resource bar {}

domain foo {
	allow(this);
	allow(this, bar, [file dir], [read write]);
	allow(this, bar, file, bad_perm);
}