Hi, My policy makes heavy use of neverallow statements and permissionsets. I wanted to optimize it by using classmappings. I've found that calling classmapping with an anonymous permissionset that results in an empty set breaks neverallow statements using those classmaps. I think that this should be allowed. classmapping only ever adds permissions to a classmap, so if it is called with an empty permission set it should result in a no-op. A minimal reproducer follows: ; test.cil (user u) (userrole u r) (role r) (roletype r t) (type t) (sensitivity s0) (sensitivityorder (s0)) (userlevel u (s0)) (userrange u ((s0) (s0))) (sid kernel) (sidorder (kernel)) (context kernel_c (u r t ((s0) (s0)))) (sidcontext kernel kernel_c) ;; Begin interesting stuff (class file (open read)) (class dir (getattr search)) (classorder (unordered file dir)) (type a) (type b) (classmap testmap (internal)) (classmapping testmap internal (file (not (open read)))) ; results in empty set (classmapping testmap internal (dir (getattr))) (allow a b (testmap (internal))) (neverallow a b (testmap (internal))) ; Results in 'allow a b:dir getattr;' but should have failed during Neverallow checks -- bauen1 https://dn42.bauen1.xyz/