Clarify extended permission evaluation

Adding documentation to clarify the automatic-deny
evaluation when extended permissions are defined,
as well as the overall evaluation logic.

Signed-off-by: Liz Prucka <[email protected]>

Author: eprucka3

src/xperm_rules.md

@@ -1,5 +1,6 @@
 # Extended Access Vector Rules
 
+- [Extended Permission Evaluation](#extended-permission-evaluation)
 - [*ioctl* Operation Rules](#ioctl-operation-rules)
 - [*nlmsg* Operation Rules](#nlmsg-operation-rules)
 
@@ -74,6 +75,26 @@ Conditional Policy Statements
 | ----------------------- | ----------------------- | ----------------------- |
 | No                      | No                      | No                      |
 
+### Extended Permission Evaluation
+
+Extended permission rules are evaluated as follows:
+
+* If no extended permissions are defined, only the resource-level policy is
+  considered.
+
+* If an extended permission rule is defined, the policy is first evaluated
+  according to the high-level resource policy. For example:
+
+  * If an *allowxperm* rule is defined, extended permissions will only be
+    granted if *allow* is granted to the resource. 
+
+  * If an *auditallowxperm* rule is defined, extended audit permissions will only 
+    be granted if *auditallow* is granted to the resource. 
+
+* If any extended permission rule is defined, the resource and operation are fully
+  evaluated according to extended access rules. All undefined permissions within 
+  the available *xperm_set* will be automatically denied.
+
 ### *ioctl* Operation Rules
 
 Use cases and implementation details for ioctl command allowlists are described