# only root
all                                root

# this should fire for beta only
!cap_chown                         beta

# the next one should snag gamma since beta done
cap_setuid,cap_chown               @three

# neither of these should fire
cap_chown                          beta gamma

# just alpha
!cap_chown,cap_setuid              @one

# not this one
^cap_setuid                        alpha

# this should fire
^cap_chown,^cap_setgid,!cap_setuid delta

# not this one
cap_setuid                         @four