Comment 2 for bug 670639

Steve Beattie (sbeattie) wrote :

Hi,

The issue with the failing profile is that there are legitimate conflicting X transitions:

  # encrypted ~/.Private and old-style encrypted $HOME
  owner @{HOME}/.Private/** mrixwlk,
  # new-style encrypted $HOME
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,

and

  owner @{HOMEDIRS}/bin/** Pixmr,

where HOMEDIRS = /home/ and HOME = /home/*, which results in:

  /home/*/.Private/** mrixwlk,
  /home/bin/** Pixmr,

Even adjusting the latter rule to be @{HOME} rather than @{HOMEDIRS} still results in a conflict with the "new-style encrypted $HOME" rule:

  /home/.ecryptfs/*/.Private/** mrixwlk,
  /home/*/bin/** Pixmr,

However, the parser has been updated to have a slightly better error message when conflicts like this occur; currently it reports the following when given profiles such as these:

  $ apparmor_parser -Q bug_fails.p
  profile has merged rule with conflicting x modifiers
  ERROR processing regexs for profile confined_user, failed to load

though ideally it would give a better indication as to which rules are conflicting.

I'm going to mark this bug as incomplete as the error message has been improved, but ideally would be improved more; however, I'm not sure at the point where the DFA computation detects that there are overlapping 'x' rules it has enough information to backtrack to identify which rules are problematic.