rtsig_02.sd
@@ -1,6 +1,6 @@
 #
 #=DESCRIPTION simple rtsig test
-#=EXRESULT=PASS
+#=EXRESULT PASS
 #
 
 /usr/bin/signal-test {
diff --git a/parser/tst/simple_tests/vars/vars_assignment_reference_1.sd b/parser/tst/simple_tests/vars/vars_assignment_reference_1.sd
index 5196d8d29..87ee4fe05 100644
--- a/parser/tst/simple_tests/vars/vars_assignment_reference_1.sd
+++ b/parser/tst/simple_tests/vars/vars_assignment_reference_1.sd
@@ -1,5 +1,5 @@
 #=DESCRIPTION set variable assignment using set variable as rvalue
-#=EXRESULT
+#=EXRESULT PASS
 
 @{FOO}=bar baz
 @{BAR}=${FOO} blort
diff --git a/profiles/Makefile b/profiles/Makefile
index 4b2764995..44abdd719 100644
--- a/profiles/Makefile
+++ b/profiles/Makefile
@@ -85,7 +85,7 @@ CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS}, $(wildcard ${PROFILES_SO
 check: check-parser
 
 .PHONY: check-parser
-check-parser:
+check-parser: local
 	@echo "*** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_SOURCE} against apparmor_parser"
 	$(Q)for profile in ${CHECK_PROFILES} ; do \
 	        [ -n "${VERBOSE}" ] && echo "Testing $${profile}" ; \
@@ -93,6 +93,6 @@ check-parser:
 	done
 
 .PHONY: check-logprof
-check-logprof:
+check-logprof: local
 	@echo "*** Checking profiles from ${PROFILES_SOURCE} against logprof"
 	$(Q)${LOGPROF} -d ${PROFILES_SOURCE} -f /dev/null || exit 1
diff --git a/profiles/apparmor.d/abstractions/samba b/profiles/apparmor.d/abstractions/samba
index 87e0b2d15..87a6f90bb 100644
--- a/profiles/apparmor.d/abstractions/samba
+++ b/profiles/apparmor.d/abstractions/samba
@@ -13,7 +13,7 @@
   /usr/share/samba/*.dat r,
   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
   /var/cache/samba/ w,
-  /var/lib/samba/**.tdb rwk,
+  /var/lib/samba/** rwk,
   /var/log/samba/cores/ rw,
   /var/log/samba/cores/** rw,
   /var/log/samba/log.* w,
diff --git a/profiles/apparmor.d/usr.sbin.ntpd b/profiles/apparmor.d/usr.sbin.ntpd
index e7a403d14..d1c3f6f98 100644
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -11,7 +11,7 @@
 
 #include <tunables/global>
 #include <tunables/ntpd>
-/usr/sbin/ntpd {
+/usr/sbin/ntpd flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/openssl>
diff --git a/profiles/apparmor.d/usr.sbin.winbindd b/profiles/apparmor.d/usr.sbin.winbindd
index 5a3e214ff..497d1a5ab 100644
--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
@@ -10,8 +10,12 @@
   capability ipc_lock,
   capability setuid,
 
+  /etc/samba/netlogon_creds_cli.tdb rwk,
   /etc/samba/passdb.tdb{,.tmp} rwk,
   /etc/samba/secrets.tdb rwk,
+  /etc/samba/smbd.tmp/ rw,
+  /etc/samba/smbd.tmp/msg/ rw,
+  /etc/samba/smbd.tmp/msg/* rw,
   @{PROC}/sys/kernel/core_pattern r,
   /tmp/.winbindd/ w,
   /tmp/krb5cc_* rwk,
@@ -21,9 +25,6 @@
   /usr/sbin/winbindd mr,
   /var/cache/krb5rcache/* rw,
   /var/cache/samba/*.tdb rwk,
-  /var/lib/samba/smb_krb5/krb5.conf.* rw,
-  /var/lib/samba/smb_tmp_krb5.* rw,
-  /var/lib/samba/winbindd_cache.tdb* rwk,
   /var/log/samba/log.winbindd rw,
   /{var/,}run/samba/winbindd.pid rwk,
   /{var/,}run/samba/winbindd/ rw,
diff --git a/profiles/apparmor/profiles/extras/usr.lib.postfix.master b/profiles/apparmor/profiles/extras/usr.lib.postfix.master
index 30bf3a5b0..359f46c54 100644
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.master
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.master
@@ -21,7 +21,7 @@
   capability dac_override,
 
   /etc/postfix/master.cf                       r,
-  /{var/spool/postfix/,}pid/master.pid            rw,
+  /{var/spool/postfix/,}pid/master.pid            rwk,
   /{var/spool/postfix/,}private/*                 wl,
   /{var/spool/postfix/,}private/tlsmgr            rwl,
   /{var/spool/postfix/,}public/{cleanup,flush,pickup,qmgr,showq,tlsmgr} rwl,
diff --git a/tests/regression/apparmor/aa_policy_cache.c b/tests/regression/apparmor/aa_policy_cache.c
index b08fd1f8d..d243f06c4 100644
--- a/tests/regression/apparmor/aa_policy_cache.c
+++ b/tests/regression/apparmor/aa_policy_cache.c
@@ -16,111 +16,45 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
 #include <sys/apparmor.h>
 
-#define OPT_CREATE		"create"
-#define OPT_IS_VALID		"is-valid"
 #define OPT_NEW			"new"
-#define OPT_NEW_CREATE		"new-create"
 #define OPT_REMOVE		"remove"
 #define OPT_REMOVE_POLICY	"remove-policy"
 #define OPT_REPLACE_ALL		"replace-all"
+#define OPT_FLAG_MAX_CACHES	"--max-caches"
 
 static void usage(const char *prog)
 {
 	fprintf(stderr,
-		"FAIL - usage: %s %s <PATH>\n"
-		"              %s %s <PATH>\n"
-		"              %s %s <PATH>\n"
-		"              %s %s <PATH>\n"
+		"FAIL - usage: %s %s [%s N] <PATH>\n"
 		"              %s %s <PATH>\n"
 		"              %s %s <PROFILE_NAME>\n"
-		"              %s %s <PATH>\n",
-		prog, OPT_CREATE, prog, OPT_IS_VALID, prog, OPT_NEW,
-		prog, OPT_NEW_CREATE, prog, OPT_REMOVE, prog, OPT_REMOVE_POLICY,
-		prog, OPT_REPLACE_ALL);
+		"              %s %s [%s N] <PATH>\n",
+		prog, OPT_NEW, OPT_FLAG_MAX_CACHES,
+		prog, OPT_REMOVE,
+		prog, OPT_REMOVE_POLICY,
+		prog, OPT_REPLACE_ALL, OPT_FLAG_MAX_CACHES);
 }
 
-static int test_create(const char *path)
+static int test_new(const char *path, uint16_t max_caches)
 {
-	aa_features *features = NULL;
 	aa_policy_cache *policy_cache = NULL;
 	int rc = 1;
 
-	if (aa_features_new_from_kernel(&features)) {
-		perror("FAIL - aa_features_new_from_kernel");
-		goto out;
-	}
-
-	if (aa_policy_cache_new(&policy_cache, features, path, false)) {
-		perror("FAIL - aa_policy_cache_new");
-		goto out;
-	}
-
-	if (aa_policy_cache_create(policy_cache)) {
-		perror("FAIL - aa_policy_cache_create");
-		goto out;
-	}
-
-	rc = 0;
-out:
-	aa_features_unref(features);
-	aa_policy_cache_unref(policy_cache);
-	return rc;
-}
-
-static int test_is_valid(const char *path)
-{
-	aa_features *features = NULL;
-	aa_policy_cache *policy_cache = NULL;
-	int rc = 1;
-
-	if (aa_features_new_from_kernel(&features)) {
-		perror("FAIL - aa_features_new_from_kernel");
-		goto out;
-	}
-
-	if (aa_policy_cache_new(&policy_cache, features, path, false)) {
-		perror("FAIL - aa_policy_cache_new");
-		goto out;
-	}
-
-	if (!aa_policy_cache_is_valid(policy_cache)) {
-		errno = EINVAL;
-		perror("FAIL - aa_policy_cache_is_valid");
-		goto out;
-	}
-
-	rc = 0;
-out:
-	aa_features_unref(features);
-	aa_policy_cache_unref(policy_cache);
-	return rc;
-}
-
-static int test_new(const char *path, bool create)
-{
-	aa_features *features = NULL;
-	aa_policy_cache *policy_cache = NULL;
-	int rc = 1;
-
-	if (aa_features_new_from_kernel(&features)) {
-		perror("FAIL - aa_features_new_from_kernel");
-		goto out;
-	}
-
-	if (aa_policy_cache_new(&policy_cache, features, path, create)) {
+	if (aa_policy_cache_new(&policy_cache, NULL,
+				AT_FDCWD, path, max_caches)) {
 		perror("FAIL - aa_policy_cache_new");
 		goto out;
 	}
 
 	rc = 0;
 out:
-	aa_features_unref(features);
 	aa_policy_cache_unref(policy_cache);
 	return rc;
 }
@@ -129,7 +63,7 @@ static int test_remove(const char *path)
 {
 	int rc = 1;
 
-	if (aa_policy_cache_remove(path)) {
+	if (aa_policy_cache_remove(AT_FDCWD, path)) {
 		perror("FAIL - aa_policy_cache_remove");
 		goto out;
 	}
@@ -141,16 +75,10 @@ out:
 
 static int test_remove_policy(const char *name)
 {
-	aa_features *features = NULL;
 	aa_kernel_interface *kernel_interface = NULL;
 	int rc = 1;
 
-	if (aa_features_new_from_kernel(&features)) {
-		perror("FAIL - aa_features_new_from_kernel");
-		goto out;
-	}
-
-	if (aa_kernel_interface_new(&kernel_interface, features, NULL)) {
+	if (aa_kernel_interface_new(&kernel_interface, NULL, NULL)) {
 		perror("FAIL - aa_kernel_interface_new");
 		goto out;
 	}
@@ -163,22 +91,16 @@ static int test_remove_policy(const char *name)
 	rc = 0;
 out:
 	aa_kernel_interface_unref(kernel_interface);
-	aa_features_unref(features);
 	return rc;
 }
 
-static int test_replace_all(const char *path)
+static int test_replace_all(const char *path, uint16_t max_caches)
 {
-	aa_features *features = NULL;
 	aa_policy_cache *policy_cache = NULL;
 	int rc = 1;
 
-	if (aa_features_new_from_kernel(&features)) {
-		perror("FAIL - aa_features_new_from_kernel");
-		goto out;
-	}
-
-	if (aa_policy_cache_new(&policy_cache, features, path, false)) {
+	if (aa_policy_cache_new(&policy_cache, NULL,
+				AT_FDCWD, path, max_caches)) {
 		perror("FAIL - aa_policy_cache_new");
 		goto out;
 	}
@@ -190,34 +112,51 @@ static int test_replace_all(const char *path)
 
 	rc = 0;
 out:
-	aa_features_unref(features);
 	aa_policy_cache_unref(policy_cache);
 	return rc;
 }
 
 int main(int argc, char **argv)
 {
+	uint16_t max_caches = 0;
+	const char *str = NULL;
 	int rc = 1;
 
-	if (argc != 3) {
+	if (!(argc == 3 || argc == 5)) {
 		usage(argv[0]);
 		exit(1);
 	}
 
-	if (strcmp(argv[1], OPT_CREATE) == 0) {
-		rc = test_create(argv[2]);
-	} else if (strcmp(argv[1], OPT_IS_VALID) == 0) {
-		rc = test_is_valid(argv[2]);
-	} else if (strcmp(argv[1], OPT_NEW) == 0) {
-		rc = test_new(argv[2], false);
-	} else if (strcmp(argv[1], OPT_NEW_CREATE) == 0) {
-		rc = test_new(argv[2], true);
-	} else if (strcmp(argv[1], OPT_REMOVE) == 0) {
-		rc = test_remove(argv[2]);
-	} else if (strcmp(argv[1], OPT_REMOVE_POLICY) == 0) {
-		rc = test_remove_policy(argv[2]);
+	str = argv[argc - 1];
+
+	if (argc == 5) {
+		unsigned long tmp;
+
+		errno = 0;
+		tmp = strtoul(argv[3], NULL, 10);
+		if ((errno == ERANGE && tmp == ULONG_MAX) ||
+		    (errno && tmp == 0)) {
+			perror("FAIL - strtoul");
+			exit(1);
+		}
+
+		if (tmp > UINT16_MAX) {
+			fprintf(stderr, "FAIL - %lu larger than UINT16_MAX\n",
+				tmp);
+			exit(1);
+		}
+
+		max_caches = tmp;
+	}
+
+	if (strcmp(argv[1], OPT_NEW) == 0) {
+		rc = test_new(str, max_caches);
+	} else if (strcmp(argv[1], OPT_REMOVE) == 0 && argc == 3) {
+		rc = test_remove(str);
+	} else if (strcmp(argv[1], OPT_REMOVE_POLICY) == 0 && argc == 3) {
+		rc = test_remove_policy(str);
 	} else if (strcmp(argv[1], OPT_REPLACE_ALL) == 0) {
-		rc = test_replace_all(argv[2]);
+		rc = test_replace_all(str, max_caches);
 	} else {
 		usage(argv[0]);
 	}
diff --git a/tests/regression/apparmor/aa_policy_cache.sh b/tests/regression/apparmor/aa_policy_cache.sh
index fb9a830e1..dfb75a8c9 100755
--- a/tests/regression/apparmor/aa_policy_cache.sh
+++ b/tests/regression/apparmor/aa_policy_cache.sh
@@ -36,7 +36,7 @@ remove_cachedir()
 
 create_empty_cache()
 {
-	$test new-create "$cachedir" > /dev/null
+	$test new --max-caches 1 "$cachedir" > /dev/null
 }
 
 create_cache_files()
@@ -105,28 +105,18 @@ runchecktest "AA_POLICY_CACHE new (no cachedir)" fail new "$cachedir"
 create_cachedir
 runchecktest "AA_POLICY_CACHE new (no .features)" fail new "$cachedir"
 remove_cachedir
-runchecktest "AA_POLICY_CACHE new-create (no cachedir)" pass new-create "$cachedir"
-runchecktest "AA_POLICY_CACHE new-create (existing cache)" pass new-create "$cachedir"
+runchecktest "AA_POLICY_CACHE new create (no cachedir)" pass new --max-caches 1 "$cachedir"
+runchecktest "AA_POLICY_CACHE new create (existing cache)" pass new --max-caches 1 "$cachedir"
 runchecktest "AA_POLICY_CACHE new (existing cache)" pass new "$cachedir"
 
-runchecktest "AA_POLICY_CACHE is-valid (good .features)" pass is-valid "$cachedir"
 install_bad_features_file
-runchecktest "AA_POLICY_CACHE is-valid (bad .features)" fail is-valid "$cachedir"
-remove_cachedir
-runchecktest "AA_POLICY_CACHE is-valid (no cachedir)" fail is-valid "$cachedir"
-
-create_cachedir
-install_bad_features_file
-runchecktest "AA_POLICY_CACHE create (bad .features)" pass create "$cachedir"
-runchecktest "AA_POLICY_CACHE create (good .features)" pass create "$cachedir"
-remove_features_file
-runchecktest "AA_POLICY_CACHE create (no .features)" fail create "$cachedir"
-remove_cachedir
-runchecktest "AA_POLICY_CACHE create (no cachedir)" fail create "$cachedir"
+runchecktest "AA_POLICY_CACHE new (bad .features)" fail new "$cachedir"
+runchecktest "AA_POLICY_CACHE new create (bad .features)" pass new --max-caches 1 "$cachedir"
 
 # Make sure that no test policies are already loaded
 verify_policies_are_not_loaded
 
+remove_cachedir
 runchecktest "AA_POLICY_CACHE replace-all (no cachedir)" fail replace-all "$cachedir"
 create_cachedir
 runchecktest "AA_POLICY_CACHE replace-all (no .features)" fail replace-all "$cachedir"
diff --git a/tests/regression/apparmor/capabilities.sh b/tests/regression/apparmor/capabilities.sh
index 1b5044529..74a3c9024 100644
--- a/tests/regression/apparmor/capabilities.sh
+++ b/tests/regression/apparmor/capabilities.sh
@@ -97,7 +97,7 @@ for TEST in ${TESTS} ; do
 
 	# no capabilities allowed
 	genprofile ${my_entries}
-	if [ "${TEST}" == "syscall_ptrace" -a "$(have_features ptrace)" == "true" ] ; then
+	if [ "${TEST}" == "syscall_ptrace" -a "$(kernel_features ptrace)" == "true" ] ; then
 	    # ptrace between profiles confining tasks of same pid is controlled by the ptrace rule
 	    # capability + ptrace rule needed between pids
 	    runchecktest "${TEST} -- no caps" pass ${my_arg}
@@ -113,7 +113,7 @@ for TEST in ${TESTS} ; do
 	for cap in ${CAPABILITIES} ; do
 		if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
 			expected_result=pass
-		elif [ "${TEST}" == "syscall_ptrace" -a "$(have_features ptrace)" == "true" ]; then
+		elif [ "${TEST}" == "syscall_ptrace" -a "$(kernel_features ptrace)" == "true" ]; then
 			expected_result=pass
 		else
 			expected_result=fail
@@ -126,7 +126,7 @@ for TEST in ${TESTS} ; do
 	# a subprofile.
 	settest ${testwrapper}
 	genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} ${my_entries}
-	if [ "${TEST}" == "syscall_ptrace" -a "$(have_features ptrace)" == "true" ] ; then
+	if [ "${TEST}" == "syscall_ptrace" -a "$(kernel_features ptrace)" == "true" ] ; then
 	    # ptrace between profiles confining tasks of same pid is controlled by the ptrace rule
 	    # capability + ptrace rule needed between pids
 	    runchecktest "${TEST} changehat -- no caps" pass $bin/${TEST} ${my_arg}
@@ -141,7 +141,7 @@ for TEST in ${TESTS} ; do
 	for cap in ${CAPABILITIES} ; do
 		if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
 			expected_result=pass
-		elif [ "${TEST}" == "syscall_ptrace" -a "$(have_features ptrace)" == "true" ]; then
+		elif [ "${TEST}" == "syscall_ptrace" -a "$(kernel_features ptrace)" == "true" ]; then
 			expected_result=pass
 		else
 			expected_result=fail
diff --git a/tests/regression/apparmor/dbus_eavesdrop.sh b/tests/regression/apparmor/dbus_eavesdrop.sh
index fe26b9114..a7f21552f 100755
--- a/tests/regression/apparmor/dbus_eavesdrop.sh
+++ b/tests/regression/apparmor/dbus_eavesdrop.sh
@@ -18,7 +18,8 @@ pwd=`cd $pwd ; /bin/pwd`
 bin=$pwd
 
 . $bin/prologue.inc
-requires_features dbus
+requires_kernel_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 
 args="--session"
diff --git a/tests/regression/apparmor/dbus_message.sh b/tests/regression/apparmor/dbus_message.sh
index 30b159245..27807c429 100755
--- a/tests/regression/apparmor/dbus_message.sh
+++ b/tests/regression/apparmor/dbus_message.sh
@@ -18,7 +18,8 @@ pwd=`cd $pwd ; /bin/pwd`
 bin=$pwd
 
 . $bin/prologue.inc
-requires_features dbus
+requires_kernel_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 
 listnames="--type=method_call --session --name=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames"
diff --git a/tests/regression/apparmor/dbus_service.sh b/tests/regression/apparmor/dbus_service.sh
index 451a6612a..5cd698a28 100755
--- a/tests/regression/apparmor/dbus_service.sh
+++ b/tests/regression/apparmor/dbus_service.sh
@@ -17,7 +17,8 @@ pwd=`cd $pwd ; /bin/pwd`
 bin=$pwd
 
 . $bin/prologue.inc
-requires_features dbus
+requires_kernel_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 
 service="--$bus --name=$dest $path $iface"
diff --git a/tests/regression/apparmor/dbus_unrequested_reply.sh b/tests/regression/apparmor/dbus_unrequested_reply.sh
index 1cfd8d403..e69c8b458 100644
--- a/tests/regression/apparmor/dbus_unrequested_reply.sh
+++ b/tests/regression/apparmor/dbus_unrequested_reply.sh
@@ -17,7 +17,8 @@ pwd=`cd $pwd ; /bin/pwd`
 bin=$pwd
 
 . $bin/prologue.inc
-requires_features dbus
+requires_kernel_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 
 service="--$bus --name=$dest $path $iface"
diff --git a/tests/regression/apparmor/deleted.sh b/tests/regression/apparmor/deleted.sh
index 84a51fc40..9ca937f6d 100755
--- a/tests/regression/apparmor/deleted.sh
+++ b/tests/regression/apparmor/deleted.sh
@@ -65,7 +65,7 @@ okperm=rwl
 badperm=wl
 af_unix=""
 
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(kernel_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
 	af_unix="unix:create"
 fi
 
diff --git a/tests/regression/apparmor/mount.sh b/tests/regression/apparmor/mount.sh
index 86bfecb17..8dc1a88ed 100755
--- a/tests/regression/apparmor/mount.sh
+++ b/tests/regression/apparmor/mount.sh
@@ -102,7 +102,7 @@ runchecktest "UMOUNT (confined no perm)" fail umount ${loop_device} ${mount_poin
 remove_mnt
 
 
-if [ "$(have_features mount)" != "true" ] ; then
+if [ "$(kernel_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
 	genprofile capability:sys_admin
 	runchecktest "MOUNT (confined cap)" pass mount ${loop_device} ${mount_point}
 	remove_mnt
diff --git a/tests/regression/apparmor/named_pipe.sh b/tests/regression/apparmor/named_pipe.sh
index e63456fcc..72bc7361f 100755
--- a/tests/regression/apparmor/named_pipe.sh
+++ b/tests/regression/apparmor/named_pipe.sh
@@ -38,7 +38,7 @@ badchild=r
 # Add genprofile params that are common to all hats here
 common=""
 
-if [ "$(have_features signal)" == "true" ] ; then
+if [ "$(kernel_features signal)" == "true" -a "$(parser_supports 'signal,')" == "true" ] ; then
 	# Allow send/receive of all signals
 	common="${common} signal:ALL"
 fi
diff --git a/tests/regression/apparmor/pivot_root.sh b/tests/regression/apparmor/pivot_root.sh
index 35004fc9b..b68f6cf52 100755
--- a/tests/regression/apparmor/pivot_root.sh
+++ b/tests/regression/apparmor/pivot_root.sh
@@ -106,8 +106,8 @@ do_test "unconfined, bad context" fail "$put_old" "$new_root" "$bad"
 genprofile
 do_test "no perms" fail "$put_old" "$new_root" "$test"
 
-if [ "$(have_features mount)" != "true" ] ; then
-	# pivot_root mediation isn't supported by this kernel, so verify that
+if [ "$(kernel_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
+	# pivot_root mediation isn't supported by this kernel/parser, so verify that
 	# capability sys_admin is sufficient and skip the remaining tests
 	genprofile $cur $cap
 	do_test "cap" pass "$put_old" "$new_root" "$test"
diff --git a/tests/regression/apparmor/prologue.inc b/tests/regression/apparmor/prologue.inc
index 3036cbbf5..f6707ab6e 100755
--- a/tests/regression/apparmor/prologue.inc
+++ b/tests/regression/apparmor/prologue.inc
@@ -22,7 +22,7 @@
 # For this file, functions are first, entry point code is at end, see "MAIN"
 
 #use $() to retreive the failure message or "true" if success
-have_features()
+kernel_features()
 {
 	if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
 		echo "Kernel feature masks not supported."
@@ -40,9 +40,9 @@ have_features()
 	return 0;
 }
 
-requires_features()
+requires_kernel_features()
 {
-	local res=$(have_features $@)
+	local res=$(kernel_features $@)
 	if [ "$res" != "true" ] ; then
 		echo "$res. Skipping tests ..."
 		exit 0
@@ -58,6 +58,30 @@ requires_query_interface()
 	fi
 }
 
+parser_supports()
+{
+	for R in $@ ; do
+		echo "/test { $R }" | $subdomain ${parser_args} -qQT 2>/dev/null 1>/dev/null
+		if [ $? -ne 0 ] ; then
+			echo "Compiler does not support rule '$R'"
+			return 1;
+		fi
+	done
+
+	echo "true"
+	return 0;
+}
+
+requires_parser_support()
+{
+	local res=$(parser_supports $@)
+	if [ "$res" != "true" ] ; then
+		echo "$res. Skipping tests ..."
+		exit 0
+	fi
+}
+
+
 fatalerror()
 {
 	# global _fatal
diff --git a/tests/regression/apparmor/ptrace.c b/tests/regression/apparmor/ptrace.c
index a9dd78512..797ff2f2f 100644
--- a/tests/regression/apparmor/ptrace.c
+++ b/tests/regression/apparmor/ptrace.c
@@ -7,7 +7,9 @@
 #include <sys/ptrace.h>
 #include <signal.h>
 #include <sys/user.h>
+#include <sys/uio.h>
 #include <errno.h>
+#include <elf.h>
 
 #define NUM_CHLD_SYSCALLS 10
 
@@ -34,10 +36,50 @@ int interp_status(int status)
 	return rc;
 }
 
+#ifdef PTRACE_GETREGSET
+#  if defined(__x86_64__) || defined(__i386__)
+#    define ARCH_REGS_STRUCT struct user_regs_struct
+#  elif defined(__aarch64__)
+#    define ARCH_REGS_STRUCT struct user_pt_regs
+#  elif defined(__arm__) || defined(__powerpc__) || defined(__powerpc64__)
+#    define ARCH_REGS_STRUCT struct pt_regs
+#  endif
+
+int read_ptrace_registers(pid_t pid)
+{
+	ARCH_REGS_STRUCT regs;
+	struct iovec iov;
+
+	iov.iov_base = &regs;
+	iov.iov_len = sizeof(regs);
+
+	memset(&regs, 0, sizeof(regs));
+	if (ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov) == -1) {
+		perror("FAIL:  parent ptrace(PTRACE_GETREGS) failed - ");
+		return errno;
+	}
+
+	return 0;
+}
+#else /* ! PTRACE_GETREGSET so use PTRACE_GETREGS instead */
+int read_ptrace_registers(pid_t pid)
+{
+	struct user regs;
+
+	memset(&regs, 0, sizeof(regs));
+	if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) {
+		perror("FAIL:  parent ptrace(PTRACE_GETREGS) failed - ");
+		return errno;
+	}
+
+	return 0;
+}
+#endif
+
+
 /* return 0 on success.  Child failure -errorno, parent failure errno */
 int do_parent(pid_t pid, int trace, int num_syscall)
 {
-	struct user regs;
 	int status, i;
 	unsigned int rc;
 
@@ -88,11 +130,9 @@ int do_parent(pid_t pid, int trace, int num_syscall)
 		if (!WIFSTOPPED(status))
 			return interp_status(status);
 	
-		memset(&regs, 0, sizeof(regs));
-		if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) {
-			perror("FAIL:  parent ptrace(PTRACE_GETREGS) failed - ");
-			return errno;
-		}
+		rc = read_ptrace_registers(pid);
+		if (rc != 0)
+			return rc;
 	}
 
 	if (ptrace(PTRACE_DETACH, pid, NULL, NULL) == -1) {
diff --git a/tests/regression/apparmor/ptrace.sh b/tests/regression/apparmor/ptrace.sh
index 64cdf2412..c33634795 100755
--- a/tests/regression/apparmor/ptrace.sh
+++ b/tests/regression/apparmor/ptrace.sh
@@ -52,7 +52,7 @@ runchecktest "test 2 -h prog" pass -h -n 100 $helper /bin/true
 runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper /bin/true
 
 
-if [ "$(have_features ptrace)" == "true" ] ; then
+if [ "$(kernel_features ptrace)" == "true" -a "$(parser_supports 'ptrace,')" == "true" ] ; then
 	. $bin/ptrace_v6.inc
 else
 	. $bin/ptrace_v5.inc
diff --git a/tests/regression/apparmor/query_label.c b/tests/regression/apparmor/query_label.c
index be945cbd8..bf8dfe936 100644
--- a/tests/regression/apparmor/query_label.c
+++ b/tests/regression/apparmor/query_label.c
@@ -12,6 +12,53 @@
 #define OPT_TYPE_DBUS		"--dbus="
 #define OPT_TYPE_DBUS_LEN	strlen(OPT_TYPE_DBUS)
 
+#define OPT_TYPE_FILE		"--file="
+#define OPT_TYPE_FILE_LEN	strlen(OPT_TYPE_FILE)
+
+#ifndef AA_CLASS_FILE
+#define AA_CLASS_FILE		2
+#endif
+
+#ifndef AA_MAY_EXEC
+#define AA_MAY_EXEC		(1 << 0)
+#endif
+
+#ifndef AA_MAY_WRITE
+#define AA_MAY_WRITE		(1 << 1)
+#endif
+
+#ifndef AA_MAY_READ
+#define AA_MAY_READ		(1 << 2)
+#endif
+
+#ifndef AA_MAY_APPEND
+#define AA_MAY_APPEND		(1 << 3)
+#endif
+
+#ifndef AA_MAY_LINK
+#define AA_MAY_LINK		(1 << 4)
+#endif
+
+#ifndef AA_MAY_LOCK
+#define AA_MAY_LOCK		(1 << 5)
+#endif
+
+#ifndef AA_EXEC_MMAP
+#define AA_EXEC_MMAP		(1 << 6)
+#endif
+
+#ifndef AA_EXEC_PUX
+#define AA_EXEC_PUX		(1 << 7)
+#endif
+
+#ifndef AA_EXEC_UNSAFE
+#define AA_EXEC_UNSAFE		(1 << 8)
+#endif
+
+#ifndef AA_EXEC_INHERIT
+#define AA_EXEC_INHERIT		(1 << 9)
+#endif
+
 static char *progname = NULL;
 
 void usage(void)
@@ -26,9 +73,11 @@ void usage(void)
 	fprintf(stderr, "  LABEL\t\tThe AppArmor label to use in the query\n");
 	fprintf(stderr, "  CLASS\t\tThe rule class and may consist of:\n");
 	fprintf(stderr, "\t\t  dbus\n");
+	fprintf(stderr, "\t\t  file\n");
 	fprintf(stderr, "  PERMS\t\tA comma separated list of permissions. Possibilities\n");
 	fprintf(stderr, "\t\tfor the supported rule classes are:\n");
 	fprintf(stderr, "\t\t  dbus: send,receive,bind\n");
+	fprintf(stderr, "\t\t  file: exec,write,read,append,link,lock,exec_mmap,exec_pux,exec_unsafe,exec_inherit\n");
 	fprintf(stderr, "\t\tAdditionaly, PERMS can be empty to indicate an empty mask\n");
 	exit(1);
 }
@@ -83,6 +132,45 @@ static int parse_dbus_perms(uint32_t *mask, char *perms)
 	return 0;
 }
 
+static int parse_file_perms(uint32_t *mask, char *perms)
+{
+	char *perm;
+
+	*mask = 0;
+
+	perm = strtok(perms, ",");
+	while (perm) {
+		if (!strcmp(perm, "exec"))
+			*mask |= AA_MAY_EXEC;
+		else if (!strcmp(perm, "write"))
+			*mask |= AA_MAY_WRITE;
+		else if (!strcmp(perm, "read"))
+			*mask |= AA_MAY_READ;
+		else if (!strcmp(perm, "append"))
+			*mask |= AA_MAY_APPEND;
+		else if (!strcmp(perm, "link"))
+			*mask |= AA_MAY_LINK;
+		else if (!strcmp(perm, "lock"))
+			*mask |= AA_MAY_LOCK;
+		else if (!strcmp(perm, "exec_mmap"))
+			*mask |= AA_EXEC_MMAP;
+		else if (!strcmp(perm, "exec_pux"))
+			*mask |= AA_EXEC_PUX;
+		else if (!strcmp(perm, "exec_unsafe"))
+			*mask |= AA_EXEC_UNSAFE;
+		else if (!strcmp(perm, "exec_inherit"))
+			*mask |= AA_EXEC_INHERIT;
+		else {
+			fprintf(stderr, "FAIL: unknown perm: %s\n", perm);
+			return 1;
+		}
+
+		perm = strtok(NULL, ",");
+	}
+
+	return 0;
+}
+
 static ssize_t build_query(char **qstr, const char *label, int class,
 			   int argc, char **argv)
 {
@@ -149,6 +237,11 @@ int main(int argc, char **argv)
 		rc = parse_dbus_perms(&mask, class_str + OPT_TYPE_DBUS_LEN);
 		if (rc)
 			usage();
+	} else if (!strncmp(class_str, OPT_TYPE_FILE, OPT_TYPE_FILE_LEN)) {
+		class = AA_CLASS_FILE;
+		rc = parse_file_perms(&mask, class_str + OPT_TYPE_FILE_LEN);
+		if (rc)
+			usage();
 	} else {
 		fprintf(stderr, "FAIL: unknown rule class: %s\n", class_str);
 		usage();
diff --git a/tests/regression/apparmor/query_label.sh b/tests/regression/apparmor/query_label.sh
index 92e588e0a..01ec6d139 100755
--- a/tests/regression/apparmor/query_label.sh
+++ b/tests/regression/apparmor/query_label.sh
@@ -23,7 +23,8 @@ settest query_label
 
 expect=""
 perms=""
-label="--label=$test"
+qprof="/profile/to/query"
+label="--label=$qprof"
 
 dbus_send="--dbus=send"
 dbus_receive="--dbus=receive"
@@ -35,13 +36,16 @@ dbus_none="--dbus="
 dbus_msg_query="session com.foo.bar /usr/bin/bar /com/foo/bar com.foo.bar Method"
 dbus_svc_query="session com.foo.baz"
 
-# Generate a profile for $test, granting all file access and anything specified
-# in $@
+# Generate a profile for $test, granting all file accesses, and $qprof,
+# granting anything specified in $@.
 genqueryprofile()
 {
 	genprofile --stdin <<EOF
 $test {
   file,
+}
+
+$qprof {
   $@
 }
 EOF
@@ -205,3 +209,35 @@ perms dbus send
 querytest "QUERY dbus (svc send)" fail $dbus_svc_query
 perms dbus receive
 querytest "QUERY dbus (svc receive)" fail $dbus_svc_query
+
+genqueryprofile "file,"
+expect allow
+perms file exec,write,read,append,link,lock
+querytest "QUERY file (all base perms #1)" pass /anything
+querytest "QUERY file (all base perms #2)" pass /everything
+
+genqueryprofile "/etc/passwd r,"
+expect allow
+perms file read
+querytest "QUERY file (passwd)" pass /etc/passwd
+querytest "QUERY file (passwd bad path #1)" fail /etc/pass
+querytest "QUERY file (passwd bad path #2)" fail /etc/passwdXXX
+querytest "QUERY file (passwd bad path #3)" fail /etc/passwd/XXX
+perms file write
+querytest "QUERY file (passwd bad perms #1)" fail /etc/passwd
+perms file read,write
+querytest "QUERY file (passwd bad perms #2)" fail /etc/passwd
+
+genqueryprofile "/tmp/ rw,"
+expect allow
+perms file read,write
+querytest "QUERY file (/tmp/)" pass /tmp/
+querytest "QUERY file (/tmp/ bad path)" fail /tmp
+querytest "QUERY file (/tmp/ bad path)" fail /tmp/tmp/
+perms file read
+querytest "QUERY file (/tmp/ read only)" pass /tmp/
+perms file write
+querytest "QUERY file (/tmp/ write only)" pass /tmp/
+expect audit
+perms file read,write
+querytest "QUERY file (/tmp/ wrong dir)" pass /etc/
diff --git a/tests/regression/apparmor/socketpair.c b/tests/regression/apparmor/socketpair.c
index 2959ed32f..491907f2a 100644
--- a/tests/regression/apparmor/socketpair.c
+++ b/tests/regression/apparmor/socketpair.c
@@ -55,7 +55,7 @@ static int verify_confinement_context(int fd, const char *fd_name,
 				      const char *expected_mode)
 {
 	char *label, *mode;
-	int rc;
+	int expected_rc, rc;
 
 	rc = aa_getpeercon(fd, &label, &mode);
 	if (rc < 0) {
@@ -64,9 +64,6 @@ static int verify_confinement_context(int fd, const char *fd_name,
 		return 1;
 	}
 
-	if (!mode)
-		mode = NO_MODE;
-
 	if (strcmp(label, expected_label)) {
 		fprintf(stderr,
 			"FAIL - %s: label \"%s\" != expected_label \"%s\"\n",
@@ -75,7 +72,8 @@ static int verify_confinement_context(int fd, const char *fd_name,
 		goto out;
 	}
 
-	if (strcmp(mode, expected_mode)) {
+	if ((!expected_mode && mode) || (expected_mode && !mode) ||
+	    (expected_mode && mode && strcmp(mode, expected_mode))) {
 		fprintf(stderr,
 			"FAIL - %s: mode \"%s\" != expected_mode \"%s\"\n",
 			fd_name, mode, expected_mode);
@@ -83,6 +81,20 @@ static int verify_confinement_context(int fd, const char *fd_name,
 		goto out;
 	}
 
+	expected_rc = strlen(expected_label);
+	if (expected_mode) {
+		/* ' ' + '(' + expected_mode + ')' */
+		expected_rc += 1 + 1 + strlen(expected_mode) + 1;
+	}
+	expected_rc++; /* Trailing NUL terminator */
+
+	if (rc != expected_rc) {
+		fprintf(stderr, "FAIL - %s: rc (%d) != expected_rc (%d)\n",
+			fd_name, rc, expected_rc);
+		rc = 4;
+		goto out;
+	}
+
 	rc = 0;
 out:
 	free(label);
@@ -163,7 +175,7 @@ int main(int argc, char **argv)
 		exit(2);
 
 	expected_label = argv[1];
-	expected_mode = argv[2];
+	expected_mode = !strcmp(argv[2], NO_MODE) ? NULL : argv[2];
 
 	if (verify_confinement_context(pair[0], "pair[0]",
 				       expected_label, expected_mode)) {
diff --git a/tests/regression/apparmor/socketpair.sh b/tests/regression/apparmor/socketpair.sh
index 378fc0820..423a51d07 100755
--- a/tests/regression/apparmor/socketpair.sh
+++ b/tests/regression/apparmor/socketpair.sh
@@ -34,7 +34,7 @@ af_unix_create=""
 af_unix_create_label=""
 af_unix_inherit=""
 
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(kernel_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
 	# AppArmor requires that the process inheriting the sock file
 	# descriptors have send,receive perms in its profile
 	af_unix_create="unix:(create,getopt)"
diff --git a/tests/regression/apparmor/tcp.sh b/tests/regression/apparmor/tcp.sh
index 73eff1b27..076ca00e7 100755
--- a/tests/regression/apparmor/tcp.sh
+++ b/tests/regression/apparmor/tcp.sh
@@ -15,7 +15,7 @@ pwd=`cd $pwd ; /bin/pwd`
 bin=$pwd
 
 . $bin/prologue.inc
-requires_features network
+requires_kernel_features network
 
 port=34567
 ip="127.0.0.1"
diff --git a/tests/regression/apparmor/unix_fd_server.sh b/tests/regression/apparmor/unix_fd_server.sh
index b38ec689a..0bba807e9 100755
--- a/tests/regression/apparmor/unix_fd_server.sh
+++ b/tests/regression/apparmor/unix_fd_server.sh
@@ -27,7 +27,7 @@ okperm=rw
 badperm=w
 af_unix=""
 
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(kernel_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
 	af_unix="unix:create"
 fi
 
@@ -137,7 +137,7 @@ runchecktest "fd passing; confined -> confined (no perm)" fail $file $socket $fd
 sleep 1
 rm -f ${socket}
 
-if [ "$(have_features policy/versions/v6)" == "true" ] ; then
+if [ "$(kernel_features policy/versions/v6)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
     # FAIL - confined client, no access to the socket file
 
     genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix 
diff --git a/tests/regression/apparmor/unix_socket_abstract.sh b/tests/regression/apparmor/unix_socket_abstract.sh
index 7c14f3e67..21c35e263 100644
--- a/tests/regression/apparmor/unix_socket_abstract.sh
+++ b/tests/regression/apparmor/unix_socket_abstract.sh
@@ -28,8 +28,9 @@ bin=$pwd
 
 . $bin/prologue.inc
 . $bin/unix_socket.inc
-requires_features policy/versions/v7
-requires_features network/af_unix
+requires_kernel_features policy/versions/v7
+requires_kernel_features network/af_unix
+requires_parser_support "unix,"
 
 settest unix_socket
 
diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh
index 078e557e1..c14ac9c99 100755
--- a/tests/regression/apparmor/unix_socket_pathname.sh
+++ b/tests/regression/apparmor/unix_socket_pathname.sh
@@ -27,7 +27,7 @@ pwd=`cd $pwd ; /bin/pwd`
 bin=$pwd
 
 . $bin/prologue.inc
-requires_features policy/versions/v6
+requires_kernel_features policy/versions/v6
 
 settest unix_socket
 
@@ -41,7 +41,7 @@ message=4a0c83d87aaa7afa2baab5df3ee4df630f0046d5bfb7a3080c550b721f401b3b\
 okserver=w
 badserver1=r
 badserver2=
-if [ "$(have_features policy/versions/v7)" == "true" ] ; then
+if [ "$(kernel_features policy/versions/v7)" == "true" ] ; then
 	okserver=rw
 	badserver2=w
 fi
@@ -52,7 +52,7 @@ fi
 # af_unix support requires 'unix getattr' to call getsockname()
 af_unix_okserver=
 af_unix_okclient=
-if [ "$(have_features network/af_unix)" == "true" ] ; then
+if [ "$(kernel_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
 	af_unix_okserver="create,setopt"
 	af_unix_okclient="create,getopt,setopt,getattr"
 fi
diff --git a/tests/regression/apparmor/unix_socket_unnamed.sh b/tests/regression/apparmor/unix_socket_unnamed.sh
index 3293fece7..66bea0a5c 100644
--- a/tests/regression/apparmor/unix_socket_unnamed.sh
+++ b/tests/regression/apparmor/unix_socket_unnamed.sh
@@ -28,8 +28,9 @@ bin=$pwd
 
 . $bin/prologue.inc
 . $bin/unix_socket.inc
-requires_features policy/versions/v7
-requires_features network/af_unix
+requires_kernel_features policy/versions/v7
+requires_kernel_features network/af_unix
+requires_parser_support "unix,"
 
 settest unix_socket
 
diff --git a/utils/aa-audit b/utils/aa-audit
index 59bbb547e..885c663bf 100755
--- a/utils/aa-audit
+++ b/utils/aa-audit
@@ -13,10 +13,13 @@
 #
 # ----------------------------------------------------------------------
 import argparse
-import traceback
 
 import apparmor.tools
 
+# setup exception handling
+from apparmor.fail import enable_aa_exception_handler
+enable_aa_exception_handler()
+
 # setup module translations
 from apparmor.translations import init_translation
 _ = init_translation()
@@ -25,17 +28,10 @@ parser = argparse.ArgumentParser(description=_('Switch the given programs to aud
 parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
 parser.add_argument('-r', '--remove', action='store_true', help=_('remove audit mode'))
 parser.add_argument('program', type=str, nargs='+', help=_('name of program'))
-parser.add_argument('--trace', action='store_true', help=_('Show full trace'))
+parser.add_argument('--no-reload', dest='do_reload', action='store_false', default=True, help=_('Do not reload the profile after modifying it'))
 args = parser.parse_args()
 
-try:
-    tool = apparmor.tools.aa_tools('audit', args)
+tool = apparmor.tools.aa_tools('audit', args)
 
-    tool.cmd_audit()
+tool.cmd_audit()
 
-except Exception as e:
-    if not args.trace:
-        print(e.value + "\n")
-
-    else:
-        traceback.print_exc()
diff --git a/utils/aa-autodep b/utils/aa-autodep
index d81eb499c..deb5be01c 100755
--- a/utils/aa-autodep
+++ b/utils/aa-autodep
@@ -16,6 +16,10 @@ import argparse
 
 import apparmor.tools
 
+# setup exception handling
+from apparmor.fail import enable_aa_exception_handler
+enable_aa_exception_handler()
+
 # setup module translations
 from apparmor.translations import init_translation
 _ = init_translation()
diff --git a/utils/aa-cleanprof b/utils/aa-cleanprof
index ed23d3b39..585479f29 100755
--- a/utils/aa-cleanprof
+++ b/utils/aa-cleanprof
@@ -16,6 +16,10 @@ import argparse
 
 import apparmor.tools
 
+# setup exception handling
+from apparmor.fail import enable_aa_exception_handler
+enable_aa_exception_handler()
+
 # setup module translations
 from apparmor.translations import init_translation
 _ = init_translation()
@@ -24,6 +28,7 @@ parser = argparse.ArgumentParser(description=_('Cleanup the profiles for the giv
 parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
 parser.add_argument('program', type=str, nargs='+', help=_('name of program'))
 parser.add_argument('-s', '--silent', action='store_true', help=_('Silently overwrite with a clean profile'))
+parser.add_argument('--no-reload', dest='do_reload', action='store_false', default=True, help=_('Do not reload the profile after modifying it'))
 args = parser.parse_args()
 
 clean = apparmor.tools.aa_tools('cleanprof', args)
diff --git a/utils/aa-complain b/utils/aa-complain
index 3435fbb3b..0cf19c5f2 100755
--- a/utils/aa-complain
+++ b/utils/aa-complain
@@ -16,6 +16,10 @@ import argparse
 
 import apparmor.tools
 
+# setup exception handling
+from apparmor.fail import enable_aa_exception_handler
+enable_aa_exception_handler()
+
 # setup module translations
 from apparmor.translations import init_translation
 _ = init_translation()
@@ -23,6 +27,7 @@ _ = init_translation()
 parser = argparse.ArgumentParser(description=_('Switch the given program to complain mode'))
 parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
 parser.add_argument('program', type=str, nargs='+', help=_('name of program'))
+parser.add_argument('--no-reload', dest='do_reload', action='store_false', default=True, help=_('Do not reload the profile after modifying it'))
 args = parser.parse_args()
 
 tool = apparmor.tools.aa_tools('complain', args)
diff --git a/utils/aa-disable b/utils/aa-disable
index c12c85a76..49624d21d 100755
--- a/utils/aa-disable
+++ b/utils/aa-disable
@@ -16,6 +16,10 @@ import argparse
 
 import apparmor.tools
 
+# setup exception handling
+from apparmor.fail import enable_aa_exception_handler
+enable_aa_exception_handler()
+
 # setup module translations
 from apparmor.translations import init_translation
 _ = init_translation()
@@ -23,6 +27,7 @@ _ = init_translation()
 parser = argparse.ArgumentParser(description=_('Disable the profile for the given programs'))
 parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
 parser.add_argument('program', type=str, nargs='+', help=_('name of program'))
+parser.add_argument('--no-reload', dest='do_reload', action='store_false', default=True, help=_('Do not unload the profile after modifying it'))
 args = parser.parse_args()
 
 tool = apparmor.tools.aa_tools('disable', args)
diff --git a/utils/aa-easyprof b/utils/aa-easyprof
index 8e2c24fcc..93861aefb 100755
--- a/utils/aa-easyprof
+++ b/utils/aa-easyprof
@@ -14,6 +14,10 @@ from apparmor.easyprof import AppArmorException, error
 import os
 import sys
 
+# setup exception handling
+from apparmor.fail import enable_aa_exception_handler
+enable_aa_exception_handler()
+
 if __name__ == "__main__":
     def usage():
         '''Return usage information'''
diff --git a/utils/aa-enforce b/utils/aa-enforce
index 7f39f3e2d..ff1e7f402 100755
--- a/utils/aa-enforce
+++ b/utils/aa-enforce
@@ -16,6 +16,10 @@ import argparse
 
 import apparmor.tools
 
+# setup exception handling
+from apparmor.fail import enable_aa_exception_handler
+enable_aa_exception_handler()
+
 # setup module translations
 from apparmor.translations import init_translation
 _ = init_translation()
@@ -23,6 +27,7 @@ _ = init_translation()
 parser = argparse.ArgumentParser(description=_('Switch the given program to enforce mode'))
 parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
 parser.add_argument('program', type=str, nargs='+', help=_('name of program'))
+parser.add_argument('--no-reload', dest='do_reload', action='store_false', default=True, help=_('Do not reload the profile after modifying it'))
 args = parser.parse_args()
 
 tool = apparmor.tools.aa_tools('enforce', args)
diff --git a/utils/aa-genprof b/utils/aa-genprof
index 27f6cde00..522908793 100755
--- a/utils/aa-genprof
+++ b/utils/aa-genprof
@@ -23,6 +23,10 @@ import apparmor.aa as apparmor
 import apparmor.ui as aaui
 from apparmor.common import warn
 
+# setup exception handling
+from apparmor.fail import enable_aa_exception_handler
+enable_aa_exception_handler()
+
 # setup module translations
 from apparmor.translations import init_translation
 _ = init_translation()
diff --git a/utils/aa-logprof b/utils/aa-logprof
index 9ee96770d..5d3cb3f84 100755
--- a/utils/aa-logprof
+++ b/utils/aa-logprof
@@ -17,6 +17,10 @@ import os
 
 import apparmor.aa as apparmor
 
+# setup exception handling
+from apparmor.fail import enable_aa_exception_handler
+enable_aa_exception_handler()
+
 # setup module translations
 from apparmor.translations import init_translation
 _ = init_translation()
diff --git a/utils/aa-mergeprof b/utils/aa-mergeprof
index 46cfebb0e..a3f5b5dd1 100755
--- a/utils/aa-mergeprof
+++ b/utils/aa-mergeprof
@@ -17,11 +17,18 @@ import re
 import os
 
 import apparmor.aa
+from apparmor.aa import available_buttons, combine_name, delete_duplicates, is_known_rule, match_includes
 import apparmor.aamode
+from apparmor.common import AppArmorException
+from apparmor.regex import re_match_include
 import apparmor.severity
 import apparmor.cleanprofile as cleanprofile
 import apparmor.ui as aaui
 
+# setup exception handling
+from apparmor.fail import enable_aa_exception_handler
+enable_aa_exception_handler()
+
 # setup module translations
 from apparmor.translations import init_translation
 _ = init_translation()
@@ -43,7 +50,7 @@ profiledir = args.dir
 if profiledir:
     apparmor.aa.profile_dir = apparmor.aa.get_full_path(profiledir)
     if not os.path.isdir(apparmor.aa.profile_dir):
-        raise apparmor.AppArmorException(_("%s is not a directory.") %profiledir)
+        raise AppArmorException(_("%s is not a directory.") %profiledir)
 
 def reset_aa():
     apparmor.aa.aa = apparmor.aa.hasher()
@@ -229,10 +236,13 @@ class Merge(object):
                             return o
                             pass#self.user.aa[profile][hat][allow][path][mode] = (old_mode | new_mode) - (new_mode & conflict_x)
                         else:
-                            raise apparmor.aa.AppArmorException(_('Unknown selection'))
+                            raise AppArmorException(_('Unknown selection'))
                         done = True
 
     def ask_the_questions(self, other, profile):
+        aa = self.user.aa  # keep references so that the code in this function can use the short name
+        changed = apparmor.aa.changed  # (and be more in sync with aa.py ask_the_questions())
+
         if other == 'other':
             other = self.other
         else:
@@ -262,7 +272,7 @@ class Merge(object):
                 done = True
             elif ans == 'CMD_ALLOW':
                 selection = options[selected]
-                inc = apparmor.aa.re_match_include(selection)
+                inc = re_match_include(selection)
                 self.user.filelist[self.user.filename]['include'][inc] = True
                 options.pop(selected)
                 aaui.UI_Info(_('Adding %s to the file.') % selection)
@@ -279,7 +289,7 @@ class Merge(object):
 
             options = []
             for inc in other.aa[profile][hat]['include'].keys():
-                if not inc in self.user.aa[profile][hat]['include'].keys():
+                if not inc in aa[profile][hat]['include'].keys():
                     options.append('#include <%s>' %inc)
 
             default_option = 1
@@ -297,9 +307,9 @@ class Merge(object):
                     done = True
                 elif ans == 'CMD_ALLOW':
                     selection = options[selected]
-                    inc = apparmor.aa.re_match_include(selection)
-                    deleted = apparmor.aa.delete_duplicates(self.user.aa[profile][hat], inc)
-                    self.user.aa[profile][hat]['include'][inc] = True
+                    inc = re_match_include(selection)
+                    deleted = apparmor.aa.delete_duplicates(aa[profile][hat], inc)
+                    aa[profile][hat]['include'][inc] = True
                     options.pop(selected)
                     aaui.UI_Info(_('Adding %s to the file.') % selection)
                     if deleted:
@@ -307,87 +317,16 @@ class Merge(object):
                 elif ans == 'CMD_FINISHED':
                     return
 
-            #Add the capabilities
-            for allow in ['allow', 'deny']:
-                if other.aa[profile][hat].get(allow, False):
-                    continue
-                for capability in sorted(other.aa[profile][hat][allow]['capability'].keys()):
-                    severity = sev_db.rank('CAP_%s' % capability)
-                    default_option = 1
-                    options = []
-                    newincludes = apparmor.aa.match_cap_includes(self.user.aa[profile][hat], capability)
-                    q = aaui.PromptQuestion()
-                    if newincludes:
-                        options += list(map(lambda inc: '#include <%s>' %inc, sorted(set(newincludes))))
-
-                    if options:
-                        options.append('capability %s' % capability)
-                        q.options = options
-                        q.selected = default_option - 1
-
-                    q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
-                    q.headers += [_('Capability'), capability]
-                    q.headers += [_('Severity'), severity]
-
-                    audit_toggle = 0
-
-                    q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_ABORT', 'CMD_FINISHED']
-
-                    q.default = 'CMD_ALLOW'
-
-                    done = False
-                    while not done:
-                        ans, selected = q.promptUser()
-                        # Ignore the log entry
-                        if ans == 'CMD_IGNORE_ENTRY':
-                            done = True
-                            break
-
-                        elif ans == 'CMD_FINISHED':
-                            return
-
-                        if ans == 'CMD_ALLOW':
-                            selection = ''
-                            if options:
-                                selection = options[selected]
-                            match = apparmor.aa.re_match_include(selection)
-                            if match:
-                                deleted = False
-                                inc = match
-                                deleted = apparmor.aa.delete_duplicates(self.user.aa[profile][hat], inc)
-                                self.user.aa[profile][hat]['include'][inc] = True
-
-                                aaui.UI_Info(_('Adding %s to profile.') % selection)
-                                if deleted:
-                                    aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
-
-                            self.user.aa[profile][hat]['allow']['capability'][capability]['set'] = True
-                            self.user.aa[profile][hat]['allow']['capability'][capability]['audit'] = other.aa[profile][hat]['allow']['capability'][capability]['audit']
-
-                            apparmor.aa.changed[profile] = True
-
-                            aaui.UI_Info(_('Adding capability %s to profile.'), capability)
-                            done = True
-
-                        elif ans == 'CMD_DENY':
-                            self.user.aa[profile][hat]['deny']['capability'][capability]['set'] = True
-                            apparmor.aa.changed[profile] = True
-
-                            aaui.UI_Info(_('Denying capability %s to profile.') % capability)
-                            done = True
-                        else:
-                            done = False
-
             # Process all the path entries.
             for allow in ['allow', 'deny']:
                 for path in sorted(other.aa[profile][hat][allow]['path'].keys()):
                     #print(path, other.aa[profile][hat][allow]['path'][path])
                     mode = other.aa[profile][hat][allow]['path'][path]['mode']
 
-                    if self.user.aa[profile][hat][allow]['path'].get(path, False):
-                        mode = self.conflict_mode(profile, hat, allow, path, 'mode', other.aa[profile][hat][allow]['path'][path]['mode'], self.user.aa[profile][hat][allow]['path'][path]['mode'])
-                        self.conflict_mode(profile, hat, allow, path, 'audit', other.aa[profile][hat][allow]['path'][path]['audit'], self.user.aa[profile][hat][allow]['path'][path]['audit'])
-                        apparmor.aa.changed[profile] = True
+                    if aa[profile][hat][allow]['path'].get(path, False):
+                        mode = self.conflict_mode(profile, hat, allow, path, 'mode', other.aa[profile][hat][allow]['path'][path]['mode'], aa[profile][hat][allow]['path'][path]['mode'])
+                        self.conflict_mode(profile, hat, allow, path, 'audit', other.aa[profile][hat][allow]['path'][path]['audit'], aa[profile][hat][allow]['path'][path]['audit'])
+                        changed[profile] = True
                         continue
                     # Lookup modes from profile
                     allow_mode = set()
@@ -395,25 +334,25 @@ class Merge(object):
                     deny_mode = set()
                     deny_audit = set()
 
-                    fmode, famode, fm = apparmor.aa.rematchfrag(self.user.aa[profile][hat], 'allow', path)
+                    fmode, famode, fm = apparmor.aa.rematchfrag(aa[profile][hat], 'allow', path)
                     if fmode:
                         allow_mode |= fmode
                     if famode:
                         allow_audit |= famode
 
-                    cm, cam, m = apparmor.aa.rematchfrag(self.user.aa[profile][hat], 'deny', path)
+                    cm, cam, m = apparmor.aa.rematchfrag(aa[profile][hat], 'deny', path)
                     if cm:
                         deny_mode |= cm
                     if cam:
                         deny_audit |= cam
 
-                    imode, iamode, im = apparmor.aa.match_prof_incs_to_path(self.user.aa[profile][hat], 'allow', path)
+                    imode, iamode, im = apparmor.aa.match_prof_incs_to_path(aa[profile][hat], 'allow', path)
                     if imode:
                         allow_mode |= imode
                     if iamode:
                         allow_audit |= iamode
 
-                    cm, cam, m = apparmor.aa.match_prof_incs_to_path(self.user.aa[profile][hat], 'deny', path)
+                    cm, cam, m = apparmor.aa.match_prof_incs_to_path(aa[profile][hat], 'deny', path)
                     if cm:
                         deny_mode |= cm
                     if cam:
@@ -454,7 +393,7 @@ class Merge(object):
                         for incname in apparmor.aa.include.keys():
                             include_valid = False
                             # If already present skip
-                            if self.user.aa[profile][hat][incname]:
+                            if aa[profile][hat][incname]:
                                 continue
                             if incname.startswith(apparmor.aa.profile_dir):
                                 incname = incname.replace(apparmor.aa.profile_dir+'/', '', 1)
@@ -504,7 +443,7 @@ class Merge(object):
                             owner_toggle = apparmor.aa.cfg['settings']['default_owner_prompt']
                         done = False
                         while not done:
-                            q =  aaui.PromptQuestion()
+                            q = aaui.PromptQuestion()
                             q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat),
                                             _('Path'), path]
 
@@ -590,30 +529,29 @@ class Merge(object):
                             elif ans == 'CMD_ALLOW':
                                 path = options[selected]
                                 done = True
-                                match = apparmor.aa.re_match_include(path)
+                                match = re_match_include(path)
                                 if match:
                                     inc = match
-                                    deleted = 0
-                                    deleted = apparmor.aa.delete_duplicates(self.user.aa[profile][hat], inc)
-                                    self.user.aa[profile][hat]['include'][inc] =  True
-                                    apparmor.aa.changed[profile] =  True
+                                    deleted = apparmor.aa.delete_duplicates(aa[profile][hat], inc)
+                                    aa[profile][hat]['include'][inc] = True
+                                    changed[profile] = True
                                     aaui.UI_Info(_('Adding %s to profile.') % path)
                                     if deleted:
                                         aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
 
                                 else:
-                                    if self.user.aa[profile][hat]['allow']['path'][path].get('mode', False):
-                                        mode |= self.user.aa[profile][hat]['allow']['path'][path]['mode']
+                                    if aa[profile][hat]['allow']['path'][path].get('mode', False):
+                                        mode |= aa[profile][hat]['allow']['path'][path]['mode']
                                     deleted = []
-                                    for entry in self.user.aa[profile][hat]['allow']['path'].keys():
+                                    for entry in aa[profile][hat]['allow']['path'].keys():
                                         if path == entry:
                                             continue
 
                                         if apparmor.aa.matchregexp(path, entry):
-                                            if apparmor.aa.mode_contains(mode, self.user.aa[profile][hat]['allow']['path'][entry]['mode']):
+                                            if apparmor.aa.mode_contains(mode, aa[profile][hat]['allow']['path'][entry]['mode']):
                                                 deleted.append(entry)
                                     for entry in deleted:
-                                        self.user.aa[profile][hat]['allow']['path'].pop(entry)
+                                        aa[profile][hat]['allow']['path'].pop(entry)
                                     deleted = len(deleted)
 
                                     if owner_toggle == 0:
@@ -625,19 +563,19 @@ class Merge(object):
                                     elif owner_toggle == 3:
                                         mode = apparmor.aa.owner_flatten_mode(mode)
 
-                                    if not self.user.aa[profile][hat]['allow'].get(path, False):
-                                        self.user.aa[profile][hat]['allow']['path'][path]['mode'] = self.user.aa[profile][hat]['allow']['path'][path].get('mode', set()) | mode
+                                    if not aa[profile][hat]['allow'].get(path, False):
+                                        aa[profile][hat]['allow']['path'][path]['mode'] = aa[profile][hat]['allow']['path'][path].get('mode', set()) | mode
 
 
                                     tmpmode = set()
                                     if audit_toggle == 1:
-                                        tmpmode = mode- allow_mode
+                                        tmpmode = mode - allow_mode
                                     elif audit_toggle == 2:
                                         tmpmode = mode
 
-                                    self.user.aa[profile][hat]['allow']['path'][path]['audit'] = self.user.aa[profile][hat]['allow']['path'][path].get('audit', set()) | tmpmode
+                                    aa[profile][hat]['allow']['path'][path]['audit'] = aa[profile][hat]['allow']['path'][path].get('audit', set()) | tmpmode
 
-                                    apparmor.aa.changed[profile] = True
+                                    changed[profile] = True
 
                                     aaui.UI_Info(_('Adding %(path)s %(mode)s to profile') % { 'path': path, 'mode': apparmor.aa.mode_to_str_user(mode) })
                                     if deleted:
@@ -646,17 +584,17 @@ class Merge(object):
                             elif ans == 'CMD_DENY':
                                 path = options[selected].strip()
                                 # Add new entry?
-                                self.user.aa[profile][hat]['deny']['path'][path]['mode'] = self.user.aa[profile][hat]['deny']['path'][path].get('mode', set()) | (mode - allow_mode)
+                                aa[profile][hat]['deny']['path'][path]['mode'] = aa[profile][hat]['deny']['path'][path].get('mode', set()) | (mode - allow_mode)
 
-                                self.user.aa[profile][hat]['deny']['path'][path]['audit'] = self.user.aa[profile][hat]['deny']['path'][path].get('audit', set())
+                                aa[profile][hat]['deny']['path'][path]['audit'] = aa[profile][hat]['deny']['path'][path].get('audit', set())
 
-                                apparmor.aa.changed[profile] = True
+                                changed[profile] = True
 
                                 done = True
 
                             elif ans == 'CMD_NEW':
                                 arg = options[selected]
-                                if not apparmor.aa.re_match_include(arg):
+                                if not re_match_include(arg):
                                     ans = aaui.UI_GetString(_('Enter new path: '), arg)
 #                                         if ans:
 #                                             if not matchliteral(ans, path):
@@ -670,7 +608,7 @@ class Merge(object):
 
                             elif ans == 'CMD_GLOB':
                                 newpath = options[selected].strip()
-                                if not apparmor.aa.re_match_include(newpath):
+                                if not re_match_include(newpath):
                                     newpath = apparmor.aa.glob_path(newpath)
 
                                     if newpath not in options:
@@ -681,7 +619,7 @@ class Merge(object):
 
                             elif ans == 'CMD_GLOBEXT':
                                 newpath = options[selected].strip()
-                                if not apparmor.aa.re_match_include(newpath):
+                                if not re_match_include(newpath):
                                     newpath = apparmor.aa.glob_path_withext(newpath)
 
                                     if newpath not in options:
@@ -693,40 +631,37 @@ class Merge(object):
                             elif re.search('\d', ans):
                                 default_option = ans
 
-            #
-            for allow in ['allow', 'deny']:
-                for family in sorted(other.aa[profile][hat][allow]['netdomain']['rule'].keys()):
-                    # severity handling for net toggles goes here
+            for ruletype in ['capability', 'network', 'change_profile']:
+                if other.aa[profile][hat].get(ruletype, False): # needed until we have proper profile initialization
+                    for rule_obj in other.aa[profile][hat][ruletype].rules:
 
-                    for sock_type in sorted(other.aa[profile][hat][allow]['netdomain']['rule'][family].keys()):
-                        #if apparmor.aa.profile_known_network(self.user.aa[profile][hat], family, sock_type):
-                        #    continue
-                        # disabled for now because it crashes, for details and impact see
-                        # https://bugs.launchpad.net/apparmor/+bug/1382241
+                        if is_known_rule(aa[profile][hat], ruletype, rule_obj):
+                            continue
 
                         default_option = 1
                         options = []
-                        newincludes = apparmor.aa.match_net_includes(self.user.aa[profile][hat], family, sock_type)
+                        newincludes = match_includes(aa[profile][hat], ruletype, rule_obj)
                         q = aaui.PromptQuestion()
                         if newincludes:
-                            options += list(map(lambda s: '#include <%s>'%s, sorted(set(newincludes))))
-                        if True:#options:
-                            options.append('network %s %s' % (family, sock_type))
-                            q.options = options
-                            q.selected = default_option - 1
+                            options += list(map(lambda inc: '#include <%s>' % inc, sorted(set(newincludes))))
 
-                        q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
-                        q.headers += [_('Network Family'), family]
-                        q.headers += [_('Socket Type'), sock_type]
-
-                        audit_toggle = 0
-                        q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
-                                          'CMD_ABORT', 'CMD_FINISHED']
-
-                        q.default = 'CMD_ALLOW'
+                        options.append(rule_obj.get_clean())
+                        q.options = options
+                        q.selected = default_option - 1
 
                         done = False
                         while not done:
+                            q.headers = [_('Profile'), combine_name(profile, hat)]
+                            q.headers += rule_obj.logprof_header()
+
+                            # Load variables into sev_db? Not needed/used for capabilities and network rules.
+                            severity = rule_obj.severity(sev_db)
+                            if severity != sev_db.NOT_IMPLEMENTED:
+                                q.headers += [_('Severity'), severity]
+
+                            q.functions = available_buttons(rule_obj)
+                            q.default = q.functions[0]
+
                             ans, selected = q.promptUser()
                             if ans == 'CMD_IGNORE_ENTRY':
                                 done = True
@@ -735,50 +670,46 @@ class Merge(object):
                             elif ans == 'CMD_FINISHED':
                                 return
 
-                            if ans.startswith('CMD_AUDIT'):
-                                audit_toggle = not audit_toggle
-                                audit = ''
-                                if audit_toggle:
-                                    audit = 'audit'
-                                    q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_OFF',
-                                                      'CMD_ABORT', 'CMD_FINISHED']
+                            elif ans.startswith('CMD_AUDIT'):
+                                if ans == 'CMD_AUDIT_NEW':
+                                    rule_obj.audit = True
+                                    rule_obj.raw_rule = None
                                 else:
-                                    q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_NEW',
-                                                      'CMD_ABORT', 'CMD_FINISHED']
-                                q.headers = [_('Profile'), apparmor.aa.combine_name(profile, hat)]
-                                q.headers += [_('Network Family'), audit + family]
-                                q.headers += [_('Socket Type'), sock_type]
+                                    rule_obj.audit = False
+                                    rule_obj.raw_rule = None
+
+                                options[len(options) - 1] = rule_obj.get_clean()
+                                q.options = options
 
                             elif ans == 'CMD_ALLOW':
-                                #print(options, selected)
-                                selection = options[selected]
                                 done = True
-                                if apparmor.aa.re_match_include(selection): #re.search('#include\s+<.+>$', selection):
-                                    inc =  apparmor.aa.re_match_include(selection) #re.search('#include\s+<(.+)>$', selection).groups()[0]
-                                    deleted =  0
-                                    deleted = apparmor.aa.delete_duplicates(self.user.aa[profile][hat], inc)
+                                changed[profile] = True
 
-                                    self.user.aa[profile][hat]['include'][inc] = True
+                                selection = options[selected]
 
-                                    apparmor.aa.changed[profile] = True
+                                inc = re_match_include(selection)
+                                if inc:
+                                    deleted = delete_duplicates(aa[profile][hat], inc)
 
-                                    aaui.UI_Info(_('Adding %s to profile') % selection)
+                                    aa[profile][hat]['include'][inc] = True
+
+                                    aaui.UI_Info(_('Adding %s to profile.') % selection)
                                     if deleted:
                                         aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
 
                                 else:
-                                    self.user.aa[profile][hat]['allow']['netdomain']['audit'][family][sock_type] = audit_toggle
-                                    self.user.aa[profile][hat]['allow']['netdomain']['rule'][family][sock_type] = True
+                                    aa[profile][hat][ruletype].add(rule_obj)
 
-                                    apparmor.aa.changed[profile] = True
-
-                                    aaui.UI_Info(_('Adding network access %(family)s %(type)s to profile.') % { 'family': family, 'type': sock_type })
+                                    aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
 
                             elif ans == 'CMD_DENY':
                                 done = True
-                                self.user.aa[profile][hat]['deny']['netdomain']['rule'][family][sock_type] = True
-                                apparmor.aa.changed[profile] = True
-                                aaui.UI_Info(_('Denying network access %(family)s %(type)s to profile') % { 'family': family, 'type': sock_type })
+                                changed[profile] = True
+
+                                rule_obj.deny = True
+                                rule_obj.raw_rule = None  # reset raw rule after manually modifying rule_obj
+                                aa[profile][hat][ruletype].add(rule_obj)
+                                aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
 
                             else:
                                 done = False
diff --git a/utils/aa-sandbox b/utils/aa-sandbox
index 69714e56b..b10896e72 100755
--- a/utils/aa-sandbox
+++ b/utils/aa-sandbox
@@ -14,6 +14,10 @@ from apparmor.common import error
 import optparse
 import sys
 
+# setup exception handling
+from apparmor.fail import enable_aa_exception_handler
+enable_aa_exception_handler()
+
 if __name__ == "__main__":
     argv = sys.argv
     parser = optparse.OptionParser()
diff --git a/utils/aa-status b/utils/aa-status
index 9a18285d7..472b993af 100755
--- a/utils/aa-status
+++ b/utils/aa-status
@@ -10,7 +10,11 @@
 #
 # ------------------------------------------------------------------
 
-import re, os, sys
+import re, os, sys, errno
+
+# setup exception handling
+from apparmor.fail import enable_aa_exception_handler
+enable_aa_exception_handler()
 
 def cmd_enabled():
     '''Returns error code if AppArmor is not enabled'''
@@ -85,14 +89,21 @@ def get_profiles():
         sys.exit(3)
 
     apparmor_profiles = os.path.join(apparmorfs, "profiles")
-    if not os.access(apparmor_profiles, os.R_OK):
-        errormsg("You do not have enough privilege to read the profile set.")
+    try:
+        f = open(apparmor_profiles)
+    except IOError as e:
+        if e.errno == errno.EACCES:
+            errormsg("You do not have enough privilege to read the profile set.")
+        else:
+            errormsg("Could not open %s: %s" % (apparmor_profiles, os.strerror(e.errno)))
         sys.exit(4)
 
-    for p in open(apparmor_profiles).readlines():
+    for p in f.readlines():
         match = re.search("^([^\(]+)\s+\((\w+)\)$", p)
         profiles[match.group(1)] = match.group(2)
 
+    f.close()
+
     return profiles
 
 def get_processes(profiles):
diff --git a/utils/aa-unconfined b/utils/aa-unconfined
index 280b5526b..55c113614 100755
--- a/utils/aa-unconfined
+++ b/utils/aa-unconfined
@@ -21,6 +21,10 @@ import apparmor.aa as aa
 import apparmor.ui as ui
 import apparmor.common
 
+# setup exception handling
+from apparmor.fail import enable_aa_exception_handler
+enable_aa_exception_handler()
+
 # setup module translations
 from apparmor.translations import init_translation
 _ = init_translation()
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 36614ce8b..92a717424 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -41,7 +41,7 @@ from apparmor.aamode import (str_to_mode, mode_to_str, contains, split_mode,
                              flatten_mode, owner_flatten_mode)
 
 from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, RE_PROFILE_LINK,
-                            RE_PROFILE_CHANGE_PROFILE, RE_PROFILE_ALIAS, RE_PROFILE_RLIMIT,
+                            RE_PROFILE_ALIAS,
                             RE_PROFILE_BOOLEAN, RE_PROFILE_VARIABLE, RE_PROFILE_CONDITIONAL,
                             RE_PROFILE_CONDITIONAL_VARIABLE, RE_PROFILE_CONDITIONAL_BOOLEAN,
                             RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY,
@@ -49,12 +49,14 @@ from apparmor.regex import (RE_PROFILE_START, RE_PROFILE_END, RE_PROFILE_LINK,
                             RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS, RE_PROFILE_MOUNT,
                             RE_PROFILE_SIGNAL, RE_PROFILE_PTRACE, RE_PROFILE_PIVOT_ROOT,
                             RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, RE_HAS_COMMENT_SPLIT,
-                            strip_quotes, parse_profile_start_line )
+                            strip_quotes, parse_profile_start_line, re_match_include )
 
 import apparmor.rules as aarules
 
 from apparmor.rule.capability import CapabilityRuleset, CapabilityRule
+from apparmor.rule.change_profile import ChangeProfileRuleset, ChangeProfileRule
 from apparmor.rule.network    import NetworkRuleset,    NetworkRule
+from apparmor.rule.rlimit     import RlimitRuleset,    RlimitRule
 from apparmor.rule import parse_modifiers, quote_if_needed
 
 from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast
@@ -102,12 +104,6 @@ ALL = '\0ALL'
 t = hasher()  # dict()
 transitions = hasher()
 
-# keys used in aa[profile][hat]:
-# a) rules (as dict): alias, change_profile, include, lvar, rlimit
-# b) rules (as hasher): allow, deny
-# c) one for each rule class
-# d) other: declared, external, flags, name, profile, attachment, initial_comment,
-#           profile_keyword, header_comment (these two are currently only set by set_profile_flags())
 aa = hasher()  # Profiles originally in sd, replace by aa
 original_aa = hasher()
 extras = hasher()  # Inactive profiles from extras
@@ -283,6 +279,7 @@ def set_complain(filename, program):
     aaui.UI_Info(_('Setting %s to complain mode.') % (filename if program is None else program))
     # a force-complain symlink is more packaging-friendly, but breaks caching
     # create_symlink('force-complain', filename)
+    delete_symlink('disable', filename)
     change_profile_flags(filename, program, 'complain', True)
 
 def set_enforce(filename, program):
@@ -405,8 +402,35 @@ def get_inactive_profile(local_profile):
         return {local_profile: extras[local_profile]}
     return dict()
 
+def profile_storage():
+    # keys used in aa[profile][hat]:
+    # a) rules (as dict): alias, include, lvar
+    # b) rules (as hasher): allow, deny
+    # c) one for each rule class
+    # d) other: external, flags, name, profile, attachment, initial_comment,
+    #           profile_keyword, header_comment (these two are currently only set by set_profile_flags())
+
+    # Note that this function doesn't explicitely init all those keys (yet).
+    # It will be extended over time, with the final goal to get rid of hasher().
+
+    profile = hasher()
+
+    profile['capability']       = CapabilityRuleset()
+    profile['change_profile']   = ChangeProfileRuleset()
+    profile['network']          = NetworkRuleset()
+    profile['rlimit']           = RlimitRuleset()
+
+    profile['allow']['path'] = hasher()
+    profile['allow']['dbus'] = list()
+    profile['allow']['mount'] = list()
+    profile['allow']['signal'] = list()
+    profile['allow']['ptrace'] = list()
+    profile['allow']['pivot_root'] = list()
+
+    return profile
+
 def create_new_profile(localfile, is_stub=False):
-    local_profile = hasher()
+    local_profile = profile_storage()
     local_profile[localfile]['flags'] = 'complain'
     local_profile[localfile]['include']['abstractions/base'] = 1
 
@@ -652,8 +676,9 @@ def set_profile_flags(prof_filename, program, newflags):
     """Reads the old profile file and updates the flags accordingly"""
     # TODO: count the number of matching lines (separated by profile and hat?) and return it
     #       so that code calling this function can make sure to only report success if there was a match
-    # TODO: use RE_PROFILE_HAT_DEF for matching the hat (regex_hat_flag is totally broken!)
-    #regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$')
+    # TODO: existing (unrelated) flags of hats and child profiles are overwritten - ideally, we should
+    #       keep them and only add or remove a given flag
+    # TODO: change child profile flags even if program is specified
 
     found = False
 
@@ -680,14 +705,19 @@ def set_profile_flags(prof_filename, program, newflags):
                         }
                         line = write_header(header_data, len(space)/2, profile, False, True)
                         line = '%s\n' % line[0]
-                #else:
-                #    match = regex_hat_flag.search(line)
-                #    if match:
-                #        hat, flags = match.groups()[:2]
-                #        if newflags:
-                #            line = '%s flags=(%s) {%s\n' % (hat, newflags, comment)
-                #        else:
-                #            line = '%s {%s\n' % (hat, comment)
+                elif RE_PROFILE_HAT_DEF.search(line):
+                    matches = RE_PROFILE_HAT_DEF.search(line)
+                    space = matches.group('leadingspace') or ''
+                    hat_keyword = matches.group('hat_keyword')
+                    hat = matches.group('hat')
+                    comment = matches.group('comment') or ''
+                    if comment:
+                        comment = ' %s' % comment
+
+                    if newflags:
+                        line = '%s%s%s flags=(%s) {%s\n' % (space, hat_keyword, hat, newflags, comment)
+                    else:
+                        line = '%s%s%s {%s\n' % (space, hat_keyword, hat, comment)
                 f_out.write(line)
     os.rename(temp_file.name, prof_filename)
 
@@ -1433,7 +1463,7 @@ def handle_children(profile, hat, root):
                                 ynans = aaui.UI_YesNo(_('A profile for %s does not exist.\nDo you want to create one?') % exec_target, 'n')
                             if ynans == 'y':
                                 hat = exec_target
-                                aa[profile][hat]['declared'] = False
+                                # XXX do we need to init the profile here?
                                 aa[profile][hat]['profile'] = True
 
                                 if profile != hat:
@@ -1473,10 +1503,6 @@ def handle_children(profile, hat, root):
 
     return None
 
-PROFILE_MODE_RE = re.compile('r|w|l|m|k|a|ix|ux|px|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix')
-PROFILE_MODE_NT_RE = re.compile('r|w|l|m|k|a|x|ix|ux|px|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix')
-PROFILE_MODE_DENY_RE = re.compile('r|w|l|m|k|a|x')
-
 ##### Repo related functions
 
 def UI_SelectUpdatedRepoProfile(profile, p):
@@ -1534,6 +1560,7 @@ def order_globs(globs, path):
 def ask_the_questions():
     found = 0
     global seen_events
+    log_obj = hasher()
     for aamode in sorted(log_dict.keys()):
         # Describe the type of changes
         if aamode == 'PERMITTING':
@@ -1557,106 +1584,111 @@ def ask_the_questions():
                 hats = [profile] + hats
 
             for hat in hats:
+                log_obj[profile][hat] = profile_storage()
+
                 for capability in sorted(log_dict[aamode][profile][hat]['capability'].keys()):
-                    # skip if capability already in profile
-                    capability_obj = CapabilityRule(capability)
-                    if is_known_rule(aa[profile][hat], 'capability', capability_obj):
-                        continue
-                    # Load variables? Don't think so.
-                    severity = sev_db.rank('CAP_%s' % capability)
-                    default_option = 1
-                    options = []
-                    newincludes = match_includes(aa[profile][hat], 'capability', capability_obj)
-                    q = aaui.PromptQuestion()
+                    capability_obj = CapabilityRule(capability, log_event=aamode)
+                    log_obj[profile][hat]['capability'].add(capability_obj)
 
-                    if newincludes:
-                        options += list(map(lambda inc: '#include <%s>' % inc, sorted(set(newincludes))))
+                for family in sorted(log_dict[aamode][profile][hat]['netdomain'].keys()):
+                    for sock_type in sorted(log_dict[aamode][profile][hat]['netdomain'][family].keys()):
+                        network_obj = NetworkRule(family, sock_type, log_event=aamode)
+                        log_obj[profile][hat]['network'].add(network_obj)
 
-                    if options:
-                        options.append('capability %s' % capability)
+                for ruletype in ['capability', 'network']:
+                    # XXX aa-mergeprof also has this code - if you change it, keep aa-mergeprof in sync!
+                    for rule_obj in log_obj[profile][hat][ruletype].rules:
+
+                        if rule_obj.log_event != aamode:  # XXX does it really make sense to handle enforce and complain mode changes in different rounds?
+                            continue
+
+                        if is_known_rule(aa[profile][hat], ruletype, rule_obj):
+                            continue
+
+                        default_option = 1
+                        options = []
+                        newincludes = match_includes(aa[profile][hat], ruletype, rule_obj)
+                        q = aaui.PromptQuestion()
+                        if newincludes:
+                            options += list(map(lambda inc: '#include <%s>' % inc, sorted(set(newincludes))))
+
+                        options.append(rule_obj.get_clean())
                         q.options = options
                         q.selected = default_option - 1
 
-                    q.headers = [_('Profile'), combine_name(profile, hat)]
-                    q.headers += [_('Capability'), capability]
-                    q.headers += [_('Severity'), severity]
+                        seen_events += 1
 
-                    audit_toggle = 0
-                    audit = ''
+                        done = False
+                        while not done:
+                            q.headers = [_('Profile'), combine_name(profile, hat)]
+                            q.headers += rule_obj.logprof_header()
 
-                    q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
-                                      'CMD_ABORT', 'CMD_FINISHED']
+                            # Load variables into sev_db? Not needed/used for capabilities and network rules.
+                            severity = rule_obj.severity(sev_db)
+                            if severity != sev_db.NOT_IMPLEMENTED:
+                                q.headers += [_('Severity'), severity]
 
-                    # In complain mode: events default to allow
-                    # In enforce mode: events default to deny
-                    q.default = 'CMD_DENY'
-                    if aamode == 'PERMITTING':
-                        q.default = 'CMD_ALLOW'
+                            q.functions = available_buttons(rule_obj)
 
-                    seen_events += 1
+                            # In complain mode: events default to allow
+                            # In enforce mode: events default to deny
+                            # XXX does this behaviour really make sense, except for "historical reasons"[tm]?
+                            q.default = 'CMD_DENY'
+                            if rule_obj.log_event == 'PERMITTING':
+                                q.default = 'CMD_ALLOW'
 
-                    done = False
-                    while not done:
-                        ans, selected = q.promptUser()
+                            ans, selected = q.promptUser()
+                            if ans == 'CMD_IGNORE_ENTRY':
+                                done = True
+                                break
 
-                        if ans == 'CMD_FINISHED':
-                            save_profiles()
-                            return
+                            elif ans == 'CMD_FINISHED':
+                                return
 
-                        # Ignore the log entry
-                        if ans == 'CMD_IGNORE_ENTRY':
-                            done = True
-                            break
+                            elif ans.startswith('CMD_AUDIT'):
+                                if ans == 'CMD_AUDIT_NEW':
+                                    rule_obj.audit = True
+                                    rule_obj.raw_rule = None
+                                else:
+                                    rule_obj.audit = False
+                                    rule_obj.raw_rule = None
 
-                        if ans.startswith('CMD_AUDIT'):
-                            audit_toggle = not audit_toggle
-                            if audit_toggle:
-                                audit = 'audit '
-                                audit_cmd = 'CMD_AUDIT_OFF'
-                            else:
-                                audit = ''
-                                audit_cmd = 'CMD_AUDIT_NEW'
+                                options[len(options) - 1] = rule_obj.get_clean()
+                                q.options = options
 
-                            q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', audit_cmd,
-                                              'CMD_ABORT', 'CMD_FINISHED', ]
+                            elif ans == 'CMD_ALLOW':
+                                done = True
+                                changed[profile] = True
 
-                            q.headers = [_('Profile'), combine_name(profile, hat),
-                                            _('Capability'), audit + capability,
-                                            _('Severity'), severity]
-
-                        if ans == 'CMD_ALLOW':
-                            selection = ''
-                            if options:
                                 selection = options[selected]
-                            match = re_match_include(selection)
-                            if match:
-                                deleted = False
-                                inc = match  # .groups()[0]
-                                deleted = delete_duplicates(aa[profile][hat], inc)
-                                aa[profile][hat]['include'][inc] = True
 
-                                aaui.UI_Info(_('Adding %s to profile.') % selection)
-                                if deleted:
-                                    aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
+                                inc = re_match_include(selection)
+                                if inc:
+                                    deleted = delete_duplicates(aa[profile][hat], inc)
+
+                                    aa[profile][hat]['include'][inc] = True
+
+                                    aaui.UI_Info(_('Adding %s to profile.') % selection)
+                                    if deleted:
+                                        aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
+
+                                else:
+                                    aa[profile][hat][ruletype].add(rule_obj)
+
+                                    aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
+
+                            elif ans == 'CMD_DENY':
+                                done = True
+                                changed[profile] = True
+
+                                rule_obj.deny = True
+                                rule_obj.raw_rule = None  # reset raw rule after manually modifying rule_obj
+                                aa[profile][hat][ruletype].add(rule_obj)
+                                aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
 
                             else:
-                                capability_obj = CapabilityRule(capability, audit=audit)
-                                aa[profile][hat]['capability'].add(capability_obj)
-                                aaui.UI_Info(_('Adding capability %s to profile.') % capability)
-
-                            changed[profile] = True
-
-                            done = True
-
-                        elif ans == 'CMD_DENY':
-                            capability_obj = CapabilityRule(capability, audit=audit, deny=True)
-                            aa[profile][hat]['capability'].add(capability_obj)
-                            changed[profile] = True
-
-                            aaui.UI_Info(_('Denying capability %s to profile.') % capability)
-                            done = True
-                        else:
-                            done = False
+                                done = False
+                    # END of code (mostly) shared with aa-mergeprof
 
                 # Process all the path entries.
                 for path in sorted(log_dict[aamode][profile][hat]['path'].keys()):
@@ -1953,98 +1985,22 @@ def ask_the_questions():
                             elif re.search('\d', ans):
                                 default_option = ans
 
-                #
-                for family in sorted(log_dict[aamode][profile][hat]['netdomain'].keys()):
-                    # severity handling for net toggles goes here
-                    for sock_type in sorted(log_dict[aamode][profile][hat]['netdomain'][family].keys()):
-                        network_obj = NetworkRule(family, sock_type)
-                        if is_known_rule(aa[profile][hat], 'network', network_obj):
-                            continue
-                        default_option = 1
-                        options = []
-                        newincludes = match_includes(aa[profile][hat], 'network', network_obj)
-                        q = aaui.PromptQuestion()
-                        if newincludes:
-                            options += list(map(lambda s: '#include <%s>' % s, sorted(set(newincludes))))
-                        if options:
-                            options.append('network %s %s' % (family, sock_type))
-                            q.options = options
-                            q.selected = default_option - 1
+def available_buttons(rule_obj):
+    buttons = []
 
-                        q.headers = [_('Profile'), combine_name(profile, hat)]
-                        q.headers += [_('Network Family'), family]
-                        q.headers += [_('Socket Type'), sock_type]
+    if not rule_obj.deny:
+        buttons += ['CMD_ALLOW']
 
-                        audit_toggle = 0
-                        q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_AUDIT_NEW',
-                                          'CMD_ABORT', 'CMD_FINISHED']
-                        q.default = 'CMD_DENY'
+    buttons += ['CMD_DENY', 'CMD_IGNORE_ENTRY']
 
-                        if aamode == 'PERMITTING':
-                            q.default = 'CMD_ALLOW'
+    if rule_obj.audit:
+        buttons += ['CMD_AUDIT_OFF']
+    else:
+        buttons += ['CMD_AUDIT_NEW']
 
-                        seen_events += 1
+    buttons += ['CMD_ABORT', 'CMD_FINISHED']
 
-                        done = False
-                        while not done:
-                            ans, selected = q.promptUser()
-
-                            if ans == 'CMD_FINISHED':
-                                save_profiles()
-                                return
-
-                            if ans == 'CMD_IGNORE_ENTRY':
-                                done = True
-                                break
-
-                            if ans.startswith('CMD_AUDIT'):
-                                audit_toggle = not audit_toggle
-                                audit = ''
-                                if audit_toggle:
-                                    audit = 'audit'
-                                    q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_OFF',
-                                                      'CMD_ABORT', 'CMD_FINISHED']
-                                else:
-                                    q.functions = ['CMD_ALLOW', 'CMD_DENY', 'CMD_AUDIT_NEW',
-                                                      'CMD_ABORT', 'CMD_FINISHED']
-                                q.headers = [_('Profile'), combine_name(profile, hat)]
-                                q.headers += [_('Network Family'), audit + family]
-                                q.headers += [_('Socket Type'), sock_type]
-
-                            elif ans == 'CMD_ALLOW':
-                                if options:
-                                    selection = options[selected]
-                                else:
-                                    selection = 'network %s %s' % (family, sock_type)
-                                done = True
-                                if re_match_include(selection):  # re.search('#include\s+<.+>$', selection):
-                                    inc = re_match_include(selection)  # re.search('#include\s+<(.+)>$', selection).groups()[0]
-                                    deleted = 0
-                                    deleted = delete_duplicates(aa[profile][hat], inc)
-
-                                    aa[profile][hat]['include'][inc] = True
-
-                                    changed[profile] = True
-
-                                    aaui.UI_Info(_('Adding %s to profile') % selection)
-                                    if deleted:
-                                        aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
-
-                                else:
-                                    aa[profile][hat]['network'].add(NetworkRule(family, sock_type, audit=audit_toggle))
-
-                                    changed[profile] = True
-
-                                    aaui.UI_Info(_('Adding network access %(family)s %(type)s to profile.') % { 'family': family, 'type': sock_type })
-
-                            elif ans == 'CMD_DENY':
-                                done = True
-                                aa[profile][hat]['network'].add(NetworkRule(family, sock_type, audit=audit_toggle, deny=True))
-                                changed[profile] = True
-                                aaui.UI_Info(_('Denying network access %(family)s %(type)s to profile') % { 'family': family, 'type': sock_type })
-
-                            else:
-                                done = False
+    return buttons
 
 def add_to_options(options, newpath):
     if newpath not in options:
@@ -2123,33 +2079,24 @@ def delete_duplicates(profile, incname):
     # Allow rules covered by denied rules shouldn't be deleted
     # only a subset allow rules may actually be denied
 
+    ruletypes = ['capability', 'change_profile', 'network', 'rlimit']
+
     if include.get(incname, False):
-        deleted += profile['network'].delete_duplicates(include[incname][incname]['network'])
-        deleted += profile['capability'].delete_duplicates(include[incname][incname]['capability'])
+        for rule_type in ruletypes:
+            deleted += profile[rule_type].delete_duplicates(include[incname][incname][rule_type])
 
         deleted += delete_path_duplicates(profile, incname, 'allow')
         deleted += delete_path_duplicates(profile, incname, 'deny')
 
     elif filelist.get(incname, False):
-        deleted += profile['network'].delete_duplicates(filelist[incname][incname]['network'])
-        deleted += profile['capability'].delete_duplicates(filelist[incname][incname]['capability'])
+        for rule_type in ruletypes:
+            deleted += profile[rule_type].delete_duplicates(filelist[incname][incname][rule_type])
 
         deleted += delete_path_duplicates(profile, incname, 'allow')
         deleted += delete_path_duplicates(profile, incname, 'deny')
 
     return deleted
 
-def match_net_include(incname, family, type):
-    # still used by aa-mergeprof
-    network_obj = NetworkRule(family, type)
-    return match_includes(incname, 'network', network_obj)
-
-
-def match_cap_includes(profile, capability):
-    # still used by aa-mergeprof
-    capability_obj = CapabilityRule(capability)
-    return match_includes(profile, 'capability', capability_obj)
-
 def match_includes(profile, rule_type, rule_obj):
     newincludes = []
     for incname in include.keys():
@@ -2159,15 +2106,6 @@ def match_includes(profile, rule_type, rule_obj):
 
     return newincludes
 
-def re_match_include(path):
-    """Matches the path for include and returns the include path"""
-    regex_include = re.compile('^\s*#?include\s*<(.*)>\s*(#.*)?$')
-    match = regex_include.search(path)
-    if match:
-        return match.groups()[0]
-    else:
-        return None
-
 def valid_include(profile, incname):
     if profile and profile['include'].get(incname, False):
         return False
@@ -2182,15 +2120,6 @@ def valid_include(profile, incname):
 
     return False
 
-def match_net_includes(profile, family, nettype):
-    newincludes = []
-    for incname in include.keys():
-
-        if valid_include(profile, incname) and match_net_include(incname, family, nettype):
-            newincludes.append(incname)
-
-    return newincludes
-
 def set_logfile(filename):
     ''' set logfile to a) the specified filename or b) if not given, the first existing logfile from logprof.conf'''
 
@@ -2493,25 +2422,18 @@ def collapse_log():
                         if not is_known_rule(aa[profile][hat], 'network', NetworkRule(family, sock_type)):
                             log_dict[aamode][profile][hat]['netdomain'][family][sock_type] = True
 
+PROFILE_MODE_RE      = re.compile('^(r|w|l|m|k|a|ix|ux|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix)+$')
+PROFILE_MODE_DENY_RE = re.compile('^(r|w|l|m|k|a|x)+$')
 
 def validate_profile_mode(mode, allow, nt_name=None):
     if allow == 'deny':
-        pattern = '^(%s)+$' % PROFILE_MODE_DENY_RE.pattern
-        if re.search(pattern, mode):
-            return True
-        else:
-            return False
-
-    elif nt_name:
-        pattern = '^(%s)+$' % PROFILE_MODE_NT_RE.pattern
-        if re.search(pattern, mode):
+        if PROFILE_MODE_DENY_RE.search(mode):
             return True
         else:
             return False
 
     else:
-        pattern = '^(%s)+$' % PROFILE_MODE_RE.pattern
-        if re.search(pattern, mode):
+        if PROFILE_MODE_RE.search(mode):
             return True
         else:
             return False
@@ -2638,6 +2560,8 @@ def parse_profile_data(data, file, do_include):
     if do_include:
         profile = file
         hat = file
+        profile_data[profile][hat] = profile_storage()
+
     for lineno, line in enumerate(data):
         line = line.strip()
         if not line:
@@ -2649,6 +2573,13 @@ def parse_profile_data(data, file, do_include):
         # Starting line of a profile
         if RE_PROFILE_START.search(line):
             (profile, hat, attachment, flags, in_contained_hat, pps_set_profile, pps_set_hat_external) = parse_profile_start(line, file, lineno, profile, hat)
+
+            if profile_data[profile].get(hat, False):
+                raise AppArmorException('Profile %(profile)s defined twice in %(file)s, last found in line %(line)s' %
+                    { 'file': file, 'line': lineno + 1, 'profile': combine_name(profile, hat) })
+
+            profile_data[profile][hat] = profile_storage()
+
             if attachment:
                 profile_data[profile][hat]['attachment'] = attachment
             if pps_set_profile:
@@ -2666,13 +2597,6 @@ def parse_profile_data(data, file, do_include):
 
             profile_data[profile][hat]['flags'] = flags
 
-            profile_data[profile][hat]['network'] = NetworkRuleset()
-            profile_data[profile][hat]['allow']['path'] = hasher()
-            profile_data[profile][hat]['allow']['dbus'] = list()
-            profile_data[profile][hat]['allow']['mount'] = list()
-            profile_data[profile][hat]['allow']['signal'] = list()
-            profile_data[profile][hat]['allow']['ptrace'] = list()
-            profile_data[profile][hat]['allow']['pivot_root'] = list()
             # Save the initial comment
             if initial_comment:
                 profile_data[profile][hat]['initial_comment'] = initial_comment
@@ -2683,10 +2607,6 @@ def parse_profile_data(data, file, do_include):
                 profile_data[profile][profile]['repo']['url'] = repo_data['url']
                 profile_data[profile][profile]['repo']['user'] = repo_data['user']
 
-            # init rule classes (if not done yet)
-            if not profile_data[profile][hat].get('capability', False):
-                profile_data[profile][hat]['capability'] = CapabilityRuleset()
-
         elif RE_PROFILE_END.search(line):
             # If profile ends and we're not in one
             if not profile:
@@ -2705,10 +2625,6 @@ def parse_profile_data(data, file, do_include):
             if not profile:
                 raise AppArmorException(_('Syntax Error: Unexpected capability entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
 
-            # init rule class (if not done yet)
-            if not profile_data[profile][hat].get('capability', False):
-                profile_data[profile][hat]['capability'] = CapabilityRuleset()
-
             profile_data[profile][hat]['capability'].add(CapabilityRule.parse(line))
 
         elif RE_PROFILE_LINK.search(line):
@@ -2739,14 +2655,11 @@ def parse_profile_data(data, file, do_include):
             else:
                 profile_data[profile][hat][allow]['link'][link]['audit'] = set()
 
-        elif RE_PROFILE_CHANGE_PROFILE.search(line):
-            matches = RE_PROFILE_CHANGE_PROFILE.search(line).groups()
-
+        elif ChangeProfileRule.match(line):
             if not profile:
                 raise AppArmorException(_('Syntax Error: Unexpected change profile entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
 
-            cp = strip_quotes(matches[0])
-            profile_data[profile][hat]['change_profile'][cp] = True
+            profile_data[profile][hat]['change_profile'].add(ChangeProfileRule.parse(line))
 
         elif RE_PROFILE_ALIAS.search(line):
             matches = RE_PROFILE_ALIAS.search(line).groups()
@@ -2761,22 +2674,18 @@ def parse_profile_data(data, file, do_include):
                     filelist[file] = hasher()
                 filelist[file]['alias'][from_name] = to_name
 
-        elif RE_PROFILE_RLIMIT.search(line):
-            matches = RE_PROFILE_RLIMIT.search(line).groups()
-
+        elif RlimitRule.match(line):
             if not profile:
                 raise AppArmorException(_('Syntax Error: Unexpected rlimit entry found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
 
-            from_name = matches[0]
-            to_name = matches[2]
-
-            profile_data[profile][hat]['rlimit'][from_name] = to_name
+            profile_data[profile][hat]['rlimit'].add(RlimitRule.parse(line))
 
         elif RE_PROFILE_BOOLEAN.search(line):
-            matches = RE_PROFILE_BOOLEAN.search(line)
+            matches = RE_PROFILE_BOOLEAN.search(line).groups()
 
-            if not profile:
-                raise AppArmorException(_('Syntax Error: Unexpected boolean definition found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
+            if profile and not do_include:
+                raise AppArmorException(_('Syntax Error: Unexpected boolean definition found inside profile in file: %(file)s line: %(line)s') % {
+                        'file': file, 'line': lineno + 1 })
 
             bool_var = matches[0]
             value = matches[1]
@@ -2902,15 +2811,9 @@ def parse_profile_data(data, file, do_include):
                 filelist[file]['include'][include_name] = True
             # If include is a directory
             if os.path.isdir(profile_dir + '/' + include_name):
-                for path in os.listdir(profile_dir + '/' + include_name):
-                    path = path.strip()
-                    if is_skippable_file(path):
-                        continue
-                    if os.path.isfile(profile_dir + '/' + include_name + '/' + path):
-                        file_name = include_name + '/' + path
-                        file_name = file_name.replace(profile_dir + '/', '')
-                        if not include.get(file_name, False):
-                            load_include(file_name)
+                for file_name in include_dir_filelist(profile_dir, include_name):
+                    if not include.get(file_name, False):
+                        load_include(file_name)
             else:
                 if not include.get(include_name, False):
                     load_include(include_name)
@@ -3064,11 +2967,8 @@ def parse_profile_data(data, file, do_include):
             if not profile:
                 raise AppArmorException(_('Syntax Error: Unexpected change hat declaration found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 })
 
-            hat = matches[0]
-            hat = strip_quotes(hat)
-
-            if not profile_data[profile][hat].get('declared', False):
-                profile_data[profile][hat]['declared'] = True
+            aaui.UI_Important(_('Ignoring no longer supported change hat declaration "^%(hat)s," found in file: %(file)s line: %(line)s') % {
+                    'hat': matches[0], 'file': file, 'line': lineno + 1 })
 
         elif RE_PROFILE_HAT_DEF.search(line):
             # An embedded hat syntax definition starts
@@ -3079,12 +2979,15 @@ def parse_profile_data(data, file, do_include):
             in_contained_hat = True
             hat = matches.group('hat')
             hat = strip_quotes(hat)
+
+            # if hat is already known, the filelist check some lines below will error out.
+            # nevertheless, just to be sure, don't overwrite existing profile_data.
+            if not profile_data[profile].get(hat, False):
+                profile_data[profile][hat] = profile_storage()
+
             flags = matches.group('flags')
 
             profile_data[profile][hat]['flags'] = flags
-            profile_data[profile][hat]['declared'] = False
-            #profile_data[profile][hat]['allow']['path'] = hasher()
-            #profile_data[profile][hat]['allow']['netdomain'] = hasher()
 
             if initial_comment:
                 profile_data[profile][hat]['initial_comment'] = initial_comment
@@ -3129,7 +3032,7 @@ def parse_profile_data(data, file, do_include):
                 if re.search(hatglob, parsed_prof):
                     for hat in cfg['required_hats'][hatglob].split():
                         if not profile_data[parsed_prof].get(hat, False):
-                            profile_data[parsed_prof][hat] = hasher()
+                            profile_data[parsed_prof][hat] = profile_storage()
 
     # End of file reached but we're stuck in a profile
     if profile and not do_include:
@@ -3291,13 +3194,19 @@ def write_includes(prof_data, depth):
     return write_single(prof_data, depth, '', 'include', '#include <', '>')
 
 def write_change_profile(prof_data, depth):
-    return write_single(prof_data, depth, '', 'change_profile', 'change_profile -> ', ',')
+    data = []
+    if prof_data.get('change_profile', False):
+        data = prof_data['change_profile'].get_clean(depth)
+    return data
 
 def write_alias(prof_data, depth):
     return write_pair(prof_data, depth, '', 'alias', 'alias ', ' -> ', ',', quote_if_needed)
 
 def write_rlimits(prof_data, depth):
-    return write_pair(prof_data, depth, '', 'rlimit', 'set rlimit ', ' <= ', ',', quote_if_needed)
+    data = []
+    if prof_data.get('rlimit', False):
+        data = prof_data['rlimit'].get_clean(depth)
+    return data
 
 def var_transform(ref):
     data = []
@@ -3542,15 +3451,11 @@ def write_piece(profile_data, depth, name, nhat, write_flags):
     data += write_rules(profile_data[name], depth + 1)
 
     pre2 = '  ' * (depth + 1)
-    # External hat declarations
-    for hat in list(filter(lambda x: x != name, sorted(profile_data.keys()))):
-        if profile_data[hat].get('declared', False):
-            data.append('%s^%s,' % (pre2, hat))
 
     if not inhat:
         # Embedded hats
         for hat in list(filter(lambda x: x != name, sorted(profile_data.keys()))):
-            if not profile_data[hat]['external'] and not profile_data[hat]['declared']:
+            if not profile_data[hat]['external']:
                 data.append('')
                 if profile_data[hat]['profile']:
                     data += list(map(str, write_header(profile_data[hat], depth + 1, hat, True, write_flags)))
@@ -3799,7 +3704,7 @@ def serialize_profile_from_old_profile(profile_data, name, options):
                     depth = int((len(line) - len(line.lstrip())) / 2)
                     pre2 = '  ' * (depth + 1)
                     for hat in list(filter(lambda x: x != name, sorted(profile_data.keys()))):
-                        if not profile_data[hat]['external'] and not profile_data[hat]['declared']:
+                        if not profile_data[hat]['external']:
                             data.append('')
                             if profile_data[hat]['profile']:
                                 data += list(map(str, write_header(profile_data[hat], depth + 1, hat, True, include_flags)))
@@ -3866,22 +3771,14 @@ def serialize_profile_from_old_profile(profile_data, name, options):
                     # To-Do
                     pass
 
-            elif RE_PROFILE_CHANGE_PROFILE.search(line):
-                matches = RE_PROFILE_CHANGE_PROFILE.search(line).groups()
-                cp = strip_quotes(matches[0])
-
-                if not write_prof_data[hat]['change_profile'][cp] is True:
-                    correct = False
-
-                if correct:
+            elif ChangeProfileRule.match(line):
+                change_profile_obj = ChangeProfileRule.parse(line)
+                if write_prof_data[hat]['change_profile'].is_covered(change_profile_obj, True, True):
                     if not segments['change_profile'] and True in segments.values():
                         data += write_prior_segments(write_prof_data[name], segments, line)
                     segments['change_profile'] = True
-                    write_prof_data[hat]['change_profile'].pop(cp)
+                    write_prof_data[hat]['change_profile'].delete(change_profile_obj)
                     data.append(line)
-                else:
-                    #To-Do
-                    pass
 
             elif RE_PROFILE_ALIAS.search(line):
                 matches = RE_PROFILE_ALIAS.search(line).groups()
@@ -3909,20 +3806,14 @@ def serialize_profile_from_old_profile(profile_data, name, options):
                     #To-Do
                     pass
 
-            elif RE_PROFILE_RLIMIT.search(line):
-                matches = RE_PROFILE_RLIMIT.search(line).groups()
+            elif RlimitRule.match(line):
+                rlimit_obj = RlimitRule.parse(line)
 
-                from_name = matches[0]
-                to_name = matches[2]
-
-                if not write_prof_data[hat]['rlimit'][from_name] == to_name:
-                    correct = False
-
-                if correct:
+                if write_prof_data[hat]['rlimit'].is_covered(rlimit_obj, True, True):
                     if not segments['rlimit'] and True in segments.values():
                         data += write_prior_segments(write_prof_data[name], segments, line)
                     segments['rlimit'] = True
-                    write_prof_data[hat]['rlimit'].pop(from_name)
+                    write_prof_data[hat]['rlimit'].delete(rlimit_obj)
                     data.append(line)
                 else:
                     #To-Do
@@ -4073,16 +3964,9 @@ def serialize_profile_from_old_profile(profile_data, name, options):
                     data.append(line)
 
             elif RE_PROFILE_CHANGE_HAT.search(line):
-                matches = RE_PROFILE_CHANGE_HAT.search(line).groups()
-                hat = matches[0]
-                hat = strip_quotes(hat)
-                if not write_prof_data[hat]['declared']:
-                    correct = False
-                if correct:
-                    data.append(line)
-                else:
-                    #To-Do
-                    pass
+                # "^hat," declarations are no longer supported, ignore them and don't write out the line
+                # (parse_profile_data() already prints a warning about that)
+                pass
             elif RE_PROFILE_HAT_DEF.search(line):
                 matches = RE_PROFILE_HAT_DEF.search(line)
                 in_contained_hat = True
@@ -4092,8 +3976,6 @@ def serialize_profile_from_old_profile(profile_data, name, options):
 
                 if not write_prof_data[hat]['flags'] == flags:
                     correct = False
-                if not write_prof_data[hat]['declared'] is False:
-                    correct = False
                 if not write_filelist['profile'][profile][hat]:
                     correct = False
                 if correct:
@@ -4202,6 +4084,7 @@ def reload_base(bin_path):
 
     prof_filename = get_profile_filename(bin_path)
 
+    # XXX use reload_profile() from tools.py instead (and don't hide output in /dev/null)
     subprocess.call("cat '%s' | %s -I%s -r >/dev/null 2>&1" % (prof_filename, parser, profile_dir), shell=True)
 
 def reload(bin_path):
@@ -4221,6 +4104,20 @@ def get_include_data(filename):
         raise AppArmorException(_('File Not Found: %s') % filename)
     return data
 
+def include_dir_filelist(profile_dir, include_name):
+    '''returns a list of files in the given profile_dir/include_name directory, except skippable files'''
+    files = []
+    for path in os.listdir(profile_dir + '/' + include_name):
+        path = path.strip()
+        if is_skippable_file(path):
+            continue
+        if os.path.isfile(profile_dir + '/' + include_name + '/' + path):
+            file_name = include_name + '/' + path
+            file_name = file_name.replace(profile_dir + '/', '')
+            files.append(file_name)
+
+    return files
+
 def load_include(incname):
     load_includeslist = [incname]
     if include.get(incname, {}).get(incname, False):
diff --git a/utils/apparmor/cleanprofile.py b/utils/apparmor/cleanprofile.py
index 66ccd845e..71abc7b6a 100644
--- a/utils/apparmor/cleanprofile.py
+++ b/utils/apparmor/cleanprofile.py
@@ -11,15 +11,14 @@
 #    GNU General Public License for more details.
 #
 # ----------------------------------------------------------------------
-import re
-
-import apparmor
+import apparmor.aa as apparmor
+from apparmor.regex import re_match_include
 
 class Prof(object):
     def __init__(self, filename):
-        self.aa = apparmor.aa.aa
-        self.filelist = apparmor.aa.filelist
-        self.include = apparmor.aa.include
+        self.aa = apparmor.aa
+        self.filelist = apparmor.filelist
+        self.include = apparmor.include
         self.filename = filename
 
 class CleanProf(object):
@@ -48,7 +47,7 @@ class CleanProf(object):
         #Process every hat in the profile individually
         file_includes = list(self.profile.filelist[self.profile.filename]['include'].keys())
         deleted = 0
-        for hat in self.profile.aa[program].keys():
+        for hat in sorted(self.profile.aa[program].keys()):
             #The combined list of includes from profile and the file
             includes = list(self.profile.aa[program][hat]['include'].keys()) + file_includes
 
@@ -61,8 +60,8 @@ class CleanProf(object):
             #Clean up superfluous rules from includes in the other profile
             for inc in includes:
                 if not self.profile.include.get(inc, {}).get(inc, False):
-                    apparmor.aa.load_include(inc)
-                deleted += apparmor.aa.delete_duplicates(self.other.aa[program][hat], inc)
+                    apparmor.load_include(inc)
+                deleted += apparmor.delete_duplicates(self.other.aa[program][hat], inc)
 
             #Clean duplicate rules in other profile
             if not self.same_file:
@@ -76,7 +75,7 @@ class CleanProf(object):
             deleted += delete_path_duplicates(self.profile.aa[program][hat], self.other.aa[program][hat], 'allow', self.same_file)
             deleted += delete_path_duplicates(self.profile.aa[program][hat], self.other.aa[program][hat], 'deny', self.same_file)
 
-            return deleted
+        return deleted
 
 def delete_path_duplicates(profile, profile_other, allow, same_profile=True):
     deleted = []
@@ -88,19 +87,19 @@ def delete_path_duplicates(profile, profile_other, allow, same_profile=True):
                 cm = profile[allow]['path'][rule]['mode']
                 am = profile[allow]['path'][rule]['audit']
                 # If modes of rule are a superset of rules implied by entry we can safely remove it
-                if apparmor.aa.mode_contains(cm, profile_other[allow]['path'][entry]['mode']) and apparmor.aa.mode_contains(am, profile_other[allow]['path'][entry]['audit']):
+                if apparmor.mode_contains(cm, profile_other[allow]['path'][entry]['mode']) and apparmor.mode_contains(am, profile_other[allow]['path'][entry]['audit']):
                     if not same_profile:
                         deleted.append(entry)
                 continue
-            if re.search('#?\s*include', rule) or re.search('#?\s*include', entry):
+            if re_match_include(rule) or re_match_include(entry):
                 continue
             # Check if the rule implies entry
-            if apparmor.aa.matchliteral(rule, entry):
+            if apparmor.matchliteral(rule, entry):
                 # Check the modes
                 cm = profile[allow]['path'][rule]['mode']
                 am = profile[allow]['path'][rule]['audit']
                 # If modes of rule are a superset of rules implied by entry we can safely remove it
-                if apparmor.aa.mode_contains(cm, profile_other[allow]['path'][entry]['mode']) and apparmor.aa.mode_contains(am, profile_other[allow]['path'][entry]['audit']):
+                if apparmor.mode_contains(cm, profile_other[allow]['path'][entry]['mode']) and apparmor.mode_contains(am, profile_other[allow]['path'][entry]['audit']):
                     deleted.append(entry)
 
     for entry in deleted:
diff --git a/utils/apparmor/fail.py b/utils/apparmor/fail.py
new file mode 100644
index 000000000..19e4491d6
--- /dev/null
+++ b/utils/apparmor/fail.py
@@ -0,0 +1,53 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2015 Christian Boltz <apparmor@cboltz.de>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+import cgitb
+import os
+import sys
+import tempfile
+import traceback
+
+#
+# Exception handling
+#
+def handle_exception(*exc_info):
+    '''Used as exception handler in the aa-* tools.
+       For AppArmorException (used for profile syntax errors etc.), print only the exceptions
+       value because a backtrace is superfluous and would confuse users.
+       For other exceptions, print backtrace and save detailed information in a file in /tmp/
+       (including variable content etc.) to make debugging easier.
+    '''
+    (ex_cls, ex, tb) = exc_info
+
+    if ex_cls.__name__  == 'AppArmorException':  # I didn't find a way to get this working with isinstance() :-/
+        print('')
+        print(ex.value)
+    else:
+        (fd, path) = tempfile.mkstemp(prefix='apparmor-bugreport-', suffix='.txt')
+        file = os.fdopen(fd, 'w')
+        #file = open_file_write(path)  # writes everything converted to utf8 - not sure if we want this...
+
+        cgitb_hook = cgitb.Hook(display=1, file=file, format='text', context=10)
+        cgitb_hook.handle(exc_info)
+
+        file.write('Please consider reporting a bug at https://bugs.launchpad.net/apparmor/\n')
+        file.write('and attach this file.\n')
+
+        print(''.join(traceback.format_exception(*exc_info)))
+        print('')
+        print('An unexpected error occoured!')
+        print('')
+        print('For details, see %s' % path)
+        print('Please consider reporting a bug at https://bugs.launchpad.net/apparmor/')
+        print('and attach this file.')
+
+def enable_aa_exception_handler():
+    '''Setup handle_exception() as exception handler'''
+    sys.excepthook = handle_exception
diff --git a/utils/apparmor/regex.py b/utils/apparmor/regex.py
index d164b3664..f038a5a0e 100644
--- a/utils/apparmor/regex.py
+++ b/utils/apparmor/regex.py
@@ -32,9 +32,8 @@ RE_PROFILE_PATH         = '(?P<%s>(/\S+|"/[^"]+"))'  # filename (starting with '
 RE_PROFILE_END          = re.compile('^\s*\}' + RE_EOL)
 RE_PROFILE_CAP          = re.compile(RE_AUDIT_DENY + 'capability(?P<capability>(\s+\S+)+)?' + RE_COMMA_EOL)
 RE_PROFILE_LINK         = re.compile(RE_AUDIT_DENY + 'link\s+(((subset)|(<=))\s+)?([\"\@\/].*?"??)\s+->\s*([\"\@\/].*?"??)' + RE_COMMA_EOL)
-RE_PROFILE_CHANGE_PROFILE = re.compile('^\s*change_profile\s+->\s*("??.+?"??)' + RE_COMMA_EOL)
 RE_PROFILE_ALIAS        = re.compile('^\s*alias\s+("??.+?"??)\s+->\s*("??.+?"??)' + RE_COMMA_EOL)
-RE_PROFILE_RLIMIT       = re.compile('^\s*set\s+rlimit\s+(.+)\s+(<=)?\s*(.+)' + RE_COMMA_EOL)
+RE_PROFILE_RLIMIT       = re.compile('^\s*set\s+rlimit\s+(?P<rlimit>[a-z]+)\s*<=\s*(?P<value>[^ ]+)' + RE_COMMA_EOL)
 RE_PROFILE_BOOLEAN      = re.compile('^\s*(\$\{?\w*\}?)\s*=\s*(true|false)\s*,?' + RE_EOL, flags=re.IGNORECASE)
 RE_PROFILE_VARIABLE     = re.compile('^\s*(@\{?\w+\}?)\s*(\+?=)\s*(@*.+?)\s*,?' + RE_EOL)
 RE_PROFILE_CONDITIONAL  = re.compile('^\s*if\s+(not\s+)?(\$\{?\w*\}?)\s*\{' + RE_EOL)
@@ -44,7 +43,7 @@ RE_PROFILE_BARE_FILE_ENTRY = re.compile(RE_AUDIT_DENY + RE_OWNER + 'file' + RE_C
 RE_PROFILE_PATH_ENTRY   = re.compile(RE_AUDIT_DENY + RE_OWNER + '(file\s+)?([\"@/].*?)\s+(\S+)(\s+->\s*(.*?))?' + RE_COMMA_EOL)
 RE_PROFILE_NETWORK      = re.compile(RE_AUDIT_DENY + 'network(?P<details>\s+.*)?' + RE_COMMA_EOL)
 RE_PROFILE_CHANGE_HAT   = re.compile('^\s*\^(\"??.+?\"??)' + RE_COMMA_EOL)
-RE_PROFILE_HAT_DEF      = re.compile('^\s*(\^|hat\s+)(?P<hat>\"??.+?\"??)\s+((flags=)?\((?P<flags>.+)\)\s+)*\{' + RE_EOL)
+RE_PROFILE_HAT_DEF      = re.compile('^(?P<leadingspace>\s*)(?P<hat_keyword>\^|hat\s+)(?P<hat>\"??.+?\"??)\s+((flags=)?\((?P<flags>.+)\)\s+)*\{' + RE_EOL)
 RE_PROFILE_DBUS         = re.compile(RE_AUDIT_DENY + '(dbus\s*,|dbus\s+[^#]*\s*,)' + RE_EOL)
 RE_PROFILE_MOUNT        = re.compile(RE_AUDIT_DENY + '((mount|remount|umount|unmount)(\s+[^#]*)?\s*,)' + RE_EOL)
 RE_PROFILE_SIGNAL       = re.compile(RE_AUDIT_DENY + '(signal\s*,|signal\s+[^#]*\s*,)' + RE_EOL)
@@ -69,9 +68,19 @@ RE_PROFILE_START          = re.compile(
         '|' + # or
         '(' + 'profile' + '\s+' + RE_PROFILE_NAME % 'namedprofile' + '(\s+' + RE_PROFILE_PATH % 'attachment' + ')?' + ')' + # 'profile', profile name, optionally attachment
     ')' +
-    '\s+((flags=)?\((?P<flags>.+)\)\s+)?\{' +
+    '\s+((flags\s*=\s*)?\((?P<flags>.+)\)\s*)?\{' +
     RE_EOL)
 
+
+RE_PROFILE_CHANGE_PROFILE = re.compile(
+    RE_AUDIT_DENY +
+    'change_profile' +
+    '(\s+' + RE_PROFILE_PATH % 'execcond' + ')?' +  # optionally exec condition
+    '(\s+->\s*' + RE_PROFILE_NAME % 'targetprofile' + ')?' +  # optionally '->' target profile
+    RE_COMMA_EOL)
+
+
+
 def parse_profile_start_line(line, filename):
     matches = RE_PROFILE_START.search(line)
 
@@ -103,6 +112,21 @@ def parse_profile_start_line(line, filename):
     return result
 
 
+RE_INCLUDE = re.compile('^\s*#?include\s*<(?P<magicpath>.*)>' + RE_EOL)
+
+def re_match_include(line):
+    """Matches the path for include and returns the include path"""
+    matches = RE_INCLUDE.search(line)
+
+    if not matches:
+        return None
+
+    if not matches.group('magicpath').strip():
+        raise AppArmorException(_('Syntax error: #include rule with empty filename'))
+
+    return matches.group('magicpath')
+
+
 def strip_quotes(data):
     if data[0] + data[-1] == '""':
         return data[1:-1]
diff --git a/utils/apparmor/rule/__init__.py b/utils/apparmor/rule/__init__.py
index 517c889c9..3150600dd 100644
--- a/utils/apparmor/rule/__init__.py
+++ b/utils/apparmor/rule/__init__.py
@@ -135,6 +135,42 @@ class BaseRule(object):
         '''compare if rule-specific variables are equal'''
         raise AppArmorBug("'%s' needs to implement is_equal_localvars(), but didn't" % (str(self)))
 
+    def severity(self, sev_db):
+        '''return severity of this rule, which can be:
+           - a number between 0 and 10, where 0 means harmless and 10 means critical,
+           - "unknown" (to be exact: the value specified for "unknown" as set when loading the severity database), or
+           - sev_db.NOT_IMPLEMENTED if no severity check is implemented for this rule type.
+           sev_db must be an apparmor.severity.Severity object.'''
+        return sev_db.NOT_IMPLEMENTED
+
+    def logprof_header(self):
+        '''return the headers (human-readable version of the rule) to display in aa-logprof for this rule object
+           returns {'label1': 'value1', 'label2': 'value2'} '''
+
+        headers = []
+        qualifier = []
+
+        if self.audit:
+            qualifier += ['audit']
+
+        if self.deny:
+            qualifier += ['deny']
+        elif self.allow_keyword:
+            qualifier += ['allow']
+
+        if qualifier:
+            headers += [_('Qualifier'), ' '.join(qualifier)]
+
+        headers += self.logprof_header_localvars()
+
+        return headers
+
+    # @abstractmethod  FIXME - uncomment when python3 only
+    def logprof_header_localvars(self):
+        '''return the headers (human-readable version of the rule) to display in aa-logprof for this rule object
+           returns {'label1': 'value1', 'label2': 'value2'} '''
+        raise AppArmorBug("'%s' needs to implement logprof_header(), but didn't" % (str(self)))
+
     def modifiers_str(self):
         '''return the allow/deny and audit keyword as string, including whitespace'''
 
@@ -290,6 +326,14 @@ class BaseRuleset(object):
         raise AppArmorBug("get_glob_ext is not available for this rule type!")
 
 
+def parse_comment(matches):
+    '''returns the comment (with a leading space) from the matches object'''
+    comment = ''
+    if matches.group('comment'):
+        # include a space so that we don't need to add it everywhere when writing the rule
+        comment = ' %s' % matches.group('comment')
+    return comment
+
 def parse_modifiers(matches):
     '''returns audit, deny, allow_keyword and comment from the matches object
        - audit, deny and allow_keyword are True/False
@@ -310,10 +354,7 @@ def parse_modifiers(matches):
         else:
             raise AppArmorBug("Invalid allow/deny keyword %s" % allowstr)
 
-    comment = ''
-    if matches.group('comment'):
-        # include a space so that we don't need to add it everywhere when writing the rule
-        comment = ' %s' % matches.group('comment')
+    comment = parse_comment(matches)
 
     return (audit, deny, allow_keyword, comment)
 
diff --git a/utils/apparmor/rule/capability.py b/utils/apparmor/rule/capability.py
index 85f1de048..6439ac001 100644
--- a/utils/apparmor/rule/capability.py
+++ b/utils/apparmor/rule/capability.py
@@ -126,6 +126,31 @@ class CapabilityRule(BaseRule):
 
         return True
 
+    def severity(self, sev_db):
+        if self.all_caps:
+            severity = sev_db.rank_capability('__ALL__')
+        else:
+            severity = -1
+            for cap in self.capability:
+                sev = sev_db.rank_capability(cap)
+                if isinstance(sev, int):  # type check avoids breakage caused by 'unknown'
+                    severity = max(severity, sev)
+
+        if severity == -1:
+            severity = sev  # effectively 'unknown'
+
+        return severity
+
+    def logprof_header_localvars(self):
+        if self.all_caps:
+            cap_txt = _('ALL')
+        else:
+            cap_txt = ' '.join(sorted(self.capability))
+
+        return [
+            _('Capability'), cap_txt,
+        ]
+
 
 class CapabilityRuleset(BaseRuleset):
     '''Class to handle and store a collection of capability rules'''
diff --git a/utils/apparmor/rule/change_profile.py b/utils/apparmor/rule/change_profile.py
new file mode 100644
index 000000000..8fd146b5f
--- /dev/null
+++ b/utils/apparmor/rule/change_profile.py
@@ -0,0 +1,187 @@
+#!/usr/bin/env python
+# ----------------------------------------------------------------------
+#    Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
+#    Copyright (C) 2015 Christian Boltz <apparmor@cboltz.de>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License as published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+# ----------------------------------------------------------------------
+
+from apparmor.regex import RE_PROFILE_CHANGE_PROFILE, strip_quotes
+from apparmor.common import AppArmorBug, AppArmorException
+from apparmor.rule import BaseRule, BaseRuleset, parse_modifiers, quote_if_needed
+
+# setup module translations
+from apparmor.translations import init_translation
+_ = init_translation()
+
+
+class ChangeProfileRule(BaseRule):
+    '''Class to handle and store a single change_profile rule'''
+
+    # Nothing external should reference this class, all external users
+    # should reference the class field ChangeProfileRule.ALL
+    class __ChangeProfileAll(object):
+        pass
+
+    ALL = __ChangeProfileAll
+
+    def __init__(self, execcond, targetprofile, audit=False, deny=False, allow_keyword=False,
+                 comment='', log_event=None):
+
+        '''
+            CHANGE_PROFILE RULE = 'change_profile' [ EXEC COND ] [ -> PROGRAMCHILD ]
+        '''
+
+        super(ChangeProfileRule, self).__init__(audit=audit, deny=deny,
+                                             allow_keyword=allow_keyword,
+                                             comment=comment,
+                                             log_event=log_event)
+
+        self.execcond = None
+        self.all_execconds = False
+        if execcond == ChangeProfileRule.ALL:
+            self.all_execconds = True
+        elif type(execcond) == str:
+            if not execcond.strip():
+                raise AppArmorBug('Empty exec condition in change_profile rule')
+            elif execcond.startswith('/') or execcond.startswith('@'):
+                self.execcond = execcond
+            else:
+                raise AppArmorException('Exec condition in change_profile rule does not start with /: %s' % str(execcond))
+        else:
+            raise AppArmorBug('Passed unknown object to ChangeProfileRule: %s' % str(execcond))
+
+        self.targetprofile = None
+        self.all_targetprofiles = False
+        if targetprofile == ChangeProfileRule.ALL:
+            self.all_targetprofiles = True
+        elif type(targetprofile) == str:
+            if targetprofile.strip():
+                self.targetprofile = targetprofile
+            else:
+                raise AppArmorBug('Empty target profile in change_profile rule')
+        else:
+            raise AppArmorBug('Passed unknown object to ChangeProfileRule: %s' % str(targetprofile))
+
+    @classmethod
+    def _match(cls, raw_rule):
+        return RE_PROFILE_CHANGE_PROFILE.search(raw_rule)
+
+    @classmethod
+    def _parse(cls, raw_rule):
+        '''parse raw_rule and return ChangeProfileRule'''
+
+        matches = cls._match(raw_rule)
+        if not matches:
+            raise AppArmorException(_("Invalid change_profile rule '%s'") % raw_rule)
+
+        audit, deny, allow_keyword, comment = parse_modifiers(matches)
+
+        if matches.group('execcond'):
+            execcond = strip_quotes(matches.group('execcond'))
+        else:
+            execcond = ChangeProfileRule.ALL
+
+        if matches.group('targetprofile'):
+            targetprofile = strip_quotes(matches.group('targetprofile'))
+        else:
+            targetprofile = ChangeProfileRule.ALL
+
+        return ChangeProfileRule(execcond, targetprofile,
+                           audit=audit, deny=deny, allow_keyword=allow_keyword, comment=comment)
+
+    def get_clean(self, depth=0):
+        '''return rule (in clean/default formatting)'''
+
+        space = '  ' * depth
+
+        if self.all_execconds:
+            execcond = ''
+        elif self.execcond:
+            execcond = ' %s' % quote_if_needed(self.execcond)
+        else:
+            raise AppArmorBug('Empty execcond in change_profile rule')
+
+        if self.all_targetprofiles:
+            targetprofile = ''
+        elif self.targetprofile:
+            targetprofile = ' -> %s' % quote_if_needed(self.targetprofile)
+        else:
+            raise AppArmorBug('Empty target profile in change_profile rule')
+
+        return('%s%schange_profile%s%s,%s' % (space, self.modifiers_str(), execcond, targetprofile, self.comment))
+
+    def is_covered_localvars(self, other_rule):
+        '''check if other_rule is covered by this rule object'''
+
+        if not other_rule.execcond and not other_rule.all_execconds:
+            raise AppArmorBug('No execcond specified in other change_profile rule')
+
+        if not other_rule.targetprofile and not other_rule.all_targetprofiles:
+            raise AppArmorBug('No target profile specified in other change_profile rule')
+
+        if not self.all_execconds:
+            if other_rule.all_execconds:
+                return False
+            if other_rule.execcond != self.execcond:
+                # TODO: honor globbing and variables
+                return False
+
+        if not self.all_targetprofiles:
+            if other_rule.all_targetprofiles:
+                return False
+            if other_rule.targetprofile != self.targetprofile:
+                return False
+
+        # still here? -> then it is covered
+        return True
+
+    def is_equal_localvars(self, rule_obj):
+        '''compare if rule-specific variables are equal'''
+
+        if not type(rule_obj) == ChangeProfileRule:
+            raise AppArmorBug('Passed non-change_profile rule: %s' % str(rule_obj))
+
+        if (self.execcond != rule_obj.execcond
+                or self.all_execconds != rule_obj.all_execconds):
+            return False
+
+        if (self.targetprofile != rule_obj.targetprofile
+                or self.all_targetprofiles != rule_obj.all_targetprofiles):
+            return False
+
+        return True
+
+    def logprof_header_localvars(self):
+        if self.all_execconds:
+            execcond_txt = _('ALL')
+        else:
+            execcond_txt = self.execcond
+
+        if self.all_targetprofiles:
+            targetprofiles_txt = _('ALL')
+        else:
+            targetprofiles_txt = self.targetprofile
+
+        return [
+            _('Exec Condition'), execcond_txt,
+            _('Target Profile'), targetprofiles_txt,
+        ]
+
+class ChangeProfileRuleset(BaseRuleset):
+    '''Class to handle and store a collection of change_profile rules'''
+
+    def get_glob(self, path_or_rule):
+        '''Return the next possible glob. For change_profile rules, that can be "change_profile EXECCOND,",
+           "change_profile -> TARGET_PROFILE," or "change_profile," (all change_profile).
+           Also, EXECCOND filename can be globbed'''
+        # XXX implement all options mentioned above ;-)
+        return 'change_profile,'
diff --git a/utils/apparmor/rule/network.py b/utils/apparmor/rule/network.py
index 21cc95eb2..9ce90dce3 100644
--- a/utils/apparmor/rule/network.py
+++ b/utils/apparmor/rule/network.py
@@ -39,12 +39,10 @@ RE_NETWORK_TYPE     = '(' + '|'.join(network_type_keywords) + ')'
 RE_NETWORK_PROTOCOL = '(' + '|'.join(network_protocol_keywords) + ')'
 
 RE_NETWORK_DETAILS  = re.compile(
-    '^\s*(' +
-        '(?P<domain>' + RE_NETWORK_DOMAIN + ')' + # domain and ...
-            '(\s+(?P<type_or_protocol>' + RE_NETWORK_TYPE + '|' + RE_NETWORK_PROTOCOL + '))?' + # ... optional type or protocol
-        '|' + # or
-        '(?P<protocol>' + RE_NETWORK_PROTOCOL + ')' + # protocol only
-    ')\s*$')
+    '^\s*' +
+    '(?P<domain>' + RE_NETWORK_DOMAIN + ')?' +  # optional domain
+    '(\s+(?P<type_or_protocol>' + RE_NETWORK_TYPE + '|' + RE_NETWORK_PROTOCOL + '))?' +  # optional type or protocol
+    '\s*$')
 
 
 class NetworkRule(BaseRule):
@@ -60,10 +58,6 @@ class NetworkRule(BaseRule):
     def __init__(self, domain, type_or_protocol, audit=False, deny=False, allow_keyword=False,
                  comment='', log_event=None):
 
-        '''
-           NETWORK RULE = 'network' [ [ DOMAIN [ TYPE | PROTOCOL ] ] | [ PROTOCOL ] ] ','
-        '''
-
         super(NetworkRule, self).__init__(audit=audit, deny=deny,
                                              allow_keyword=allow_keyword,
                                              comment=comment,
@@ -89,8 +83,6 @@ class NetworkRule(BaseRule):
             if type_or_protocol in network_protocol_keywords:
                 self.type_or_protocol = type_or_protocol
             elif type_or_protocol in network_type_keywords:
-                if self.all_domains:
-                    raise AppArmorException('Passing type %s to NetworkRule without specifying a domain keyword is not allowed' % type_or_protocol)
                 self.type_or_protocol = type_or_protocol
             else:
                 raise AppArmorBug('Passed unknown type_or_protocol to NetworkRule: %s' % type_or_protocol)
@@ -113,7 +105,7 @@ class NetworkRule(BaseRule):
 
         rule_details = ''
         if matches.group('details'):
-            rule_details = matches.group('details').strip()
+            rule_details = matches.group('details')
 
         if rule_details:
             details = RE_NETWORK_DETAILS.search(rule_details)
@@ -127,8 +119,6 @@ class NetworkRule(BaseRule):
 
             if details.group('type_or_protocol'):
                 type_or_protocol = details.group('type_or_protocol')
-            elif details.group('protocol'):
-                type_or_protocol = details.group('protocol')
             else:
                 type_or_protocol = NetworkRule.ALL
         else:
@@ -199,6 +189,22 @@ class NetworkRule(BaseRule):
 
         return True
 
+    def logprof_header_localvars(self):
+        if self.all_domains:
+            family = _('ALL')
+        else:
+            family = self.domain
+
+        if self.all_type_or_protocols:
+            sock_type = _('ALL')
+        else:
+            sock_type = self.type_or_protocol
+
+        return [
+            _('Network Family'), family,
+            _('Socket Type'),    sock_type,
+        ]
+
 
 class NetworkRuleset(BaseRuleset):
     '''Class to handle and store a collection of network rules'''
diff --git a/utils/apparmor/rule/rlimit.py b/utils/apparmor/rule/rlimit.py
new file mode 100644
index 000000000..f38b0672a
--- /dev/null
+++ b/utils/apparmor/rule/rlimit.py
@@ -0,0 +1,267 @@
+#!/usr/bin/env python
+# ----------------------------------------------------------------------
+#    Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
+#    Copyright (C) 2015 Christian Boltz <apparmor@cboltz.de>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License as published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+# ----------------------------------------------------------------------
+
+import re
+
+from apparmor.regex import RE_PROFILE_RLIMIT, strip_quotes
+from apparmor.common import AppArmorBug, AppArmorException
+from apparmor.rule import BaseRule, BaseRuleset, parse_comment, quote_if_needed
+
+# setup module translations
+from apparmor.translations import init_translation
+_ = init_translation()
+
+rlimit_size     = ['fsize', 'data', 'stack', 'core', 'rss', 'as', 'memlock', 'msgqueue']  # NUMBER ( 'K' | 'M' | 'G' )
+rlimit_number   = ['ofile', 'nofile', 'locks', 'sigpending', 'nproc', 'rtprio']
+rlimit_time     = ['cpu', 'rttime']  # number + time unit (cpu in seconds+, rttime in us+)
+rlimit_nice     = ['nice']  # a number between -20 and 19.
+
+rlimit_all      = rlimit_size + rlimit_number + rlimit_time + rlimit_nice
+
+RE_NUMBER_UNIT  = re.compile('^(?P<number>[0-9]+)(?P<unit>[a-zA-Z]*)$')
+RE_NUMBER       = re.compile('^[0-9]+$')
+RE_UNIT_SIZE    = re.compile('^[0-9]+([KMG]B?)?$')
+RE_NICE         = re.compile('^(-20|-[01]?[0-9]|[01]?[0-9])$')
+
+
+class RlimitRule(BaseRule):
+    '''Class to handle and store a single rlimit rule'''
+
+    # Nothing external should reference this class, all external users
+    # should reference the class field RlimitRule.ALL
+    class __RlimitAll(object):
+        pass
+
+    ALL = __RlimitAll
+
+    def __init__(self, rlimit, value, audit=False, deny=False, allow_keyword=False,
+                 comment='', log_event=None):
+
+        super(RlimitRule, self).__init__(audit=audit, deny=deny,
+                                             allow_keyword=allow_keyword,
+                                             comment=comment,
+                                             log_event=log_event)
+
+        if audit or deny or allow_keyword:
+            raise AppArmorBug('The audit, allow or deny keywords are not allowed in rlimit rules.')
+
+        if type(rlimit) == str:
+            if rlimit in rlimit_all:
+                self.rlimit = rlimit
+            else:
+                raise AppArmorException('Unknown rlimit keyword in rlimit rule: %s' % rlimit)
+        else:
+            raise AppArmorBug('Passed unknown object to RlimitRule: %s' % str(rlimit))
+
+        self.value = None
+        self.value_as_int = None
+        self.all_values = False
+        if value == RlimitRule.ALL:
+            self.all_values = True
+        elif type(value) == str:
+            if not value.strip():
+                raise AppArmorBug('Empty value in rlimit rule')
+
+            elif rlimit in rlimit_size:
+                if not RE_UNIT_SIZE.match(value):
+                    raise AppArmorException('Invalid value or unit in rlimit %s %s rule' % (rlimit, value))
+                self.value_as_int = self.size_to_int(value)
+
+            elif rlimit in rlimit_number:
+                if not RE_NUMBER.match(value):
+                    raise AppArmorException('Invalid value in rlimit %s %s rule' % (rlimit, value))
+                self.value_as_int = int(value)
+
+            elif rlimit in rlimit_time:
+                if not RE_NUMBER_UNIT.match(value):
+                    raise AppArmorException('Invalid value in rlimit %s %s rule' % (rlimit, value))
+                number, unit = split_unit(value)
+                if unit == 'm' and rlimit == 'rttime':
+                    raise AppArmorException('Ambiguous value %s in rlimit %s rule - use "ms" or "minutes"' % (value, rlimit))
+                if unit != '' and not ('seconds'.startswith(unit) or 'minutes'.startswith(unit) or 'hours'.startswith(unit) or
+                        (rlimit == 'rttime' and unit in ['ms', 'us']) ):
+                    raise AppArmorException('Invalid unit in rlimit %s %s rule' % (rlimit, value))
+
+                if rlimit == 'rttime':
+                    self.value_as_int = self.time_to_int(value, 'us')
+                else:
+                    self.value_as_int = self.time_to_int(value, 'seconds')
+
+            elif rlimit in rlimit_nice:
+                if not RE_NICE.match(value):
+                    raise AppArmorException('Invalid value or unit in rlimit %s %s rule' % (rlimit, value))
+                self.value_as_int = 0 - int(value)  # lower numbers mean a higher limit for nice
+
+            # still here? fine :-)
+            self.value = value
+        else:
+            raise AppArmorBug('Passed unknown object to RlimitRule: %s' % str(value))
+
+    @classmethod
+    def _match(cls, raw_rule):
+        return RE_PROFILE_RLIMIT.search(raw_rule)
+
+    @classmethod
+    def _parse(cls, raw_rule):
+        '''parse raw_rule and return RlimitRule'''
+
+        matches = cls._match(raw_rule)
+        if not matches:
+            raise AppArmorException(_("Invalid rlimit rule '%s'") % raw_rule)
+
+        comment = parse_comment(matches)
+
+        if matches.group('rlimit'):
+            rlimit = strip_quotes(matches.group('rlimit'))
+        else:
+            raise AppArmorException(_("Invalid rlimit rule '%s' - keyword missing") % raw_rule)
+
+        if matches.group('value'):
+            if matches.group('value') == 'infinity':
+                value = RlimitRule.ALL
+            else:
+                value = strip_quotes(matches.group('value'))
+        else:
+            raise AppArmorException(_("Invalid rlimit rule '%s' - value missing") % raw_rule)
+
+        return RlimitRule(rlimit, value,
+                           comment=comment)
+
+    def get_clean(self, depth=0):
+        '''return rule (in clean/default formatting)'''
+
+        space = '  ' * depth
+
+        if self.rlimit:
+            rlimit = ' %s' % quote_if_needed(self.rlimit)
+        else:
+            raise AppArmorBug('Empty rlimit in rlimit rule')
+
+        if self.all_values:
+            value = ' <= infinity'
+        elif self.value:
+            value = ' <= %s' % quote_if_needed(self.value)
+        else:
+            raise AppArmorBug('Empty value in rlimit rule')
+
+        return('%s%sset rlimit%s%s,%s' % (space, self.modifiers_str(), rlimit, value, self.comment))
+
+    def size_to_int(self, value):
+        number, unit = split_unit(value)
+
+        if unit == '':
+            pass
+        elif unit == 'K' or unit == 'KB':
+            number = number * 1024
+        elif unit == 'M' or unit == 'MB':
+            number = number * 1024 * 1024
+        elif unit == 'G' or unit == 'GB':
+            number = number * 1024 * 1024 * 1024
+        else:
+            raise AppArmorException('Unknown unit %s in rlimit %s %s' % (unit, self.rlimit, value))
+
+        return number
+
+    def time_to_int(self, value, default_unit):
+        number, unit = split_unit(value)
+
+        if unit == '':
+            unit = default_unit
+
+        if unit == 'us':
+            number = number / 1000000.0
+        elif unit == 'ms':
+            number = number / 1000.0
+        elif 'seconds'.startswith(unit):
+            pass
+        elif 'minutes'.startswith(unit):
+            number = number * 60
+        elif 'hours'.startswith(unit):
+            number = number * 60 * 60
+        else:
+            raise AppArmorException('Unknown unit %s in rlimit %s %s' % (unit, self.rlimit, value))
+
+        return number
+
+    def is_covered_localvars(self, other_rule):
+        '''check if other_rule is covered by this rule object'''
+
+        if not other_rule.rlimit:
+            raise AppArmorBug('No rlimit specified in other rlimit rule')
+
+        if not other_rule.value and not other_rule.all_values:
+            raise AppArmorBug('No target profile specified in other rlimit rule')
+
+        if other_rule.rlimit != self.rlimit:
+            return False
+
+        if not self.all_values:
+            if other_rule.all_values:
+                return False
+            if other_rule.value_as_int > self.value_as_int:
+                return False
+
+        # still here? -> then it is covered
+        return True
+
+    def is_equal_localvars(self, rule_obj):
+        '''compare if rule-specific variables are equal'''
+
+        if not type(rule_obj) == RlimitRule:
+            raise AppArmorBug('Passed non-rlimit rule: %s' % str(rule_obj))
+
+        if (self.rlimit != rule_obj.rlimit):
+            return False
+
+        if (self.value_as_int != rule_obj.value_as_int
+                or self.all_values != rule_obj.all_values):
+            return False
+
+        return True
+
+    def logprof_header_localvars(self):
+        rlimit_txt = self.rlimit
+
+        if self.all_values:
+            values_txt = 'infinity'
+        else:
+            values_txt = self.value
+
+        return [
+            _('Rlimit'), rlimit_txt,
+            _('Value'),  values_txt,
+        ]
+
+class RlimitRuleset(BaseRuleset):
+    '''Class to handle and store a collection of rlimit rules'''
+
+    def get_glob(self, path_or_rule):
+        '''Return the next possible glob. For rlimit rules, that can mean changing the value to 'infinity' '''
+        # XXX implement all options mentioned above ;-)
+        raise AppArmorBug('get_glob() is not (yet) available for this rule type')
+
+
+def split_unit(value):
+    matches = RE_NUMBER_UNIT.match(value)
+    if not matches:
+        raise AppArmorBug("Invalid value given to split_unit: %s" % value)
+
+    number = int(matches.group('number'))
+    unit = matches.group('unit') or ''
+
+    return number, unit
+
+
diff --git a/utils/apparmor/severity.py b/utils/apparmor/severity.py
index 07d8bbd36..569d5a9dc 100644
--- a/utils/apparmor/severity.py
+++ b/utils/apparmor/severity.py
@@ -15,11 +15,13 @@ from __future__ import with_statement
 import os
 import re
 from apparmor.common import AppArmorException, open_file_read, warn, convert_regexp  # , msg, error, debug
+from apparmor.regex import re_match_include
 
 class Severity(object):
     def __init__(self, dbname=None, default_rank=10):
         """Initialises the class object"""
         self.PROF_DIR = '/etc/apparmor.d'  # The profile directory
+        self.NOT_IMPLEMENTED = '_-*not*implemented*-_'  # used for rule types that don't have severity ratings
         self.severity = dict()
         self.severity['DATABASENAME'] = dbname
         self.severity['CAPABILITIES'] = {}
@@ -75,9 +77,11 @@ class Severity(object):
                 else:
                     raise AppArmorException("Unexpected line in file: %s\n\t[Line %s]: %s" % (dbname, lineno, line))
 
-    def handle_capability(self, resource):
+    def rank_capability(self, resource):
         """Returns the severity of for the capability resource, default value if no match"""
-        cap = resource.upper()
+        cap = 'CAP_%s' % resource.upper()
+        if resource == '__ALL__':
+            return max(self.severity['CAPABILITIES'].values())
         if cap in self.severity['CAPABILITIES'].keys():
             return self.severity['CAPABILITIES'][cap]
         # raise ValueError("unexpected capability rank input: %s"%resource)
@@ -136,23 +140,24 @@ class Severity(object):
         elif resource[0] == '/':    # file resource
             return self.handle_file(resource, mode)
         elif resource[0:4] == 'CAP_':    # capability resource
-            return self.handle_capability(resource)
+            return self.rank_capability(resource[4:])
         else:
             raise AppArmorException("Unexpected rank input: %s" % resource)
 
     def handle_variable_rank(self, resource, mode):
         """Returns the max possible rank for file resources containing variables"""
         regex_variable = re.compile('@{([^{.]*)}')
-        rank = None
         matches = regex_variable.search(resource)
         if matches:
+            rank = self.severity['DEFAULT_RANK']
             variable = '@{%s}' % matches.groups()[0]
             #variables = regex_variable.findall(resource)
             for replacement in self.severity['VARIABLES'][variable]:
                 resource_replaced = self.variable_replace(variable, replacement, resource)
                 rank_new = self.handle_variable_rank(resource_replaced, mode)
-                #rank_new = self.handle_variable_rank(resource.replace('@{'+variable+'}', replacement), mode)
-                if rank is None or rank_new > rank:
+                if rank == self.severity['DEFAULT_RANK']:
+                    rank = rank_new
+                elif rank_new != self.severity['DEFAULT_RANK'] and rank_new > rank:
                     rank = rank_new
             return rank
         else:
@@ -175,16 +180,14 @@ class Severity(object):
 
     def load_variables(self, prof_path):
         """Loads the variables for the given profile"""
-        regex_include = re.compile('^#?include\s*<(\S*)>')
         if os.path.isfile(prof_path):
             with open_file_read(prof_path) as f_in:
                 for line in f_in:
                     line = line.strip()
                     # If any includes, load variables from them first
-                    match = regex_include.search(line)
+                    match = re_match_include(line)
                     if match:
-                        new_path = match.groups()[0]
-                        new_path = self.PROF_DIR + '/' + new_path
+                        new_path = self.PROF_DIR + '/' + match
                         self.load_variables(new_path)
                     else:
                         # Remove any comments
diff --git a/utils/apparmor/tools.py b/utils/apparmor/tools.py
index 87bc58d14..1eac5ef94 100644
--- a/utils/apparmor/tools.py
+++ b/utils/apparmor/tools.py
@@ -29,6 +29,7 @@ class aa_tools:
         self.profiling = args.program
         self.check_profile_dir()
         self.silent = None
+        self.do_reload = args.do_reload
 
         if tool_name in ['audit']:
             self.remove = args.remove
@@ -56,7 +57,7 @@ class aa_tools:
 
             program = None
             profile = None
-            if os.path.exists(p):
+            if os.path.exists(p) or p.startswith('/'):
                 fq_path = apparmor.get_full_path(p).strip()
                 if os.path.commonprefix([apparmor.profile_dir, fq_path]) == apparmor.profile_dir:
                     program = None
@@ -183,6 +184,11 @@ class aa_tools:
                 aaui.UI_Info(_('Removing audit mode from %s.') % output_name)
             apparmor.change_profile_flags(profile, program, 'audit', not self.remove)
 
+            disable_link = '%s/disable/%s' % (apparmor.profile_dir, os.path.basename(profile))
+
+            if os.path.exists(disable_link):
+                aaui.UI_Info(_('\nWarning: the profile %s is disabled. Use aa-enforce or aa-complain to enable it.') % os.path.basename(profile))
+
             self.reload_profile(profile)
 
     def cmd_autodep(self):
@@ -226,14 +232,14 @@ class aa_tools:
                     ans, arg = q.promptUser()
                     if ans == 'CMD_SAVE_CHANGES':
                         apparmor.write_profile_ui_feedback(program)
-                        apparmor.reload_base(program)
+                        self.reload_profile(filename)
                     elif ans == 'CMD_VIEW_CHANGES':
                         #oldprofile = apparmor.serialize_profile(apparmor.original_aa[program], program, '')
                         newprofile = apparmor.serialize_profile(apparmor.aa[program], program, '')
                         apparmor.display_changes_with_comments(filename, newprofile)
             else:
                 apparmor.write_profile_ui_feedback(program)
-                apparmor.reload_base(program)
+                self.reload_profile(filename)
         else:
             raise apparmor.AppArmorException(_('The profile for %s does not exists. Nothing to clean.') % program)
 
@@ -244,6 +250,9 @@ class aa_tools:
         apparmor.create_symlink('disable', filename)
 
     def unload_profile(self, profile):
+        if not self.do_reload:
+            return
+
         # FIXME: should ensure profile is loaded before unloading
         cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '--base', apparmor.profile_dir, '-R', profile])
 
@@ -251,6 +260,9 @@ class aa_tools:
             raise apparmor.AppArmorException(cmd_info[1])
 
     def reload_profile(self, profile):
+        if not self.do_reload:
+            return
+
         cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '--base', apparmor.profile_dir, '-r', profile])
 
         if cmd_info[0] != 0:
diff --git a/utils/test/cleanprof_test.in b/utils/test/cleanprof_test.in
index 200652577..6fd88b6bb 100644
--- a/utils/test/cleanprof_test.in
+++ b/utils/test/cleanprof_test.in
@@ -7,6 +7,15 @@
 	#Below rule comes from abstractions/base
 	allow /usr/share/X11/locale/**  r,
 	allow /home/*/** r,
+
+    ^foo {
+            /etc/fstab r,
+        capability dac_override,
+        }
+
+    ^foo, # hat declarations are obsolete and will be removed when aa-cleanprof or aa-logprof writes the profile
+
+
 	allow /home/foo/bar r,
 	allow /home/foo/** w,
 }
@@ -16,4 +25,4 @@
 	# However this comment will be wiped, need to change that
 	allow /home/*/** rw,
 	allow /home/foo/bar r,
-}
\ No newline at end of file
+}
diff --git a/utils/test/cleanprof_test.out b/utils/test/cleanprof_test.out
index db102c135..9238ab171 100644
--- a/utils/test/cleanprof_test.out
+++ b/utils/test/cleanprof_test.out
@@ -9,6 +9,13 @@
   /home/*/** r,
   /home/foo/** w,
 
+
+  ^foo {
+    capability dac_override,
+
+    /etc/fstab r,
+
+  }
 }
 /usr/bin/other/cleanprof/test/profile {
   /home/*/** rw,
diff --git a/utils/test/common_test.py b/utils/test/common_test.py
index b5223fd09..1f48082c3 100755
--- a/utils/test/common_test.py
+++ b/utils/test/common_test.py
@@ -16,7 +16,9 @@ import unittest
 import inspect
 import os
 import re
+import shutil
 import sys
+import tempfile
 
 import apparmor.common
 import apparmor.config
@@ -47,7 +49,26 @@ class AATest(unittest.TestCase):
         '''override this function if a test needs additional setup steps (instead of overriding setUp())'''
         pass
 
+    def tearDown(self):
+        if self.tmpdir and os.path.exists(self.tmpdir):
+            shutil.rmtree(self.tmpdir)
+
+        self.AATeardown()
+
+    def AATeardown(self):
+        '''override this function if a test needs additional teardown steps (instead of overriding tearDown())'''
+        pass
+
+    def createTmpdir(self):
+        self.tmpdir = tempfile.mkdtemp(prefix='aa-test-')
+
+    def writeTmpfile(self, file, contents):
+        if not self.tmpdir:
+            self.createTmpdir()
+        return write_file(self.tmpdir, file, contents)
+
     tests = []
+    tmpdir = None
 
 class AAParseTest(unittest.TestCase):
     parse_function = None
diff --git a/utils/test/minitools_test.py b/utils/test/minitools_test.py
index 577d4506f..7de136744 100755
--- a/utils/test/minitools_test.py
+++ b/utils/test/minitools_test.py
@@ -11,92 +11,118 @@
 #    GNU General Public License for more details.
 #
 # ----------------------------------------------------------------------
-import atexit
 import os
 import shutil
 import subprocess
 import sys
 import unittest
-import filecmp
+from common_test import AATest, setup_all_loops
 
 import apparmor.aa as apparmor
-
-# Path for the program
-test_path = '/usr/sbin/ntpd'
-# Path for the target file containing profile
-local_profilename = './profiles/usr.sbin.ntpd'
+from common_test import read_file
 
 python_interpreter = 'python'
 if sys.version_info >= (3, 0):
     python_interpreter = 'python3'
 
-class Test(unittest.TestCase):
+class MinitoolsTest(AATest):
+
+    def AASetup(self):
+        self.createTmpdir()
+
+        #copy the local profiles to the test directory
+        #Should be the set of cleanprofile
+        self.profile_dir = '%s/profiles' % self.tmpdir
+        shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)
+
+        apparmor.profile_dir = self.profile_dir
+
+        # Path for the program
+        self.test_path = '/usr/sbin/winbindd'
+        # Path for the target file containing profile
+        self.local_profilename = '%s/usr.sbin.winbindd' % self.profile_dir
 
     def test_audit(self):
-        #Set ntpd profile to audit mode and check if it was correctly set
-        str(subprocess.check_output('%s ./../aa-audit -d ./profiles %s'%(python_interpreter, test_path), shell=True))
+        # Set test profile to audit mode and check if it was correctly set
+        str(subprocess.check_output('%s ./../aa-audit --no-reload -d %s %s' % (python_interpreter, self.profile_dir, self.test_path), shell=True))
 
-        self.assertEqual(apparmor.get_profile_flags(local_profilename, test_path), 'audit', 'Audit flag could not be set in profile %s'%local_profilename)
+        self.assertEqual(apparmor.get_profile_flags(self.local_profilename, self.test_path), 'audit',
+                'Audit flag could not be set in profile %s' % self.local_profilename)
 
-        #Remove audit mode from ntpd profile and check if it was correctly removed
-        subprocess.check_output('%s ./../aa-audit -d ./profiles -r %s'%(python_interpreter, test_path), shell=True)
+        # Remove audit mode from test profile and check if it was correctly removed
+        subprocess.check_output('%s ./../aa-audit --no-reload -d %s -r %s' % (python_interpreter, self.profile_dir, self.test_path), shell=True)
 
-        self.assertEqual(apparmor.get_profile_flags(local_profilename, test_path), None, 'Audit flag could not be removed in profile %s'%local_profilename)
+        self.assertEqual(apparmor.get_profile_flags(self.local_profilename, self.test_path), None,
+                'Audit flag could not be removed in profile %s' % self.local_profilename)
 
 
     def test_complain(self):
-        #Set ntpd profile to complain mode and check if it was correctly set
-        subprocess.check_output('%s ./../aa-complain -d ./profiles %s'%(python_interpreter, test_path), shell=True)
-       
+        # Set test profile to complain mode and check if it was correctly set
+        subprocess.check_output('%s ./../aa-complain --no-reload -d %s %s' % (python_interpreter, self.profile_dir, self.test_path), shell=True)
+
         # "manually" create a force-complain symlink (will be deleted by aa-enforce later)
-        os.mkdir('./profiles/force-complain')
-        os.symlink(local_profilename, './profiles/force-complain/%s'%os.path.basename(local_profilename) )
+        force_complain_dir = '%s/force-complain' % self.profile_dir
+        if not os.path.isdir(force_complain_dir):
+            os.mkdir(force_complain_dir)
+        os.symlink(self.local_profilename, '%s/%s' % (force_complain_dir, os.path.basename(self.local_profilename)))
 
-        self.assertEqual(os.path.islink('./profiles/force-complain/%s'%os.path.basename(local_profilename)), True, 'Failed to create a symlink for %s in force-complain'%local_profilename)
-        self.assertEqual(apparmor.get_profile_flags(local_profilename, test_path), 'complain', 'Complain flag could not be set in profile %s'%local_profilename)
+        self.assertEqual(os.path.islink('%s/%s' % (force_complain_dir, os.path.basename(self.local_profilename))), True,
+                'Failed to create a symlink for %s in force-complain' % self.local_profilename)
+        self.assertEqual(apparmor.get_profile_flags(self.local_profilename, self.test_path), 'complain',
+                'Complain flag could not be set in profile %s'%self.local_profilename)
 
-        #Set ntpd profile to enforce mode and check if it was correctly set
-        subprocess.check_output('%s ./../aa-enforce -d ./profiles %s'%(python_interpreter, test_path), shell=True)
+        # Set test profile to enforce mode and check if it was correctly set
+        subprocess.check_output('%s ./../aa-enforce --no-reload -d %s %s'%(python_interpreter, self.profile_dir, self.test_path), shell=True)
 
-        self.assertEqual(os.path.islink('./profiles/force-complain/%s'%os.path.basename(local_profilename)), False, 'Failed to remove symlink for %s from force-complain'%local_profilename)
-        self.assertEqual(os.path.islink('./profiles/disable/%s'%os.path.basename(local_profilename)), False, 'Failed to remove symlink for %s from disable'%local_profilename)
-        self.assertEqual(apparmor.get_profile_flags(local_profilename, test_path), None, 'Complain flag could not be removed in profile %s'%local_profilename)
+        self.assertEqual(os.path.islink('%s/%s' % (force_complain_dir, os.path.basename(self.local_profilename))), False,
+                'Failed to remove symlink for %s from force-complain'%self.local_profilename)
+        self.assertEqual(os.path.islink('%s/disable/%s' % (self.profile_dir, os.path.basename(self.local_profilename))), False,
+                'Failed to remove symlink for %s from disable'%self.local_profilename)
+        self.assertEqual(apparmor.get_profile_flags(self.local_profilename, self.test_path), None,
+                'Complain flag could not be removed in profile %s'%self.local_profilename)
 
         # Set audit flag and then complain flag in a profile
-        subprocess.check_output('%s ./../aa-audit -d ./profiles %s'%(python_interpreter, test_path), shell=True)
-        subprocess.check_output('%s ./../aa-complain -d ./profiles %s'%(python_interpreter, test_path), shell=True)
+        subprocess.check_output('%s ./../aa-audit --no-reload -d %s %s'%(python_interpreter, self.profile_dir, self.test_path), shell=True)
+        subprocess.check_output('%s ./../aa-complain --no-reload -d %s %s'%(python_interpreter, self.profile_dir, self.test_path), shell=True)
         # "manually" create a force-complain symlink (will be deleted by aa-enforce later)
-        os.symlink(local_profilename, './profiles/force-complain/%s'%os.path.basename(local_profilename) )
+        os.symlink(self.local_profilename, '%s/%s'% (force_complain_dir, os.path.basename(self.local_profilename)))
 
-        self.assertEqual(os.path.islink('./profiles/force-complain/%s'%os.path.basename(local_profilename)), True, 'Failed to create a symlink for %s in force-complain'%local_profilename)
-        self.assertEqual(apparmor.get_profile_flags(local_profilename, test_path), 'audit,complain', 'Complain flag could not be set in profile %s'%local_profilename)
+        self.assertEqual(os.path.islink('%s/%s' % (force_complain_dir, os.path.basename(self.local_profilename))), True,
+                'Failed to create a symlink for %s in force-complain'%self.local_profilename)
+        self.assertEqual(apparmor.get_profile_flags(self.local_profilename, self.test_path), 'audit,complain',
+                'Complain flag could not be set in profile %s'%self.local_profilename)
 
         #Remove complain flag first i.e. set to enforce mode
-        subprocess.check_output('%s ./../aa-enforce -d ./profiles %s'%(python_interpreter, test_path), shell=True)
+        subprocess.check_output('%s ./../aa-enforce --no-reload -d %s %s'%(python_interpreter, self.profile_dir, self.test_path), shell=True)
 
-        self.assertEqual(os.path.islink('./profiles/force-complain/%s'%os.path.basename(local_profilename)), False, 'Failed to remove symlink for %s from force-complain'%local_profilename)
-        self.assertEqual(os.path.islink('./profiles/disable/%s'%os.path.basename(local_profilename)), False, 'Failed to remove symlink for %s from disable'%local_profilename)
-        self.assertEqual(apparmor.get_profile_flags(local_profilename, test_path), 'audit', 'Complain flag could not be removed in profile %s'%local_profilename)
+        self.assertEqual(os.path.islink('%s/%s' % (force_complain_dir, os.path.basename(self.local_profilename))), False,
+                'Failed to remove symlink for %s from force-complain'%self.local_profilename)
+        self.assertEqual(os.path.islink('%s/disable/%s' % (self.profile_dir, os.path.basename(self.local_profilename))), False,
+                'Failed to remove symlink for %s from disable'%self.local_profilename)
+        self.assertEqual(apparmor.get_profile_flags(self.local_profilename, self.test_path), 'audit',
+                'Complain flag could not be removed in profile %s'%self.local_profilename)
 
         #Remove audit flag
-        subprocess.check_output('%s ./../aa-audit -d ./profiles -r %s'%(python_interpreter, test_path), shell=True)
+        subprocess.check_output('%s ./../aa-audit --no-reload -d %s -r %s'%(python_interpreter, self.profile_dir, self.test_path), shell=True)
 
     def test_enforce(self):
-        #Set ntpd profile to complain mode and check if it was correctly set
+        # Set test profile to enforce mode and check if it was correctly set
+        subprocess.check_output('%s ./../aa-enforce --no-reload -d %s %s'%(python_interpreter, self.profile_dir, self.test_path), shell=True)
 
-        #Set ntpd profile to enforce mode and check if it was correctly set
-        subprocess.check_output('%s ./../aa-enforce -d ./profiles %s'%(python_interpreter, test_path), shell=True)
-
-        self.assertEqual(os.path.islink('./profiles/force-complain/%s'%os.path.basename(local_profilename)), False, 'Failed to remove symlink for %s from force-complain'%local_profilename)
-        self.assertEqual(os.path.islink('./profiles/disable/%s'%os.path.basename(local_profilename)), False, 'Failed to remove symlink for %s from disable'%local_profilename)
-        self.assertEqual(apparmor.get_profile_flags(local_profilename, test_path), None, 'Complain flag could not be removed in profile %s'%local_profilename)
+        self.assertEqual(os.path.islink('%s/force-complain/%s' % (self.profile_dir, os.path.basename(self.local_profilename))), False,
+                'Failed to remove symlink for %s from force-complain'%self.local_profilename)
+        self.assertEqual(os.path.islink('%s/disable/%s' % (self.profile_dir, os.path.basename(self.local_profilename))), False,
+                'Failed to remove symlink for %s from disable'%self.local_profilename)
+        self.assertEqual(apparmor.get_profile_flags(self.local_profilename, self.test_path), None,
+                'Complain flag could not be removed in profile %s'%self.local_profilename)
 
 
     def test_disable(self):
-        #Disable the ntpd profile and check if it was correctly disabled
-        subprocess.check_output('%s ./../aa-disable -d ./profiles %s'%(python_interpreter, test_path), shell=True)
+        # Disable the test profile and check if it was correctly disabled
+        subprocess.check_output('%s ./../aa-disable --no-reload -d %s %s'%(python_interpreter, self.profile_dir, self.test_path), shell=True)
 
-        self.assertEqual(os.path.islink('./profiles/disable/%s'%os.path.basename(local_profilename)), True, 'Failed to create a symlink for %s in disable'%local_profilename)
+        self.assertEqual(os.path.islink('%s/disable/%s' % (self.profile_dir, os.path.basename(self.local_profilename))), True,
+                'Failed to create a symlink for %s in disable' % self.local_profilename)
 
     def test_autodep(self):
         pass
@@ -115,34 +141,21 @@ class Test(unittest.TestCase):
         input_file = 'cleanprof_test.in'
         output_file = 'cleanprof_test.out'
         #We position the local testfile
-        shutil.copy('./%s'%input_file, './profiles')
+        shutil.copy('./%s'%input_file, self.profile_dir)
         #Our silly test program whose profile we wish to clean
         cleanprof_test = '/usr/bin/a/simple/cleanprof/test/profile'
 
-        subprocess.check_output('%s ./../aa-cleanprof  -d ./profiles -s %s' % (python_interpreter, cleanprof_test), shell=True)
+        subprocess.check_output('%s ./../aa-cleanprof  --no-reload -d %s -s %s' % (python_interpreter, self.profile_dir, cleanprof_test), shell=True)
 
         #Strip off the first line (#modified line)
-        subprocess.check_output('sed -i 1d ./profiles/%s'%(input_file), shell=True)
+        subprocess.check_output('sed -i 1d %s/%s' % (self.profile_dir, input_file), shell=True)
 
-        self.assertEqual(filecmp.cmp('./profiles/%s'%input_file, './%s'%output_file, False), True, 'Failed to cleanup profile properly')
+        exp_content = read_file('./%s' % output_file)
+        real_content = read_file('%s/%s' % (self.profile_dir, input_file))
+        self.maxDiff = None
+        self.assertEqual(exp_content, real_content, 'Failed to cleanup profile properly')
 
 
-def clean_profile_dir():
-    #Wipe the local profiles from the test directory
-    shutil.rmtree('./profiles')
-
-if __name__ == "__main__":
-    #import sys;sys.argv = ['', 'Test.testName']
-
-    if os.path.exists('./profiles'):
-        shutil.rmtree('./profiles')
-
-    #copy the local profiles to the test directory
-    #Should be the set of cleanprofile
-    shutil.copytree('../../profiles/apparmor.d/', './profiles', symlinks=True)
-
-    apparmor.profile_dir = './profiles'
-
-    atexit.register(clean_profile_dir)
-
-    unittest.main()
+setup_all_loops(__name__)
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/utils/test/test-aa.py b/utils/test/test-aa.py
index 9284806ac..57a23d4b7 100644
--- a/utils/test/test-aa.py
+++ b/utils/test/test-aa.py
@@ -11,21 +11,15 @@
 
 import unittest
 from common_test import AATest, setup_all_loops
-import os
-import shutil
-import tempfile
 from common_test import read_file, write_file
 
-from apparmor.aa import check_for_apparmor, get_profile_flags, set_profile_flags, is_skippable_file, is_skippable_dir, parse_profile_start, separate_vars, store_list_var, write_header, serialize_parse_profile_start
+from apparmor.aa import (check_for_apparmor, get_profile_flags, set_profile_flags, is_skippable_file, is_skippable_dir,
+     parse_profile_start, parse_profile_data, separate_vars, store_list_var, write_header, serialize_parse_profile_start)
 from apparmor.common import AppArmorException, AppArmorBug
 
 class AaTestWithTempdir(AATest):
-    def setUp(self):
-        self.tmpdir = tempfile.mkdtemp(prefix='aa-py-')
-
-    def tearDown(self):
-        if os.path.exists(self.tmpdir):
-            shutil.rmtree(self.tmpdir)
+    def AASetup(self):
+        self.createTmpdir()
 
 
 class AaTest_check_for_apparmor(AaTestWithTempdir):
@@ -106,7 +100,8 @@ class AaTest_get_profile_flags(AaTestWithTempdir):
             self._test_get_flags('/no-such-profile flags=(complain)', 'complain')
 
 class AaTest_set_profile_flags(AaTestWithTempdir):
-    def _test_set_flags(self, profile, old_flags, new_flags, whitespace='', comment='', more_rules='',
+    def _test_set_flags(self, profile, old_flags, new_flags, whitespace='', comment='',
+                        more_rules='', expected_more_rules='@-@-@',
                         expected_flags='@-@-@', check_new_flags=True, profile_name='/foo'):
         if old_flags:
             old_flags = ' %s' % old_flags
@@ -119,13 +114,16 @@ class AaTest_set_profile_flags(AaTestWithTempdir):
         else:
             expected_flags = ''
 
+        if expected_more_rules == '@-@-@':
+            expected_more_rules = more_rules
+
         if comment:
             comment = ' %s' % comment
 
         dummy_profile_content = '  #include <abstractions/base>\n  capability chown,\n  /bar r,'
         prof_template = '%s%s%s {%s\n%s\n%s\n}\n'
-        old_prof = prof_template % (whitespace, profile, old_flags,      comment, more_rules, dummy_profile_content)
-        new_prof = prof_template % (whitespace, profile, expected_flags, comment, more_rules, dummy_profile_content)
+        old_prof = prof_template % (whitespace, profile, old_flags,      comment, more_rules,          dummy_profile_content)
+        new_prof = prof_template % (whitespace, profile, expected_flags, comment, expected_more_rules, dummy_profile_content)
 
         self.file = write_file(self.tmpdir, 'profile', old_prof)
         set_profile_flags(self.file, profile_name, new_flags)
@@ -183,12 +181,55 @@ class AaTest_set_profile_flags(AaTestWithTempdir):
         self._test_set_flags('profile "/foo bar"', 'flags=(complain)', 'audit', profile_name='/foo bar')
     def test_set_flags_12(self):
         self._test_set_flags('profile xy "/foo bar"', 'flags=(complain)', 'audit', profile_name='xy')
+    def test_set_flags_13(self):
+        self._test_set_flags('/foo', '(audit)', '')
 
+    # test handling of hat flags
+    def test_set_flags_with_hat_01(self):
+        self._test_set_flags('/foo', 'flags=(complain)', 'audit',
+            more_rules='\n  ^foobar {\n}\n',
+            expected_more_rules='\n  ^foobar flags=(audit) {\n}\n'
+        )
 
-    # XXX regex_hat_flag in set_profile_flags() is totally broken - it matches for '   ' and '  X ', but doesn't match for ' ^foo {'
-    # oh, it matches on a line like 'dbus' and changes it to 'dbus flags=(...)' if there's no leading whitespace (and no comma)
-    #def test_set_flags_hat_01(self):
-    #    self._test_set_flags('  ^hat', '', 'audit')
+    def test_set_flags_with_hat_02(self):
+        self._test_set_flags('/foo', 'flags=(complain)', 'audit',
+            profile_name=None,
+            more_rules='\n  ^foobar {\n}\n',
+            expected_more_rules='\n  ^foobar flags=(audit) {\n}\n'
+        )
+
+    def test_set_flags_with_hat_03(self):
+        self._test_set_flags('/foo', 'flags=(complain)', 'audit',
+            more_rules='\n^foobar (attach_disconnected) { # comment\n}\n', # XXX attach_disconnected will be lost!
+            expected_more_rules='\n^foobar flags=(audit) { # comment\n}\n'
+        )
+
+    def test_set_flags_with_hat_04(self):
+        self._test_set_flags('/foo', '', 'audit',
+            more_rules='\n  hat foobar (attach_disconnected) { # comment\n}\n', # XXX attach_disconnected will be lost!
+            expected_more_rules='\n  hat foobar flags=(audit) { # comment\n}\n'
+        )
+
+    def test_set_flags_with_hat_05(self):
+        self._test_set_flags('/foo', '(audit)', '',
+            more_rules='\n  hat foobar (attach_disconnected) { # comment\n}\n', # XXX attach_disconnected will be lost!
+            expected_more_rules='\n  hat foobar { # comment\n}\n'
+        )
+
+    # test handling of child profiles
+    def test_set_flags_with_child_01(self):
+        self._test_set_flags('/foo', 'flags=(complain)', 'audit',
+            profile_name=None,
+            more_rules='\n  profile /bin/bar {\n}\n',
+            expected_more_rules='\n  profile /bin/bar flags=(audit) {\n}\n'
+        )
+
+    #def test_set_flags_with_child_02(self):
+        # XXX child profile flags aren't changed if profile parameter is not None
+        #self._test_set_flags('/foo', 'flags=(complain)', 'audit',
+        #    more_rules='\n  profile /bin/bar {\n}\n',
+        #    expected_more_rules='\n  profile /bin/bar flags=(audit) {\n}\n'
+        #)
 
 
     def test_set_flags_invalid_01(self):
@@ -349,6 +390,21 @@ class AaTest_parse_profile_start(AATest):
         with self.assertRaises(AppArmorBug):
             self._parse('xy', '/bar', '/bar') # not a profile start
 
+class AaTest_parse_profile_data(AATest):
+    def test_parse_empty_profile_01(self):
+        prof = parse_profile_data('/foo {\n}\n'.split(), 'somefile', False)
+
+        self.assertEqual(list(prof.keys()), ['/foo'])
+        self.assertEqual(list(prof['/foo'].keys()), ['/foo'])
+        self.assertEqual(prof['/foo']['/foo']['name'], '/foo')
+        self.assertEqual(prof['/foo']['/foo']['filename'], 'somefile')
+        self.assertEqual(prof['/foo']['/foo']['flags'], None)
+
+    def test_parse_empty_profile_02(self):
+        with self.assertRaises(AppArmorException):
+            # file contains two profiles with the same name
+            parse_profile_data('profile /foo {\n}\nprofile /foo {\n}\n'.split(), 'somefile', False)
+
 class AaTest_separate_vars(AATest):
     tests = [
         (''                             , set()                      ),
diff --git a/utils/test/test-baserule.py b/utils/test/test-baserule.py
index a73e57403..74fd4a195 100644
--- a/utils/test/test-baserule.py
+++ b/utils/test/test-baserule.py
@@ -14,6 +14,7 @@ from common_test import AATest, setup_all_loops
 
 from apparmor.common import AppArmorBug
 from apparmor.rule import BaseRule, parse_modifiers
+import apparmor.severity as severity
 
 import re
 
@@ -51,6 +52,16 @@ class TestBaserule(AATest):
         with self.assertRaises(AppArmorBug):
             parse_modifiers(matches)
 
+    def test_default_severity(self):
+        sev_db = severity.Severity('severity.db', 'unknown')
+        obj = BaseRule()
+        rank = obj.severity(sev_db)
+        self.assertEqual(rank, sev_db.NOT_IMPLEMENTED)
+
+    def test_logprof_header_localvars(self):
+        obj = BaseRule()
+        with self.assertRaises(AppArmorBug):
+            obj.logprof_header_localvars()
 
 
 setup_all_loops(__name__)
diff --git a/utils/test/test-capability.py b/utils/test/test-capability.py
index fcd607329..ae0f73305 100644
--- a/utils/test/test-capability.py
+++ b/utils/test/test-capability.py
@@ -14,18 +14,19 @@
 # ----------------------------------------------------------------------
 
 import unittest
+from common_test import AATest, setup_all_loops
 
 from apparmor.rule.capability import CapabilityRule, CapabilityRuleset
 from apparmor.rule import BaseRule
+import apparmor.severity as severity
 from apparmor.common import AppArmorException, AppArmorBug, hasher
 from apparmor.logparser import ReadLog
+from apparmor.translations import init_translation
+_ = init_translation()
 
 # --- tests for single CapabilityRule --- #
 
-class CapabilityTest(unittest.TestCase):
-    def setUp(self):
-        self.maxDiff = None
-
+class CapabilityTest(AATest):
     def _compare_obj_with_rawrule(self, rawrule, expected):
 
         obj = CapabilityRule.parse(rawrule)
@@ -212,10 +213,7 @@ class CapabilityTest(unittest.TestCase):
         })
 
 
-class InvalidCapabilityTest(unittest.TestCase):
-    def setUp(self):
-        self.maxDiff = None
-
+class InvalidCapabilityTest(AATest):
     def _check_invalid_rawrule(self, rawrule):
         obj = None
         with self.assertRaises(AppArmorException):
@@ -262,10 +260,7 @@ class InvalidCapabilityTest(unittest.TestCase):
             CapabilityRule(dict())
 
 
-class WriteCapabilityTest(unittest.TestCase):
-    def setUp(self):
-        self.maxDiff = None
-
+class WriteCapabilityTest(AATest):
     def _check_write_rule(self, rawrule, cleanrule):
         obj = CapabilityRule.parse(rawrule)
         clean = obj.get_clean()
@@ -292,10 +287,7 @@ class WriteCapabilityTest(unittest.TestCase):
         self.assertEqual(expected, obj.get_clean(2), 'unexpected clean rule')
         self.assertEqual(expected, obj.get_raw(2), 'unexpected raw rule')
 
-class CapabilityCoveredTest(unittest.TestCase):
-    def setUp(self):
-        self.maxDiff = None
-
+class CapabilityCoveredTest(AATest):
     def _is_covered(self, obj, rule_to_test):
         self.assertTrue(CapabilityRule.match(rule_to_test))
         return obj.is_covered(CapabilityRule.parse(rule_to_test))
@@ -430,12 +422,38 @@ class CapabilityCoveredTest(unittest.TestCase):
         self.assertFalse(self._is_covered(obj2, 'capability sys_admin,'))
         self.assertTrue(self._is_covered(obj2, 'capability ptrace,'))
 
+class CapabiliySeverityTest(AATest):
+    tests = [
+        ('fsetid',                      9),
+        ('dac_read_search',             7),
+        (['fsetid', 'dac_read_search'], 9),
+        (CapabilityRule.ALL,            10),
+        ('foo',                         'unknown'),
+    ]
+    def _run_test(self, params, expected):
+        sev_db = severity.Severity('severity.db', 'unknown')
+        obj = CapabilityRule(params)
+        rank = obj.severity(sev_db)
+        self.assertEqual(rank, expected)
+
+class CapabilityLogprofHeaderTest(AATest):
+    tests = [
+        ('capability,',                         [                               _('Capability'), _('ALL'),         ]),
+        ('capability chown,',                   [                               _('Capability'), 'chown',          ]),
+        ('capability chown fsetid,',            [                               _('Capability'), 'chown fsetid',   ]),
+        ('audit capability,',                   [_('Qualifier'), 'audit',       _('Capability'), _('ALL'),         ]),
+        ('deny capability chown,',              [_('Qualifier'), 'deny',        _('Capability'), 'chown',          ]),
+        ('allow capability chown fsetid,',      [_('Qualifier'), 'allow',       _('Capability'), 'chown fsetid',   ]),
+        ('audit deny capability,',              [_('Qualifier'), 'audit deny',  _('Capability'), _('ALL'),         ]),
+    ]
+
+    def _run_test(self, params, expected):
+        obj = CapabilityRule._parse(params)
+        self.assertEqual(obj.logprof_header(), expected)
+
 # --- tests for CapabilityRuleset --- #
 
-class CapabilityRulesTest(unittest.TestCase):
-    def setUp(self):
-        self.maxDiff = None
-
+class CapabilityRulesTest(AATest):
     def test_empty_ruleset(self):
         ruleset = CapabilityRuleset()
         ruleset_2 = CapabilityRuleset()
@@ -515,10 +533,8 @@ class CapabilityRulesTest(unittest.TestCase):
         self.assertEqual(expected_clean, ruleset.get_clean(1))
 
 
-class CapabilityRulesCoveredTest(unittest.TestCase):
-    def setUp(self):
-        self.maxDiff = None
-
+class CapabilityRulesCoveredTest(AATest):
+    def AASetup(self):
         self.ruleset = CapabilityRuleset()
         rules = [
             'capability chown,',
@@ -611,9 +627,8 @@ class CapabilityRulesCoveredTest(unittest.TestCase):
 #        parser = ReadLog('', '', '', '', '')
 #        self.assertEqual(True, self.ruleset.is_log_covered(parser.parse_event(event_base%'chgrp'), False))  # ignores allow/deny
 
-class CapabilityGlobTest(unittest.TestCase):
-    def setUp(self):
-        self.maxDiff = None
+class CapabilityGlobTest(AATest):
+    def AASetup(self):
         self.ruleset = CapabilityRuleset()
 
     def test_glob(self):
@@ -623,10 +638,8 @@ class CapabilityGlobTest(unittest.TestCase):
         with self.assertRaises(AppArmorBug):
             self.ruleset.get_glob_ext('capability net_raw,')
 
-class CapabilityDeleteTest(unittest.TestCase):
-    def setUp(self):
-        self.maxDiff = None
-
+class CapabilityDeleteTest(AATest):
+    def AASetup(self):
         self.ruleset = CapabilityRuleset()
         rules = [
             'capability chown,',
@@ -974,5 +987,6 @@ class CapabilityDeleteTest(unittest.TestCase):
         self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted)
 
 
-if __name__ == "__main__":
+setup_all_loops(__name__)
+if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/utils/test/test-change_profile.py b/utils/test/test-change_profile.py
new file mode 100644
index 000000000..31afece29
--- /dev/null
+++ b/utils/test/test-change_profile.py
@@ -0,0 +1,461 @@
+#!/usr/bin/env python
+# ----------------------------------------------------------------------
+#    Copyright (C) 2015 Christian Boltz <apparmor@cboltz.de>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License as published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+# ----------------------------------------------------------------------
+
+import unittest
+from collections import namedtuple
+from common_test import AATest, setup_all_loops
+
+from apparmor.rule.change_profile import ChangeProfileRule, ChangeProfileRuleset
+from apparmor.rule import BaseRule
+from apparmor.common import AppArmorException, AppArmorBug
+from apparmor.logparser import ReadLog
+from apparmor.translations import init_translation
+_ = init_translation()
+
+exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment',
+        'execcond', 'all_execconds', 'targetprofile', 'all_targetprofiles'])
+
+# --- tests for single ChangeProfileRule --- #
+
+class ChangeProfileTest(AATest):
+    def _compare_obj(self, obj, expected):
+        self.assertEqual(expected.allow_keyword, obj.allow_keyword)
+        self.assertEqual(expected.audit, obj.audit)
+        self.assertEqual(expected.execcond, obj.execcond)
+        self.assertEqual(expected.targetprofile, obj.targetprofile)
+        self.assertEqual(expected.all_execconds, obj.all_execconds)
+        self.assertEqual(expected.all_targetprofiles, obj.all_targetprofiles)
+        self.assertEqual(expected.deny, obj.deny)
+        self.assertEqual(expected.comment, obj.comment)
+
+class ChangeProfileTestParse(ChangeProfileTest):
+    tests = [
+        # rawrule                                            audit  allow  deny   comment        execcond  all?   targetprof  all?
+        ('change_profile,'                             , exp(False, False, False, ''           , None  ,   True , None     , True )),
+        ('change_profile /foo,'                        , exp(False, False, False, ''           , '/foo',   False, None     , True )),
+        ('change_profile /foo -> /bar,'                , exp(False, False, False, ''           , '/foo',   False, '/bar'   , False)),
+        ('deny change_profile /foo -> /bar, # comment' , exp(False, False, True , ' # comment' , '/foo',   False, '/bar'   , False)),
+        ('audit allow change_profile /foo,'            , exp(True , True , False, ''           , '/foo',   False, None     , True )),
+        ('change_profile -> /bar,'                     , exp(False, False, False, ''           , None  ,   True , '/bar'   , False)),
+        ('audit allow change_profile -> /bar,'         , exp(True , True , False, ''           , None  ,   True , '/bar'   , False)),
+        # quoted versions
+        ('change_profile "/foo",'                      , exp(False, False, False, ''           , '/foo',   False, None     , True )),
+        ('change_profile "/foo" -> "/bar",'            , exp(False, False, False, ''           , '/foo',   False, '/bar'   , False)),
+        ('deny change_profile "/foo" -> "/bar", # cmt' , exp(False, False, True, ' # cmt'      , '/foo',   False, '/bar'   , False)),
+        ('audit allow change_profile "/foo",'          , exp(True , True , False, ''           , '/foo',   False, None     , True )),
+        ('change_profile -> "/bar",'                   , exp(False, False, False, ''           , None  ,   True , '/bar'   , False)),
+        ('audit allow change_profile -> "/bar",'       , exp(True , True , False, ''           , None  ,   True , '/bar'   , False)),
+        # with globbing and/or named profiles
+        ('change_profile,'                             , exp(False, False, False, ''           , None  ,   True , None     , True )),
+        ('change_profile /*,'                          , exp(False, False, False, ''           , '/*'  ,   False, None     , True )),
+        ('change_profile /* -> bar,'                   , exp(False, False, False, ''           , '/*'  ,   False, 'bar'    , False)),
+        ('deny change_profile /** -> bar, # comment'   , exp(False, False, True , ' # comment' , '/**' ,   False, 'bar'    , False)),
+        ('audit allow change_profile /**,'             , exp(True , True , False, ''           , '/**' ,   False, None     , True )),
+        ('change_profile -> "ba r",'                   , exp(False, False, False, ''           , None  ,   True , 'ba r'   , False)),
+        ('audit allow change_profile -> "ba r",'       , exp(True , True , False, ''           , None  ,   True , 'ba r'   , False)),
+     ]
+
+    def _run_test(self, rawrule, expected):
+        self.assertTrue(ChangeProfileRule.match(rawrule))
+        obj = ChangeProfileRule.parse(rawrule)
+        self.assertEqual(rawrule.strip(), obj.raw_rule)
+        self._compare_obj(obj, expected)
+
+class ChangeProfileTestParseInvalid(ChangeProfileTest):
+    tests = [
+        ('change_profile -> ,'                     , AppArmorException),
+        ('change_profile foo -> ,'                 , AppArmorException),
+    ]
+
+    def _run_test(self, rawrule, expected):
+        self.assertFalse(ChangeProfileRule.match(rawrule))
+        with self.assertRaises(expected):
+            ChangeProfileRule.parse(rawrule)
+
+class ChangeProfileTestParseFromLog(ChangeProfileTest):
+    def test_net_from_log(self):
+        parser = ReadLog('', '', '', '', '')
+
+        event = 'type=AVC msg=audit(1428699242.551:386): apparmor="DENIED" operation="change_profile" profile="/foo/changeprofile" pid=3459 comm="changeprofile" target="/foo/rename"'
+
+        # libapparmor doesn't understand this log format (from JJ)
+        # event = '[   97.492562] audit: type=1400 audit(1431116353.523:77): apparmor="DENIED" operation="change_profile" profile="/foo/changeprofile" pid=3459 comm="changeprofile" target="/foo/rename"'
+
+        parsed_event = parser.parse_event(event)
+
+        self.assertEqual(parsed_event, {
+            'request_mask': None,
+            'denied_mask': None,
+            'error_code': 0,
+            #'family': 'inet',
+            'magic_token': 0,
+            'parent': 0,
+            'profile': '/foo/changeprofile',
+            'operation': 'change_profile',
+            'resource': None,
+            'info': None,
+            'aamode': 'REJECTING',
+            'time': 1428699242,
+            'active_hat': None,
+            'pid': 3459,
+            'task': 0,
+            'attr': None,
+            'name2': '/foo/rename', # target
+            'name': None,
+        })
+
+        obj = ChangeProfileRule(ChangeProfileRule.ALL, parsed_event['name2'], log_event=parsed_event)
+
+        #              audit  allow  deny   comment        execcond  all?   targetprof     all?
+        expected = exp(False, False, False, ''           , None,     True,  '/foo/rename', False)
+
+        self._compare_obj(obj, expected)
+
+        self.assertEqual(obj.get_raw(1), '  change_profile -> /foo/rename,')
+
+
+class ChangeProfileFromInit(ChangeProfileTest):
+    tests = [
+        # ChangeProfileRule object                                  audit  allow  deny   comment        execcond    all?   targetprof  all?
+        (ChangeProfileRule('/foo', '/bar', deny=True)          , exp(False, False, True , ''           , '/foo',   False, '/bar'    , False)),
+        (ChangeProfileRule('/foo', '/bar')                     , exp(False, False, False, ''           , '/foo',   False, '/bar'    , False)),
+        (ChangeProfileRule('/foo', ChangeProfileRule.ALL)      , exp(False, False, False, ''           , '/foo',   False,  None     , True )),
+        (ChangeProfileRule(ChangeProfileRule.ALL, '/bar')      , exp(False, False, False, ''           , None  ,   True , '/bar'    , False)),
+        (ChangeProfileRule(ChangeProfileRule.ALL,
+                             ChangeProfileRule.ALL)            , exp(False, False, False, ''           , None  ,   True , None      , True )),
+    ]
+
+    def _run_test(self, obj, expected):
+        self._compare_obj(obj, expected)
+
+
+class InvalidChangeProfileInit(AATest):
+    tests = [
+        # init params                     expected exception
+        (['/foo', ''               ]    , AppArmorBug), # empty targetprofile
+        ([''    , '/bar'           ]    , AppArmorBug), # empty execcond
+        (['    ', '/bar'           ]    , AppArmorBug), # whitespace execcond
+        (['/foo', '   '            ]    , AppArmorBug), # whitespace targetprofile
+        (['xyxy', '/bar'           ]    , AppArmorException), # invalid execcond
+        ([dict(), '/bar'           ]    , AppArmorBug), # wrong type for execcond
+        ([None  , '/bar'           ]    , AppArmorBug), # wrong type for execcond
+        (['/foo', dict()           ]    , AppArmorBug), # wrong type for targetprofile
+        (['/foo', None             ]    , AppArmorBug), # wrong type for targetprofile
+    ]
+
+    def _run_test(self, params, expected):
+        with self.assertRaises(expected):
+            ChangeProfileRule(params[0], params[1])
+
+    def test_missing_params_1(self):
+        with self.assertRaises(TypeError):
+            ChangeProfileRule()
+
+    def test_missing_params_2(self):
+        with self.assertRaises(TypeError):
+            ChangeProfileRule('inet')
+
+
+class InvalidChangeProfileTest(AATest):
+    def _check_invalid_rawrule(self, rawrule):
+        obj = None
+        self.assertFalse(ChangeProfileRule.match(rawrule))
+        with self.assertRaises(AppArmorException):
+            obj = ChangeProfileRule(ChangeProfileRule.parse(rawrule))
+
+        self.assertIsNone(obj, 'ChangeProfileRule handed back an object unexpectedly')
+
+    def test_invalid_net_missing_comma(self):
+        self._check_invalid_rawrule('change_profile')  # missing comma
+
+    def test_invalid_net_non_ChangeProfileRule(self):
+        self._check_invalid_rawrule('dbus,')  # not a change_profile rule
+
+    def test_empty_net_data_1(self):
+        obj = ChangeProfileRule('/foo', '/bar')
+        obj.execcond = ''
+        # no execcond set, and ALL not set
+        with self.assertRaises(AppArmorBug):
+            obj.get_clean(1)
+
+    def test_empty_net_data_2(self):
+        obj = ChangeProfileRule('/foo', '/bar')
+        obj.targetprofile = ''
+        # no targetprofile set, and ALL not set
+        with self.assertRaises(AppArmorBug):
+            obj.get_clean(1)
+
+
+class WriteChangeProfileTestAATest(AATest):
+    tests = [
+        #  raw rule                                                      clean rule
+        ('     change_profile         ,    # foo        '              , 'change_profile, # foo'),
+        ('    audit     change_profile /foo,'                          , 'audit change_profile /foo,'),
+        ('   deny change_profile         /foo      -> bar,# foo bar'   , 'deny change_profile /foo -> bar, # foo bar'),
+        ('   deny change_profile         /foo      ,# foo bar'         , 'deny change_profile /foo, # foo bar'),
+        ('   allow change_profile   ->    /bar     ,# foo bar'         , 'allow change_profile -> /bar, # foo bar'),
+        ('   allow change_profile   /** ->    /bar     ,# foo bar'     , 'allow change_profile /** -> /bar, # foo bar'),
+        ('   allow change_profile   "/fo o" ->    "/b ar",'            , 'allow change_profile "/fo o" -> "/b ar",'),
+    ]
+
+    def _run_test(self, rawrule, expected):
+        self.assertTrue(ChangeProfileRule.match(rawrule))
+        obj = ChangeProfileRule.parse(rawrule)
+        clean = obj.get_clean()
+        raw = obj.get_raw()
+
+        self.assertEqual(expected.strip(), clean, 'unexpected clean rule')
+        self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule')
+
+    def test_write_manually(self):
+        obj = ChangeProfileRule('/foo', 'bar', allow_keyword=True)
+
+        expected = '    allow change_profile /foo -> bar,'
+
+        self.assertEqual(expected, obj.get_clean(2), 'unexpected clean rule')
+        self.assertEqual(expected, obj.get_raw(2), 'unexpected raw rule')
+
+
+class ChangeProfileCoveredTest(AATest):
+    def _run_test(self, param, expected):
+        obj = ChangeProfileRule.parse(self.rule)
+        check_obj = ChangeProfileRule.parse(param)
+
+        self.assertTrue(ChangeProfileRule.match(param))
+
+        self.assertEqual(obj.is_equal(check_obj), expected[0], 'Mismatch in is_equal, expected %s' % expected[0])
+        self.assertEqual(obj.is_equal(check_obj, True), expected[1], 'Mismatch in is_equal/strict, expected %s' % expected[1])
+
+        self.assertEqual(obj.is_covered(check_obj), expected[2], 'Mismatch in is_covered, expected %s' % expected[2])
+        self.assertEqual(obj.is_covered(check_obj, True, True), expected[3], 'Mismatch in is_covered/exact, expected %s' % expected[3])
+
+class ChangeProfileCoveredTest_01(ChangeProfileCoveredTest):
+    rule = 'change_profile /foo,'
+
+    tests = [
+        #   rule                                        equal     strict equal    covered     covered exact
+        ('           change_profile,'               , [ False   , False         , False     , False     ]),
+        ('           change_profile /foo,'          , [ True    , True          , True      , True      ]),
+        ('           change_profile /foo, # comment', [ True    , False         , True      , True      ]),
+        ('     allow change_profile /foo,'          , [ True    , False         , True      , True      ]),
+        ('           change_profile     /foo,'      , [ True    , False         , True      , True      ]),
+        ('           change_profile /foo -> /bar,'  , [ False   , False         , True      , True      ]),
+        ('           change_profile /foo -> bar,'   , [ False   , False         , True      , True      ]),
+        ('audit      change_profile /foo,'          , [ False   , False         , False     , False     ]),
+        ('audit      change_profile,'               , [ False   , False         , False     , False     ]),
+        ('           change_profile /asdf,'         , [ False   , False         , False     , False     ]),
+        ('           change_profile -> /bar,'       , [ False   , False         , False     , False     ]),
+        ('audit deny change_profile /foo,'          , [ False   , False         , False     , False     ]),
+        ('      deny change_profile /foo,'          , [ False   , False         , False     , False     ]),
+    ]
+
+class ChangeProfileCoveredTest_02(ChangeProfileCoveredTest):
+    rule = 'audit change_profile /foo,'
+
+    tests = [
+        #   rule                                       equal     strict equal    covered     covered exact
+        (      'change_profile /foo,'              , [ False   , False         , True      , False     ]),
+        ('audit change_profile /foo,'              , [ True    , True          , True      , True      ]),
+        (      'change_profile /foo -> /bar,'      , [ False   , False         , True      , False     ]),
+        ('audit change_profile /foo -> /bar,'      , [ False   , False         , True      , True      ]), # XXX is "covered exact" correct here?
+        (      'change_profile,'                   , [ False   , False         , False     , False     ]),
+        ('audit change_profile,'                   , [ False   , False         , False     , False     ]),
+        ('      change_profile -> /bar,'           , [ False   , False         , False     , False     ]),
+    ]
+
+
+class ChangeProfileCoveredTest_03(ChangeProfileCoveredTest):
+    rule = 'change_profile /foo -> /bar,'
+
+    tests = [
+        #   rule                                       equal     strict equal    covered     covered exact
+        (      'change_profile /foo -> /bar,'      , [ True    , True          , True      , True      ]),
+        ('allow change_profile /foo -> /bar,'      , [ True    , False         , True      , True      ]),
+        (      'change_profile /foo,'              , [ False   , False         , False     , False     ]),
+        (      'change_profile,'                   , [ False   , False         , False     , False     ]),
+        (      'change_profile /foo -> /xyz,'      , [ False   , False         , False     , False     ]),
+        ('audit change_profile,'                   , [ False   , False         , False     , False     ]),
+        ('audit change_profile /foo -> /bar,'      , [ False   , False         , False     , False     ]),
+        (      'change_profile      -> /bar,'      , [ False   , False         , False     , False     ]),
+        (      'change_profile,'                   , [ False   , False         , False     , False     ]),
+    ]
+
+class ChangeProfileCoveredTest_04(ChangeProfileCoveredTest):
+    rule = 'change_profile,'
+
+    tests = [
+        #   rule                                       equal     strict equal    covered     covered exact
+        (      'change_profile,'                   , [ True    , True          , True      , True      ]),
+        ('allow change_profile,'                   , [ True    , False         , True      , True      ]),
+        (      'change_profile /foo,'              , [ False   , False         , True      , True      ]),
+        (      'change_profile /xyz -> bar,'       , [ False   , False         , True      , True      ]),
+        (      'change_profile -> /bar,'           , [ False   , False         , True      , True      ]),
+        (      'change_profile /foo -> /bar,'      , [ False   , False         , True      , True      ]),
+        ('audit change_profile,'                   , [ False   , False         , False     , False     ]),
+        ('deny  change_profile,'                   , [ False   , False         , False     , False     ]),
+    ]
+
+class ChangeProfileCoveredTest_05(ChangeProfileCoveredTest):
+    rule = 'deny change_profile /foo,'
+
+    tests = [
+        #   rule                                       equal     strict equal    covered     covered exact
+        (      'deny change_profile /foo,'         , [ True    , True          , True      , True      ]),
+        ('audit deny change_profile /foo,'         , [ False   , False         , False     , False     ]),
+        (           'change_profile /foo,'         , [ False   , False         , False     , False     ]), # XXX should covered be true here?
+        (      'deny change_profile /bar,'         , [ False   , False         , False     , False     ]),
+        (      'deny change_profile,'              , [ False   , False         , False     , False     ]),
+    ]
+
+
+class ChangeProfileCoveredTest_Invalid(AATest):
+    def test_borked_obj_is_covered_1(self):
+        obj = ChangeProfileRule.parse('change_profile /foo,')
+
+        testobj = ChangeProfileRule('/foo', '/bar')
+        testobj.execcond = ''
+
+        with self.assertRaises(AppArmorBug):
+            obj.is_covered(testobj)
+
+    def test_borked_obj_is_covered_2(self):
+        obj = ChangeProfileRule.parse('change_profile /foo,')
+
+        testobj = ChangeProfileRule('/foo', '/bar')
+        testobj.targetprofile = ''
+
+        with self.assertRaises(AppArmorBug):
+            obj.is_covered(testobj)
+
+    def test_invalid_is_covered(self):
+        obj = ChangeProfileRule.parse('change_profile /foo,')
+
+        testobj = BaseRule()  # different type
+
+        with self.assertRaises(AppArmorBug):
+            obj.is_covered(testobj)
+
+    def test_invalid_is_equal(self):
+        obj = ChangeProfileRule.parse('change_profile -> /bar,')
+
+        testobj = BaseRule()  # different type
+
+        with self.assertRaises(AppArmorBug):
+            obj.is_equal(testobj)
+
+class ChangeProfileLogprofHeaderTest(AATest):
+    tests = [
+        ('change_profile,',                         [                               _('Exec Condition'), _('ALL'),  _('Target Profile'), _('ALL'),   ]),
+        ('change_profile -> /bin/ping,',            [                               _('Exec Condition'), _('ALL'),  _('Target Profile'), '/bin/ping',]),
+        ('change_profile /bar -> /bin/bar,',        [                               _('Exec Condition'), '/bar',    _('Target Profile'), '/bin/bar', ]),
+        ('change_profile /foo,',                    [                               _('Exec Condition'), '/foo',    _('Target Profile'), _('ALL'),   ]),
+        ('audit change_profile -> /bin/ping,',      [_('Qualifier'), 'audit',       _('Exec Condition'), _('ALL'),  _('Target Profile'), '/bin/ping',]),
+        ('deny change_profile /bar -> /bin/bar,',   [_('Qualifier'), 'deny',        _('Exec Condition'), '/bar',    _('Target Profile'), '/bin/bar', ]),
+        ('allow change_profile /foo,',              [_('Qualifier'), 'allow',       _('Exec Condition'), '/foo',    _('Target Profile'), _('ALL'),   ]),
+        ('audit deny change_profile,',              [_('Qualifier'), 'audit deny',  _('Exec Condition'), _('ALL'),  _('Target Profile'), _('ALL'),   ]),
+    ]
+
+    def _run_test(self, params, expected):
+        obj = ChangeProfileRule._parse(params)
+        self.assertEqual(obj.logprof_header(), expected)
+
+# --- tests for ChangeProfileRuleset --- #
+
+class ChangeProfileRulesTest(AATest):
+    def test_empty_ruleset(self):
+        ruleset = ChangeProfileRuleset()
+        ruleset_2 = ChangeProfileRuleset()
+        self.assertEqual([], ruleset.get_raw(2))
+        self.assertEqual([], ruleset.get_clean(2))
+        self.assertEqual([], ruleset_2.get_raw(2))
+        self.assertEqual([], ruleset_2.get_clean(2))
+
+    def test_ruleset_1(self):
+        ruleset = ChangeProfileRuleset()
+        rules = [
+            'change_profile -> /bar,',
+            'change_profile /foo,',
+        ]
+
+        expected_raw = [
+            'change_profile -> /bar,',
+            'change_profile /foo,',
+            '',
+        ]
+
+        expected_clean = [
+            'change_profile -> /bar,',
+            'change_profile /foo,',
+            '',
+        ]
+
+        for rule in rules:
+            ruleset.add(ChangeProfileRule.parse(rule))
+
+        self.assertEqual(expected_raw, ruleset.get_raw())
+        self.assertEqual(expected_clean, ruleset.get_clean())
+
+    def test_ruleset_2(self):
+        ruleset = ChangeProfileRuleset()
+        rules = [
+            'change_profile /foo -> /bar,',
+            'allow change_profile /asdf,',
+            'deny change_profile -> xy, # example comment',
+        ]
+
+        expected_raw = [
+            '  change_profile /foo -> /bar,',
+            '  allow change_profile /asdf,',
+            '  deny change_profile -> xy, # example comment',
+            '',
+        ]
+
+        expected_clean = [
+            '  deny change_profile -> xy, # example comment',
+            '',
+            '  allow change_profile /asdf,',
+            '  change_profile /foo -> /bar,',
+            '',
+        ]
+
+        for rule in rules:
+            ruleset.add(ChangeProfileRule.parse(rule))
+
+        self.assertEqual(expected_raw, ruleset.get_raw(1))
+        self.assertEqual(expected_clean, ruleset.get_clean(1))
+
+
+class ChangeProfileGlobTestAATest(AATest):
+    def setUp(self):
+        self.ruleset = ChangeProfileRuleset()
+
+    def test_glob_1(self):
+        self.assertEqual(self.ruleset.get_glob('change_profile /foo,'), 'change_profile,')
+
+    # not supported or used yet, glob behaviour not decided yet
+    # def test_glob_2(self):
+    #     self.assertEqual(self.ruleset.get_glob('change_profile /foo -> /bar,'), 'change_profile -> /bar,')
+
+    def test_glob_ext(self):
+        with self.assertRaises(AppArmorBug):
+            # get_glob_ext is not available for change_profile rules
+            self.ruleset.get_glob_ext('change_profile /foo -> /bar,')
+
+class ChangeProfileDeleteTestAATest(AATest):
+    pass
+
+setup_all_loops(__name__)
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/utils/test/test-example.py b/utils/test/test-example.py
index 0617262b7..a744bff99 100644
--- a/utils/test/test-example.py
+++ b/utils/test/test-example.py
@@ -39,6 +39,10 @@ class TestBaz(AATest):
         # called by setUp() - use AASetup() to avoid the need for using super(...)
         pass
 
+    def AATeardown(self):
+        # called by tearDown() - use AATeardown() to avoid the need for using super(...)
+        pass
+
     def test_Baz_only_one_test(self):
         self.assertEqual("baz", "baz")
 
diff --git a/utils/test/test-network.py b/utils/test/test-network.py
index 2608e4818..0892376fb 100644
--- a/utils/test/test-network.py
+++ b/utils/test/test-network.py
@@ -21,6 +21,8 @@ from apparmor.rule.network import NetworkRule, NetworkRuleset
 from apparmor.rule import BaseRule
 from apparmor.common import AppArmorException, AppArmorBug
 from apparmor.logparser import ReadLog
+from apparmor.translations import init_translation
+_ = init_translation()
 
 exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment',
         'domain', 'all_domains', 'type_or_protocol', 'all_type_or_protocols'])
@@ -46,6 +48,7 @@ class NetworkTestParse(NetworkTest):
         ('network inet stream,'                 , exp(False, False, False, ''           , 'inet',   False, 'stream' , False)),
         ('deny network inet stream, # comment'  , exp(False, False, True , ' # comment' , 'inet',   False, 'stream' , False)),
         ('audit allow network tcp,'             , exp(True , True , False, ''           , None  ,   True , 'tcp'    , False)),
+        ('network stream,'                      , exp(False, False, False, ''           , None  ,   True , 'stream' , False)),
     ]
 
     def _run_test(self, rawrule, expected):
@@ -56,7 +59,6 @@ class NetworkTestParse(NetworkTest):
 
 class NetworkTestParseInvalid(NetworkTest):
     tests = [
-        ('network stream,'                  , AppArmorException), # domain missing
         ('network foo,'                     , AppArmorException),
         ('network foo bar,'                 , AppArmorException),
         ('network foo tcp,'                 , AppArmorException),
@@ -116,6 +118,7 @@ class NetworkFromInit(NetworkTest):
         (NetworkRule('inet', NetworkRule.ALL)           , exp(False, False, False, ''           , 'inet',   False, None     , True )),
         (NetworkRule(NetworkRule.ALL, NetworkRule.ALL)  , exp(False, False, False, ''           , None  ,   True , None     , True )),
         (NetworkRule(NetworkRule.ALL, 'tcp')            , exp(False, False, False, ''           , None  ,   True , 'tcp'    , False)),
+        (NetworkRule(NetworkRule.ALL, 'stream')         , exp(False, False, False, ''           , None  ,   True , 'stream' , False)),
     ]
 
     def _run_test(self, obj, expected):
@@ -135,7 +138,6 @@ class InvalidNetworkInit(AATest):
         ([None  , 'tcp'            ]    , AppArmorBug), # wrong type for domain
         (['inet', dict()           ]    , AppArmorBug), # wrong type for type_or_protocol
         (['inet', None             ]    , AppArmorBug), # wrong type for type_or_protocol
-        ([NetworkRule.ALL, 'stream']    , AppArmorException), # stream requires a domain
     ]
 
     def _run_test(self, params, expected):
@@ -336,6 +338,21 @@ class NetworkCoveredTest_Invalid(AATest):
         with self.assertRaises(AppArmorBug):
             obj.is_equal(testobj)
 
+class NetworkLogprofHeaderTest(AATest):
+    tests = [
+        ('network,',                    [                               _('Network Family'), _('ALL'),     _('Socket Type'), _('ALL'),     ]),
+        ('network inet,',               [                               _('Network Family'), 'inet',       _('Socket Type'), _('ALL'),     ]),
+        ('network inet stream,',        [                               _('Network Family'), 'inet',       _('Socket Type'), 'stream',     ]),
+        ('deny network,',               [_('Qualifier'), 'deny',        _('Network Family'), _('ALL'),     _('Socket Type'), _('ALL'),     ]),
+        ('allow network inet,',         [_('Qualifier'), 'allow',       _('Network Family'), 'inet',       _('Socket Type'), _('ALL'),     ]),
+        ('audit network inet stream,',  [_('Qualifier'), 'audit',       _('Network Family'), 'inet',       _('Socket Type'), 'stream',     ]),
+        ('audit deny network inet,',    [_('Qualifier'), 'audit deny',  _('Network Family'), 'inet',       _('Socket Type'), _('ALL'),     ]),
+    ]
+
+    def _run_test(self, params, expected):
+        obj = NetworkRule._parse(params)
+        self.assertEqual(obj.logprof_header(), expected)
+
 ## --- tests for NetworkRuleset --- #
 
 class NetworkRulesTest(AATest):
diff --git a/utils/test/test-regex_matches.py b/utils/test/test-regex_matches.py
index 29e8ab892..b7fdc9d62 100644
--- a/utils/test/test-regex_matches.py
+++ b/utils/test/test-regex_matches.py
@@ -12,9 +12,9 @@
 import apparmor.aa as aa
 import unittest
 from common_test import AATest, setup_all_loops
-from apparmor.common import AppArmorBug
+from apparmor.common import AppArmorBug, AppArmorException
 
-from apparmor.regex import strip_quotes, parse_profile_start_line, RE_PROFILE_START, RE_PROFILE_CAP
+from apparmor.regex import strip_quotes, parse_profile_start_line, re_match_include, RE_PROFILE_START, RE_PROFILE_CAP
 
 
 class AARegexTest(AATest):
@@ -465,6 +465,34 @@ class TestInvalid_parse_profile_start_line(AATest):
         with self.assertRaises(AppArmorBug):
             parse_profile_start_line(line, 'somefile')
 
+class Test_re_match_include(AATest):
+    tests = [
+        ('#include <abstractions/base>',            'abstractions/base'         ),
+        ('#include <abstractions/base> # comment',  'abstractions/base'         ),
+        ('#include<abstractions/base>#comment',     'abstractions/base'         ),
+        ('   #include    <abstractions/base>  ',    'abstractions/base'         ),
+        ('include <abstractions/base>',             'abstractions/base'         ), # not supported by parser
+        # ('include foo',                           'foo'                       ), # XXX not supported in tools yet
+        # ('include /foo/bar',                      '/foo/bar'                  ), # XXX not supported in tools yet
+        # ('include "foo"',                         'foo'                       ), # XXX not supported in tools yet
+        # ('include "/foo/bar"',                    '/foo/bar'                  ), # XXX not supported in tools yet
+        (' some #include <abstractions/base>',      None,                       ),
+        ('  /etc/fstab r,',                         None,                       ),
+    ]
+
+    def _run_test(self, params, expected):
+        self.assertEqual(re_match_include(params), expected)
+
+class TestInvalid_re_match_include(AATest):
+    tests = [
+        ('#include <>',                             AppArmorException   ),
+        ('#include <  >',                           AppArmorException   ),
+    ]
+
+    def _run_test(self, params, expected):
+        with self.assertRaises(expected):
+            re_match_include(params)
+
 
 class TestStripQuotes(AATest):
     def test_strip_quotes_01(self):
diff --git a/utils/test/test-rlimit.py b/utils/test/test-rlimit.py
new file mode 100644
index 000000000..8cda5403f
--- /dev/null
+++ b/utils/test/test-rlimit.py
@@ -0,0 +1,479 @@
+#!/usr/bin/env python
+# ----------------------------------------------------------------------
+#    Copyright (C) 2015 Christian Boltz <apparmor@cboltz.de>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License as published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+# ----------------------------------------------------------------------
+
+import unittest
+from collections import namedtuple
+from common_test import AATest, setup_all_loops
+
+from apparmor.rule.rlimit import RlimitRule, RlimitRuleset, split_unit
+from apparmor.rule import BaseRule
+from apparmor.common import AppArmorException, AppArmorBug
+#from apparmor.logparser import ReadLog
+from apparmor.translations import init_translation
+_ = init_translation()
+
+exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment',
+        'rlimit', 'value', 'all_values'])
+
+# --- tests for single RlimitRule --- #
+
+class RlimitTest(AATest):
+    def _compare_obj(self, obj, expected):
+        self.assertEqual(expected.allow_keyword, obj.allow_keyword)
+        self.assertEqual(expected.audit, obj.audit)
+        self.assertEqual(expected.rlimit, obj.rlimit)
+        self.assertEqual(expected.value, obj.value)
+        self.assertEqual(expected.all_values, obj.all_values)
+        self.assertEqual(expected.deny, obj.deny)
+        self.assertEqual(expected.comment, obj.comment)
+
+class RlimitTestParse(RlimitTest):
+    tests = [
+        # rawrule                                    audit  allow  deny   comment         rlimit          value      all/infinity?
+        ('set rlimit as <= 2047MB,'            , exp(False, False, False, ''           , 'as'           , '2047MB'      , False)),
+        ('set rlimit cpu <= 1024,'             , exp(False, False, False, ''           , 'cpu'          , '1024'        , False)),
+        ('set rlimit stack <= 1024GB,'         , exp(False, False, False, ''           , 'stack'        , '1024GB'      , False)),
+        ('set rlimit rtprio <= 10, # comment'  , exp(False, False, False, ' # comment' , 'rtprio'       , '10'          , False)),
+        ('set rlimit core <= 44444KB,'         , exp(False, False, False, ''           , 'core'         , '44444KB'     , False)),
+        ('set rlimit rttime <= 60ms,'          , exp(False, False, False, ''           , 'rttime'       , '60ms'        , False)),
+        ('set rlimit cpu <= infinity,'         , exp(False, False, False, ''           , 'cpu'          , None          , True )),
+        ('set rlimit nofile <= 256,'           , exp(False, False, False, ''           , 'nofile'       , '256'         , False)),
+        ('set rlimit data <= 4095KB,'          , exp(False, False, False, ''           , 'data'         , '4095KB'      , False)),
+        ('set rlimit cpu <= 12, # cmt'         , exp(False, False, False, ' # cmt'     , 'cpu'          , '12'          , False)),
+        ('set rlimit ofile <= 1234,'           , exp(False, False, False, ''           , 'ofile'        , '1234'        , False)),
+        ('set rlimit msgqueue <= 4444,'        , exp(False, False, False, ''           , 'msgqueue'     , '4444'        , False)),
+        ('set rlimit nice <= -10,'             , exp(False, False, False, ''           , 'nice'         , '-10'         , False)),
+        ('set rlimit rttime <= 60minutes,'     , exp(False, False, False, ''           , 'rttime'       , '60minutes'   , False)),
+        ('set rlimit fsize <= 1023MB,'         , exp(False, False, False, ''           , 'fsize'        , '1023MB'      , False)),
+        ('set rlimit nproc <= 1,'              , exp(False, False, False, ''           , 'nproc'        , '1'           , False)),
+        ('set rlimit rss <= infinity, # cmt'   , exp(False, False, False, ' # cmt'     , 'rss'          , None          , True )),
+        ('set rlimit memlock <= 10240,'        , exp(False, False, False, ''           , 'memlock'      , '10240'       , False)),
+        ('set rlimit sigpending <= 42,'        , exp(False, False, False, ''           , 'sigpending'   , '42'          , False)),
+     ]
+
+    def _run_test(self, rawrule, expected):
+        self.assertTrue(RlimitRule.match(rawrule))
+        obj = RlimitRule.parse(rawrule)
+        self.assertEqual(rawrule.strip(), obj.raw_rule)
+        self._compare_obj(obj, expected)
+
+class RlimitTestParseInvalid(RlimitTest):
+    tests = [
+        ('set rlimit,'                      , AppArmorException), # missing parts
+        ('set rlimit <= 5,'                 , AppArmorException),
+        ('set rlimit cpu <= ,'              , AppArmorException),
+        ('set rlimit cpu <= "",'            , AppArmorBug),       # evil quoting trick
+        ('set rlimit foo <= 5,'             , AppArmorException), # unknown rlimit
+        ('set rlimit rttime <= 60m,'        , AppArmorException), # 'm' could mean 'ms' or 'minutes'
+        ('set rlimit cpu <= 20ms,'          , AppArmorException), # cpu doesn't support 'ms'...
+        ('set rlimit cpu <= 20us,'          , AppArmorException), # ... or 'us'
+        ('set rlimit nice <= 20MB,'         , AppArmorException), # invalid unit for this rlimit type
+        ('set rlimit cpu <= 20MB,'          , AppArmorException),
+        ('set rlimit data <= 20seconds,'    , AppArmorException),
+        ('set rlimit locks <= 20seconds,'   , AppArmorException),
+    ]
+
+    def _run_test(self, rawrule, expected):
+        #self.assertFalse(RlimitRule.match(rawrule))  # the main regex isn't very strict
+        with self.assertRaises(expected):
+            RlimitRule.parse(rawrule)
+
+class RlimitTestParseFromLog(RlimitTest):
+    pass
+    # def test_net_from_log(self):
+    #   parser = ReadLog('', '', '', '', '')
+
+    #   event = 'type=AVC ...'
+
+    #   parsed_event = parser.parse_event(event)
+
+    #   self.assertEqual(parsed_event, {
+    #       ...
+    #   })
+
+    #   obj = RlimitRule(RlimitRule.ALL, parsed_event['name2'], log_event=parsed_event)
+
+    #   #              audit  allow  deny   comment        rlimit  value     all?
+    #   expected = exp(False, False, False, ''           , None,   '/foo/rename', False)
+
+    #   self._compare_obj(obj, expected)
+
+    #   self.assertEqual(obj.get_raw(1), '  rlimit -> /foo/rename,')
+
+
+class RlimitFromInit(RlimitTest):
+    tests = [
+        # RlimitRule object                                  audit  allow  deny   comment        rlimit         value     all/infinity?
+        (RlimitRule('as', '2047MB')                     , exp(False, False, False, ''           , 'as'      ,   '2047MB'    , False)),
+        (RlimitRule('cpu', '1024')                      , exp(False, False, False, ''           , 'cpu'     ,   '1024'      , False)),
+        (RlimitRule('rttime', '60minutes')              , exp(False, False, False, ''           , 'rttime'  ,    '60minutes', False)),
+        (RlimitRule('nice', '-10')                      , exp(False, False, False, ''           , 'nice'    ,   '-10'       , False)),
+        (RlimitRule('rss', RlimitRule.ALL)              , exp(False, False, False, ''           , 'rss'     ,   None        , True )),
+    ]
+
+    def _run_test(self, obj, expected):
+        self._compare_obj(obj, expected)
+
+
+class InvalidRlimitInit(AATest):
+    tests = [
+        # init params                     expected exception
+        (['as'  , ''               ]    , AppArmorBug), # empty value
+        ([''    , '1024'           ]    , AppArmorException), # empty rlimit
+        (['    ', '1024'           ]    , AppArmorException), # whitespace rlimit
+        (['as'  , '   '            ]    , AppArmorBug), # whitespace value
+        (['xyxy', '1024'           ]    , AppArmorException), # invalid rlimit
+        ([dict(), '1024'           ]    , AppArmorBug), # wrong type for rlimit
+        ([None  , '1024'           ]    , AppArmorBug), # wrong type for rlimit
+        (['as'  , dict()           ]    , AppArmorBug), # wrong type for value
+        (['as'  , None             ]    , AppArmorBug), # wrong type for value
+        (['cpu' , '100xy2'         ]    , AppArmorException), # invalid unit
+    ]
+
+    def _run_test(self, params, expected):
+        with self.assertRaises(expected):
+            RlimitRule(params[0], params[1])
+
+    def test_missing_params_1(self):
+        with self.assertRaises(TypeError):
+            RlimitRule()
+
+    def test_missing_params_2(self):
+        with self.assertRaises(TypeError):
+            RlimitRule('as')
+
+    def test_allow_keyword(self):
+        with self.assertRaises(AppArmorBug):
+            RlimitRule('as', '1024MB', allow_keyword=True)
+
+    def test_deny_keyword(self):
+        with self.assertRaises(AppArmorBug):
+            RlimitRule('as', '1024MB', deny=True)
+
+    def test_audit_keyword(self):
+        with self.assertRaises(AppArmorBug):
+            RlimitRule('as', '1024MB', audit=True)
+
+
+class InvalidRlimitTest(AATest):
+    def _check_invalid_rawrule(self, rawrule):
+        obj = None
+        self.assertFalse(RlimitRule.match(rawrule))
+        with self.assertRaises(AppArmorException):
+            obj = RlimitRule(RlimitRule.parse(rawrule))
+
+        self.assertIsNone(obj, 'RlimitRule handed back an object unexpectedly')
+
+    def test_invalid_net_missing_comma(self):
+        self._check_invalid_rawrule('rlimit')  # missing comma
+
+    def test_invalid_net_non_RlimitRule(self):
+        self._check_invalid_rawrule('dbus,')  # not a rlimit rule
+
+    def test_empty_net_data_1(self):
+        obj = RlimitRule('as', '1024MB')
+        obj.rlimit = ''
+        # no rlimit set, and ALL not set
+        with self.assertRaises(AppArmorBug):
+            obj.get_clean(1)
+
+    def test_empty_net_data_2(self):
+        obj = RlimitRule('as', '1024MB')
+        obj.value = ''
+        # no value set, and ALL not set
+        with self.assertRaises(AppArmorBug):
+            obj.get_clean(1)
+
+
+class WriteRlimitTest(AATest):
+    tests = [
+        #  raw rule                                                      clean rule
+        ('     set rlimit    cpu   <= 1024     ,    # foo        '              , 'set rlimit cpu <= 1024, # foo'),
+        ('        set     rlimit  stack <= 1024GB  ,'                          , 'set rlimit stack <= 1024GB,'),
+        ('   set rlimit    rttime <= 100ms   ,   # foo bar'   , 'set rlimit rttime <= 100ms, # foo bar'),
+        ('   set rlimit      cpu   <= infinity   ,  '         , 'set rlimit cpu <= infinity,'),
+        ('    set rlimit     msgqueue <=   4444 ,   '         , 'set rlimit msgqueue <= 4444,'),
+        ('    set rlimit   nice    <=  5   ,   # foo bar'     , 'set rlimit nice <= 5, # foo bar'),
+        ('    set rlimit   nice <=   -5    , # cmt'           , 'set rlimit nice <= -5, # cmt'),
+    ]
+
+    def _run_test(self, rawrule, expected):
+        self.assertTrue(RlimitRule.match(rawrule))
+        obj = RlimitRule.parse(rawrule)
+        clean = obj.get_clean()
+        raw = obj.get_raw()
+
+        self.assertEqual(expected.strip(), clean, 'unexpected clean rule')
+        self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule')
+
+    def test_write_manually(self):
+        obj = RlimitRule('as', '1024MB')
+
+        expected = '    set rlimit as <= 1024MB,'
+
+        self.assertEqual(expected, obj.get_clean(2), 'unexpected clean rule')
+        self.assertEqual(expected, obj.get_raw(2), 'unexpected raw rule')
+
+
+class RlimitCoveredTest(AATest):
+    def _run_test(self, param, expected):
+        obj = RlimitRule.parse(self.rule)
+        check_obj = RlimitRule.parse(param)
+
+        self.assertTrue(RlimitRule.match(param))
+
+        self.assertEqual(obj.is_equal(check_obj), expected[0], 'Mismatch in is_equal, expected %s' % expected[0])
+        self.assertEqual(obj.is_equal(check_obj, True), expected[1], 'Mismatch in is_equal/strict, expected %s' % expected[1])
+
+        self.assertEqual(obj.is_covered(check_obj), expected[2], 'Mismatch in is_covered, expected %s' % expected[2])
+        self.assertEqual(obj.is_covered(check_obj, True, True), expected[3], 'Mismatch in is_covered/exact, expected %s' % expected[3])
+
+class RlimitCoveredTest_01(RlimitCoveredTest):
+    rule = 'set rlimit cpu <= 150,'
+
+    tests = [
+        #   rule                            equal     strict equal    covered     covered exact
+        ('set rlimit as <= 100MB,'      , [ False   , False         , False     , False     ]),
+        ('set rlimit rttime <= 150,'    , [ False   , False         , False     , False     ]),
+        ('set rlimit cpu <= 100,'       , [ False   , False         , True      , True      ]),
+        ('set rlimit cpu <= 150,'       , [ True    , True          , True      , True      ]),
+        ('set rlimit cpu <= 300,'       , [ False   , False         , False     , False     ]),
+        ('set rlimit cpu <= 10seconds,' , [ False   , False         , True      , True      ]),
+        ('set rlimit cpu <= 150seconds,', [ True    , False         , True      , True      ]),
+        ('set rlimit cpu <= 300seconds,', [ False   , False         , False     , False     ]),
+        ('set rlimit cpu <= 1minutes,'  , [ False   , False         , True      , True      ]),
+        ('set rlimit cpu <= 1m,'        , [ False   , False         , True      , True      ]),
+        ('set rlimit cpu <= 3minutes,'  , [ False   , False         , False     , False     ]),
+        ('set rlimit cpu <= 1hour,'     , [ False   , False         , False     , False     ]),
+    ]
+
+class RlimitCoveredTest_02(RlimitCoveredTest):
+    rule = 'set rlimit data <= 4MB,'
+
+    tests = [
+        #   rule                            equal     strict equal    covered     covered exact
+        ('set rlimit data <= 100,'      , [ False   , False         , True      , True      ]),
+        ('set rlimit data <= 2KB,'      , [ False   , False         , True      , True      ]),
+        ('set rlimit data <= 2MB,'      , [ False   , False         , True      , True      ]),
+        ('set rlimit data <= 4194304,'  , [ True    , False         , True      , True      ]),
+        ('set rlimit data <= 4096KB,'   , [ True    , False         , True      , True      ]),
+        ('set rlimit data <= 4MB,'      , [ True    , True          , True      , True      ]),
+        ('set rlimit data <= 6MB,'      , [ False   , False         , False     , False     ]),
+        ('set rlimit data <= 1GB,'      , [ False   , False         , False     , False     ]),
+    ]
+
+class RlimitCoveredTest_03(RlimitCoveredTest):
+    rule = 'set rlimit nice <= -1,'
+
+    tests = [
+        #   rule                            equal     strict equal    covered     covered exact
+        ('set rlimit nice <= 5,'        , [ False   , False         , True      , True      ]),
+        ('set rlimit nice <= 0,'        , [ False   , False         , True      , True      ]),
+        ('set rlimit nice <= -1,'       , [ True    , True          , True      , True      ]),
+        ('set rlimit nice <= -3,'       , [ False   , False         , False     , False     ]),
+    ]
+
+class RlimitCoveredTest_04(RlimitCoveredTest):
+    rule = 'set rlimit locks <= 42,'
+
+    tests = [
+        #   rule                            equal     strict equal    covered     covered exact
+        ('set rlimit locks <= 20,'      , [ False   , False         , True      , True      ]),
+        ('set rlimit locks <= 40,'      , [ False   , False         , True      , True      ]),
+        ('set rlimit locks <= 42,'      , [ True    , True          , True      , True      ]),
+        ('set rlimit locks <= 60,'      , [ False   , False         , False     , False     ]),
+        ('set rlimit locks <= infinity,', [ False   , False         , False     , False     ]),
+    ]
+
+class RlimitCoveredTest_05(RlimitCoveredTest):
+    rule = 'set rlimit locks <= infinity,'
+
+    tests = [
+        #   rule                            equal     strict equal    covered     covered exact
+        ('set rlimit locks <= 20,'      , [ False   , False         , True      , True      ]),
+        ('set rlimit cpu <= 40,'        , [ False   , False         , False     , False     ]),
+        ('set rlimit locks <= infinity,', [ True    , True          , True      , True      ]),
+    ]
+
+class RlimitCoveredTest_Invalid(AATest):
+    def test_borked_obj_is_covered_1(self):
+        obj = RlimitRule.parse('set rlimit cpu <= 1024,')
+
+        testobj = RlimitRule('cpu', '1024')
+        testobj.rlimit = ''
+
+        with self.assertRaises(AppArmorBug):
+            obj.is_covered(testobj)
+
+    def test_borked_obj_is_covered_2(self):
+        obj = RlimitRule.parse('set rlimit cpu <= 1024,')
+
+        testobj = RlimitRule('cpu', '1024')
+        testobj.value = ''
+
+        with self.assertRaises(AppArmorBug):
+            obj.is_covered(testobj)
+
+    def test_invalid_is_covered(self):
+        obj = RlimitRule.parse('set rlimit cpu <= 1024,')
+
+        testobj = BaseRule()  # different type
+
+        with self.assertRaises(AppArmorBug):
+            obj.is_covered(testobj)
+
+    def test_invalid_is_equal(self):
+        obj = RlimitRule.parse('set rlimit cpu <= 1024,')
+
+        testobj = BaseRule()  # different type
+
+        with self.assertRaises(AppArmorBug):
+            obj.is_equal(testobj)
+
+class RlimitLogprofHeaderTest(AATest):
+    tests = [
+        ('set rlimit cpu <= infinity,',         [_('Rlimit'), 'cpu',     _('Value'), 'infinity', ]),
+        ('set rlimit as <= 200MB,',             [_('Rlimit'), 'as',      _('Value'), '200MB',    ]),
+        ('set rlimit rttime <= 200ms,',         [_('Rlimit'), 'rttime',  _('Value'), '200ms',    ]),
+        ('set rlimit nproc <= 1,',              [_('Rlimit'), 'nproc',   _('Value'), '1',        ]),
+    ]
+
+    def _run_test(self, params, expected):
+        obj = RlimitRule._parse(params)
+        self.assertEqual(obj.logprof_header(), expected)
+
+# --- tests for RlimitRuleset --- #
+
+class RlimitRulesTest(AATest):
+    def test_empty_ruleset(self):
+        ruleset = RlimitRuleset()
+        ruleset_2 = RlimitRuleset()
+        self.assertEqual([], ruleset.get_raw(2))
+        self.assertEqual([], ruleset.get_clean(2))
+        self.assertEqual([], ruleset_2.get_raw(2))
+        self.assertEqual([], ruleset_2.get_clean(2))
+
+    def test_ruleset_1(self):
+        ruleset = RlimitRuleset()
+        rules = [
+            '  set rlimit cpu  <= 100,',
+            '  set rlimit as   <= 50MB,',
+        ]
+
+        expected_raw = [
+            'set rlimit cpu  <= 100,',
+            'set rlimit as   <= 50MB,',
+            '',
+        ]
+
+        expected_clean = [
+            'set rlimit as <= 50MB,',
+            'set rlimit cpu <= 100,',
+            '',
+        ]
+
+        for rule in rules:
+            ruleset.add(RlimitRule.parse(rule))
+
+        self.assertEqual(expected_raw, ruleset.get_raw())
+        self.assertEqual(expected_clean, ruleset.get_clean())
+
+class RlimitGlobTestAATest(AATest):
+    def setUp(self):
+        self.ruleset = RlimitRuleset()
+
+    def test_glob_1(self):
+        with self.assertRaises(AppArmorBug):
+            self.ruleset.get_glob('set rlimit cpu <= 100,')
+
+    # not supported or used yet, glob behaviour not decided yet
+    # def test_glob_2(self):
+    #     self.assertEqual(self.ruleset.get_glob('rlimit /foo -> /bar,'), 'rlimit -> /bar,')
+
+    def test_glob_ext(self):
+        with self.assertRaises(AppArmorBug):
+            # get_glob_ext is not available for rlimit rules
+            self.ruleset.get_glob_ext('set rlimit cpu <= 100,')
+
+class RlimitDeleteTestAATest(AATest):
+    # no de-duplication tests for rlimit - de-duplication consists of is_covered() (which we already test) and
+    # code from BaseRuleset (which is already tested in the capability, network and change_profile tests).
+    # Therefore no need to test it once more ;-)
+    pass
+
+
+# --- other tests --- #
+class RlimitSplit_unitTest(AATest):
+    tests = [
+        ('40MB'  , ( 40, 'MB',)),
+        ('40'  ,   ( 40, '',  )),
+    ]
+
+    def _run_test(self, params, expected):
+        self.assertEqual(split_unit(params), expected)
+
+    def test_invalid_split_unit(self):
+        with self.assertRaises(AppArmorBug):
+            split_unit('MB')
+
+class RlimitSize_to_intTest(AATest):
+    def AASetup(self):
+        self.obj = RlimitRule('cpu', '1')
+
+    tests = [
+        ('40GB'  , 40 * 1024 * 1024 * 1024),
+        ('40MB'  , 41943040),
+        ('40KB'  , 40960),
+        ('40'    , 40),
+    ]
+
+    def _run_test(self, params, expected):
+        self.assertEqual(self.obj.size_to_int(params), expected)
+
+    def test_invalid_size_to_int_01(self):
+        with self.assertRaises(AppArmorException):
+            self.obj.size_to_int('20mice')
+
+class RlimitTime_to_intTest(AATest):
+    def AASetup(self):
+        self.obj = RlimitRule('cpu', '1')
+
+    tests = [
+        ('30us'     ,       0.00003),
+        ('40ms'     ,       0.04),
+        ('40'       ,      40),
+        ('40seconds',      40),
+        ('2minutes' ,    2*60),
+        ('2hours'   , 2*60*60),
+    ]
+
+    def _run_test(self, params, expected):
+        self.assertEqual(self.obj.time_to_int(params, 'seconds'), expected)
+
+    def test_with_ms_as_default(self):
+        self.assertEqual(self.obj.time_to_int('40', 'ms'), 0.04)
+
+    def test_with_us_as_default(self):
+        self.assertEqual(self.obj.time_to_int('30', 'us'), 0.00003)
+
+    def test_invalid_time_to_int(self):
+        with self.assertRaises(AppArmorException):
+            self.obj.time_to_int('20mice', 'seconds')
+
+
+
+setup_all_loops(__name__)
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/utils/test/test-severity.py b/utils/test/test-severity.py
index c9065fc9f..1686f31a2 100755
--- a/utils/test/test-severity.py
+++ b/utils/test/test-severity.py
@@ -2,6 +2,7 @@
 # ----------------------------------------------------------------------
 #    Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
 #    Copyright (C) 2014 Canonical, Ltd.
+#    Copyright (C) 2015 Christian Boltz <apparmor@cboltz.de>
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -13,86 +14,67 @@
 #    GNU General Public License for more details.
 #
 # ----------------------------------------------------------------------
-import os
-import shutil
-import tempfile
 import unittest
+from common_test import AATest, setup_all_loops
 
 import apparmor.severity as severity
 from apparmor.common import AppArmorException
-from common_test import write_file
 
-class SeverityBaseTest(unittest.TestCase):
+class SeverityBaseTest(AATest):
 
-    def setUp(self):
-        self.sev_db = severity.Severity('severity.db')
-
-    def tearDown(self):
-        pass
+    def AASetup(self):
+        self.sev_db = severity.Severity('severity.db', 'unknown')
 
     def _simple_severity_test(self, path, expected_rank):
         rank = self.sev_db.rank(path)
         self.assertEqual(rank, expected_rank,
-                         'expected rank %d, got %d' % (expected_rank, rank))
+                         'expected rank %s, got %s' % (expected_rank, rank))
 
     def _simple_severity_w_perm(self, path, perm, expected_rank):
         rank = self.sev_db.rank(path, perm)
         self.assertEqual(rank, expected_rank,
-                         'expected rank %d, got %d' % (expected_rank, rank))
+                         'expected rank %s, got %s' % (expected_rank, rank))
 
 class SeverityTest(SeverityBaseTest):
-    def test_perm_x(self):
-        self._simple_severity_w_perm('/usr/bin/whatis', 'x', 5)
+    tests = [
+        (['/usr/bin/whatis',    'x'     ],  5),
+        (['/etc',               'x'     ],  'unknown'),
+        (['/dev/doublehit',     'x'     ],  0),
+        (['/dev/doublehit',     'rx'    ],  4),
+        (['/dev/doublehit',     'rwx'   ],  8),
+        (['/dev/tty10',         'rwx'   ],  9),
+        (['/var/adm/foo/**',    'rx'    ],  3),
+        (['/etc/apparmor/**',   'r'     ],  6),
+        (['/etc/**',            'r'     ],  'unknown'),
+        (['/usr/foo@bar',       'r'     ],  'unknown'),  ## filename containing @
+        (['/home/foo@bar',      'rw'    ],  6),  ## filename containing @
+    ]
 
-    def test_perm_etc_x(self):
-        self._simple_severity_w_perm('/etc', 'x', 10)
-
-    def test_perm_dev_x(self):
-        self._simple_severity_w_perm('/dev/doublehit', 'x', 0)
-
-    def test_perm_dev_rx(self):
-        self._simple_severity_w_perm('/dev/doublehit', 'rx', 4)
-
-    def test_perm_dev_rwx(self):
-        self._simple_severity_w_perm('/dev/doublehit', 'rwx', 8)
-
-    def test_perm_tty_rwx(self):
-        self._simple_severity_w_perm('/dev/tty10', 'rwx', 9)
-
-    def test_perm_glob_1(self):
-        self._simple_severity_w_perm('/var/adm/foo/**', 'rx', 3)
-
-    def test_cap_kill(self):
-        self._simple_severity_test('CAP_KILL', 8)
-
-    def test_cap_setpcap(self):
-        self._simple_severity_test('CAP_SETPCAP', 9)
-
-    def test_cap_setpcap_lowercase(self):
-        self._simple_severity_test('CAP_setpcap', 9)
-
-    def test_cap_unknown_1(self):
-        self._simple_severity_test('CAP_UNKNOWN', 10)
-
-    def test_cap_unknown_2(self):
-        self._simple_severity_test('CAP_K*', 10)
-
-    def test_perm_apparmor_glob(self):
-        self._simple_severity_w_perm('/etc/apparmor/**', 'r' , 6)
-
-    def test_perm_etc_glob(self):
-        self._simple_severity_w_perm('/etc/**', 'r' , 10)
-
-    def test_perm_filename_w_at_r(self):
-        self._simple_severity_w_perm('/usr/foo@bar', 'r' , 10)  ## filename containing @
-
-    def test_perm_filename_w_at_rw(self):
-        self._simple_severity_w_perm('/home/foo@bar', 'rw', 6)  ## filename containing @
+    def _run_test(self, params, expected):
+        self._simple_severity_w_perm(params[0], params[1], expected)  ## filename containing @
 
     def test_invalid_rank(self):
         with self.assertRaises(AppArmorException):
             self._simple_severity_w_perm('unexpected_unput', 'rw', 6)
 
+class SeverityTestCap(SeverityBaseTest):
+    tests = [
+        ('KILL', 8),
+        ('SETPCAP', 9),
+        ('setpcap', 9),
+        ('UNKNOWN', 'unknown'),
+        ('K*', 'unknown'),
+        ('__ALL__', 10),
+    ]
+
+    def _run_test(self, params, expected):
+        cap_with_prefix = 'CAP_%s' % params
+        self._simple_severity_test(cap_with_prefix, expected)
+
+        rank = self.sev_db.rank_capability(params)
+        self.assertEqual(rank, expected, 'expected rank %s, got %s' % (expected, rank))
+
+
 class SeverityVarsTest(SeverityBaseTest):
 
     VARIABLE_DEFINITIONS = '''
@@ -106,42 +88,31 @@ class SeverityVarsTest(SeverityBaseTest):
 @{pid}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
 @{tid}=@{pid}
 @{pids}=@{pid}
+@{somepaths}=/home/foo/downloads @{HOMEDIRS}/foo/.ssh/
 '''
 
-    def setUp(self):
-        super(SeverityVarsTest, self).setUp()
-        self.tmpdir = tempfile.mkdtemp(prefix='aa-severity-')
-
     def _init_tunables(self, content=''):
         if not content:
             content = self.VARIABLE_DEFINITIONS
 
-        self.rules_file = write_file(self.tmpdir, 'tunables', content)
+        self.rules_file = self.writeTmpfile('tunables', content)
 
         self.sev_db.load_variables(self.rules_file)
 
-    def tearDown(self):
+    def AATeardown(self):
         self.sev_db.unload_variables()
-        if os.path.exists(self.tmpdir):
-            shutil.rmtree(self.tmpdir)
 
-        super(SeverityVarsTest, self).tearDown()
+    tests = [
+        (['@{PROC}/sys/vm/overcommit_memory',           'r'],    6),
+        (['@{HOME}/sys/@{PROC}/overcommit_memory',      'r'],    4),
+        (['/overco@{multiarch}mmit_memory',             'r'],    'unknown'),
+        (['@{PROC}/sys/@{TFTP_DIR}/overcommit_memory',  'r'],    6),
+        (['@{somepaths}/somefile',                      'r'],    7),
+    ]
 
-    def test_proc_var(self):
+    def _run_test(self, params, expected):
         self._init_tunables()
-        self._simple_severity_w_perm('@{PROC}/sys/vm/overcommit_memory', 'r', 6)
-
-    def test_home_var(self):
-        self._init_tunables()
-        self._simple_severity_w_perm('@{HOME}/sys/@{PROC}/overcommit_memory', 'r', 10)
-
-    def test_multiarch_var(self):
-        self._init_tunables()
-        self._simple_severity_w_perm('/overco@{multiarch}mmit_memory', 'r', 10)
-
-    def test_proc_tftp_vars(self):
-        self._init_tunables()
-        self._simple_severity_w_perm('@{PROC}/sys/@{TFTP_DIR}/overcommit_memory', 'r', 6)
+        self._simple_severity_w_perm(params[0], params[1], expected)
 
     def test_include(self):
         self._init_tunables('#include <file/not/found>')  # including non-existing files doesn't raise an exception
@@ -156,20 +127,30 @@ class SeverityVarsTest(SeverityBaseTest):
         with self.assertRaises(AppArmorException):
             self._init_tunables('@{foo} = /home/\n@{foo} = /root/')
 
-class SeverityDBTest(unittest.TestCase):
-
-    def setUp(self):
-        self.tmpdir = tempfile.mkdtemp(prefix='aa-severity-db-')
-
-    def tearDown(self):
-        if os.path.exists(self.tmpdir):
-            shutil.rmtree(self.tmpdir)
-
+class SeverityDBTest(AATest):
     def _test_db(self, contents):
-        self.db_file = write_file(self.tmpdir, 'severity.db', contents)
+        self.db_file = self.writeTmpfile('severity.db', contents)
         self.sev_db = severity.Severity(self.db_file)
         return self.sev_db
 
+    tests = [
+        ("CAP_LEASE 18\n"               , AppArmorException),  # out of range
+        ("CAP_LEASE -1\n"               , AppArmorException),  # out of range
+        ("/etc/passwd* 0 4\n"           , AppArmorException),  # insufficient vals
+        ("/etc/passwd* 0 4 5 6\n"       , AppArmorException),  # too many vals
+        ("/etc/passwd* -2 4 6\n"        , AppArmorException),  # out of range
+        ("/etc/passwd* 12 4 6\n"        , AppArmorException),  # out of range
+        ("/etc/passwd* 2 -4 6\n"        , AppArmorException),  # out of range
+        ("/etc/passwd 2 14 6\n"         , AppArmorException),  # out of range
+        ("/etc/passwd 2 4 -12\n"        , AppArmorException),  # out of range
+        ("/etc/passwd 2 4 4294967297\n" , AppArmorException),  # out of range
+        ("garbage line\n"               , AppArmorException),
+    ]
+
+    def _run_test(self, params, expected):
+        with self.assertRaises(expected):
+            self._test_db(params)
+
     def test_simple_db(self):
         self._test_db('''
     CAP_LEASE 8
@@ -182,50 +163,6 @@ class SeverityDBTest(unittest.TestCase):
     def test_cap_val_min_range(self):
         self._test_db("CAP_LEASE 0\n")
 
-    def test_cap_val_out_of_range_1(self):
-        with self.assertRaises(AppArmorException):
-            self._test_db("CAP_LEASE 18\n")
-
-    def test_cap_val_out_of_range_2(self):
-        with self.assertRaises(AppArmorException):
-            self._test_db("CAP_LEASE -1\n")
-
-    def test_path_insufficient_vals(self):
-        with self.assertRaises(AppArmorException):
-            self._test_db("/etc/passwd* 0 4\n")
-
-    def test_path_too_many_vals(self):
-        with self.assertRaises(AppArmorException):
-            self._test_db("/etc/passwd* 0 4 5 6\n")
-
-    def test_path_outside_range_1(self):
-        with self.assertRaises(AppArmorException):
-            self._test_db("/etc/passwd* -2 4 6\n")
-
-    def test_path_outside_range_2(self):
-        with self.assertRaises(AppArmorException):
-            self._test_db("/etc/passwd* 12 4 6\n")
-
-    def test_path_outside_range_3(self):
-        with self.assertRaises(AppArmorException):
-            self._test_db("/etc/passwd* 2 -4 6\n")
-
-    def test_path_outside_range_4(self):
-        with self.assertRaises(AppArmorException):
-            self._test_db("/etc/passwd 2 14 6\n")
-
-    def test_path_outside_range_5(self):
-        with self.assertRaises(AppArmorException):
-            self._test_db("/etc/passwd 2 4 -12\n")
-
-    def test_path_outside_range_6(self):
-        with self.assertRaises(AppArmorException):
-            self._test_db("/etc/passwd 2 4 4294967297\n")
-
-    def test_garbage_line(self):
-        with self.assertRaises(AppArmorException):
-            self._test_db("garbage line\n")
-
     def test_invalid_db(self):
         self.assertRaises(AppArmorException, severity.Severity, 'severity_broken.db')
 
@@ -236,5 +173,6 @@ class SeverityDBTest(unittest.TestCase):
         with self.assertRaises(AppArmorException):
             severity.Severity()
 
-if __name__ == "__main__":
+setup_all_loops(__name__)
+if __name__ == '__main__':
     unittest.main(verbosity=2)