1# handle_unknown deny 2class CLASS1 3sid kernel 4class CLASS1 { PERM1 } 5type TYPE1; 6allow TYPE1 self:CLASS1 { PERM1 }; 7role ROLE1; 8role ROLE1 types { TYPE1 }; 9user USER1 roles ROLE1; 10sid kernel USER1:ROLE1:TYPE1 11