      1 # Drop (user, group) to (nobody, nobody)
        # The rule below grants the servicemanager domain five capabilities on
        # itself. setuid and setgid match the uid/gid drop described above.
        # NOTE(review): dac_override (bypass file permission checks), setpcap
        # (change capability sets) and net_raw (raw/packet sockets) are not
        # explained by that comment. Confirm each is still required; any that
        # is not should be removed so the domain keeps least privilege.
      2 allow servicemanager self:capability { setuid setgid dac_override setpcap net_raw };
      3 
        # Let servicemanager search directories, read/open files and getattr
        # processes that carry the init label.
        # NOTE(review): presumably these are the /proc/<pid> entries of
        # processes running in the init domain - confirm against the daemon.
      4 allow servicemanager init:dir search;
      5 allow servicemanager init:file { read open };
      6 allow servicemanager init:process getattr;
        # Disabled: the same three permissions for the init_shell type. The
        # lines are commented out, so they grant nothing as written.
        # NOTE(review): the HACK tag records no rationale. Before re-enabling,
        # document why servicemanager needs to inspect init_shell; otherwise
        # delete the lines so they are not restored without review.
      7 #HACK allow servicemanager init_shell:dir search;
      8 #HACK allow servicemanager init_shell:file { read open };
      9 #HACK allow servicemanager init_shell:process getattr;
     10