module my_module 1.0;

require { 
	bool secure_mode;
	type system_t, sysadm_t, file_t;
	attribute domain;
	role system_r;
	class file {read write};
	
}

type new_t, domain;
role system_r types new_t;

allow system_t file_t : file { read write };

if (secure_mode)
{
	allow sysadm_t file_t : file { read write };
}