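# handle_unknown deny
#
# Minimal non-MLS policy source: one object class, one permission, one type,
# one role, one user and the single initial SID `kernel`.
#
# NOTE(review): the first line is a comment, not a policy statement. It is
# presumably read by whatever builds this file to choose the unknown-handling
# mode (deny / reject / allow) -- confirm against the build or test harness.
# Under `deny`, object classes and permissions the kernel defines but this
# policy does not are refused rather than allowed. That is the restrictive
# setting and matters here because only CLASS1/PERM1 is defined.
#
# Each statement is kept on its own line: with the file collapsed onto one
# line, the leading `#` turns every statement into comment text and nothing
# is compiled.

# Object class declaration.
class CLASS1

# Initial SID declaration; its context is assigned at the end of the file.
sid kernel

# Access vector: CLASS1 carries exactly one permission.
class CLASS1 { PERM1 }

# The only type (domain) in the policy.
type TYPE1;

# The only allow rule: TYPE1 gets PERM1 on CLASS1 objects labelled with its
# own type (`self`). There are no other allow rules, so nothing else is granted.
allow TYPE1 self:CLASS1 { PERM1 };

# Role declaration, then the set of types the role may be associated with.
role ROLE1;
role ROLE1 types { TYPE1 };

# SELinux user authorised for ROLE1 only.
user USER1 roles ROLE1;

# Context for the `kernel` initial SID. Three fields (user:role:type) with no
# level or range, which matches a policy built without MLS.
sid kernel USER1:ROLE1:TYPE1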