# SELinux loadable policy module "my_module", version 1.0.
module my_module 1.0;

# Symbols this module does not declare itself and expects the policy it is
# linked against to provide. The class entry also names the permissions
# (read, write) that the rules below use.
require {
    attribute domain;
    bool secure_mode;
    class file { read write };
    role system_r;
    type file_t;
    type sysadm_t;
    type system_t;
}

# Declare a new type and attach the pre-existing "domain" attribute to it.
# No allow rule in this module names new_t directly. Any rule elsewhere that
# is written against the "domain" attribute will also cover new_t, so the
# attribute carries whatever access those rules grant.
type new_t, domain;

# Authorise role system_r to be used with new_t.
role system_r types new_t;

# Unconditional rule: system_t may read and write objects of class "file"
# labelled file_t.
# NOTE(review): presumably file_t is a broad or default file label in the
# target policy; confirm which files carry it before granting write, and
# drop any permission the domain does not actually need.
allow system_t file_t:file { read write };

# Conditional rule: active only while the boolean secure_mode is true.
# NOTE(review): turning on a boolean named "secure_mode" widens sysadm_t
# access (adds read/write on file_t) rather than narrowing it. Confirm the
# polarity is intended, since the boolean can be toggled at runtime.
if (secure_mode) {
    allow sysadm_t file_t:file { read write };
}