Clarify extended permission evaluation

Adding documentation to clarify the automatic-deny
evaluation when extended permissions are defined,
as well as the overall evaluation logic.

Signed-off-by: Liz Prucka <[email protected]>

Author: eprucka3

src/xperm_rules.md

@@ -1,5 +1,6 @@
 # Extended Access Vector Rules
 
+- [Extended Permission Evaluation](#extended-permission-evaluation)
 - [*ioctl* Operation Rules](#ioctl-operation-rules)
 - [*nlmsg* Operation Rules](#nlmsg-operation-rules)
 
@@ -74,6 +75,29 @@ Conditional Policy Statements
 | ----------------------- | ----------------------- | ----------------------- |
 | No                      | No                      | No                      |
 
+### Extended Permission Evaluation
+
+Extended permission rules are evaluated as follows:
+
+* If no extended permissions are defined, the standard SELinux checks around AVC
+  rules and constraints will be performed.
+
+* If an extended permission rule is defined, the policy is evaluated so that
+  both the standard AVC checks and the extended permissions must pass. For example:
+
+  * If an *allowxperm* rule is defined, extended permissions will only be
+    granted if *allow* is granted to the resource. 
+
+  * If an *auditallowxperm* rule is defined, extended auditing will only 
+    be performed if *auditallow* is allowed for the resource. 
+
+* If any extended permission rule is defined, the resource and operation are fully
+  evaluated according to extended access rules. All unspecified permissions within 
+  the available *xperm_set* will be automatically denied.
+
+All extended permissions are deny-by-default. If extended permission rules are used,
+any allow permissions must be granted explicitely.
+
 ### *ioctl* Operation Rules
 
 Use cases and implementation details for ioctl command allowlists are described