policy write-only
  drop (cap)
  allow (cap WRITE)
  action is file-access
  subject must have attribute "logger"
  subject must not have attribute "public"

test write-only
  as correct
    with action as file-access
    with empty subject
      apply attribute as tag "logger"
    so only (cap WRITE)
    if failure then break circuit
  as incorrect
    with action as file-access
    with empty subject
      apply attribute as tag "logger"
      apply attribute as tag "public"
    so not (cap)
    if failure then break circuit