# Drop (user, group) to (nobody, nobody) | |
allow servicemanager self:capability { setuid setgid dac_override setpcap net_raw }; | |
allow servicemanager init:dir search; | |
allow servicemanager init:file { read open }; | |
allow servicemanager init:process getattr; | |
#HACK allow servicemanager init_shell:dir search; | |
#HACK allow servicemanager init_shell:file { read open }; | |
#HACK allow servicemanager init_shell:process getattr; |