;; NOTE(review): comments use ";" on the assumption that this policy reader
;; accepts conventional S-expression line comments -- confirm before merging.

;; Policy "read-write"
;; Condition: the action's "operation" attribute equals "file-access".
;; Effect:    (drop (cap)), then grant the READ and WRITE capabilities.
;; NOTE(review): (drop (cap)) with an empty cap presumably clears all
;; previously held capabilities before the grant -- confirm against the
;; engine's definition of drop.
;; NOTE(review): there is no constraint on the resource, so this rule also
;; matches file-access actions on resources whose "type" is "log".
(policy read-write
  ((if (must ((equal (attr action "operation") "file-access")))
       (then ((drop (cap))
              (grant ((cap READ)
                      (cap WRITE))))))))

;; Policy "read-only-logs"
;; Conditions: the action's "operation" attribute equals "file-access" and
;;             the resource's "type" attribute equals "log".
;; Effect:     (drop (cap)), then grant READ only.
;; NOTE(review): every request that satisfies this rule also satisfies
;; "read-write" above. Whether log resources really end up without WRITE
;; depends on how the engine combines multiple matching policies (ordering,
;; first/last match, or union of grants) -- verify that behaviour, and
;; consider excluding type "log" from "read-write" so the read-only intent
;; does not rely on evaluation order.
(policy read-only-logs
  ((if (must ((equal (attr action "operation") "file-access")
              (equal (attr resource "type") "log")))
       (then ((drop (cap))
              (grant ((cap READ))))))))