policy read-write
  ## drop all capabilities
  drop (cap)
  ## allow read and write capabilities when all
  ## other statements match
  allow (cap READ) and (cap WRITE)
  action is file-access

policy read-only-logs
  drop (cap)
  allow (cap READ)
  action is file-access of type log