PolicyDifferenceTest: fix invalid policies.

Found the policy compile-load has a bug and does not detect if a user's
default level is not within the allowed range.

Opened #72 to track.

tests/diff.py

@@ -887,9 +887,9 @@ def test_modified_user_change_level(self):
 
     def test_modified_user_change_range(self):
         """Diff: modified user due to modified range."""
-        self.assertEqual("s3:c1.c3",
+        self.assertEqual("s3:c1 - s3:c1.c3",
                          self.diff.modified_users["modified_change_range"].removed_range)
-        self.assertEqual("s3:c1.c4",
+        self.assertEqual("s3:c1 - s3:c1.c4",
                          self.diff.modified_users["modified_change_range"].added_range)
 
     #

tests/diff_left.conf

@@ -606,8 +606,8 @@ user removed_user roles system level s0 range s0;
 
 user modified_add_role roles system level s2 range s2;
 user modified_remove_role roles { system removed_role } level s2 range s2;
-user modified_change_level roles system level s2:c0 range s2:c0,c1;
-user modified_change_range roles system level s3:c1 range s3:c1.c3;
+user modified_change_level roles system level s2:c0 range s2:c0 - s2:c0,c1;
+user modified_change_range roles system level s3:c1 range s3:c1 - s3:c1.c3;
 
 #normal constraints
 constrain infoflow hi_w (u1 == u2);

tests/diff_right.conf

@@ -606,8 +606,8 @@ user added_user roles system level s1 range s1;
 
 user modified_add_role roles { system added_role } level s2 range s2;
 user modified_remove_role roles system level s2 range s2;
-user modified_change_level roles system level s2:c1 range s2:c0,c1;
-user modified_change_range roles system level s3:c1 range s3:c1.c4;
+user modified_change_level roles system level s2:c1 range s2:c1 - s2:c0,c1;
+user modified_change_range roles system level s3:c1 range s3:c1 - s3:c1.c4;
 
 #normal constraints
 constrain infoflow hi_w (u1 == u2);