# servicemanager drops its (user, group) to (nobody, nobody); setuid/setgid
# are what the drop itself needs.  The remaining capabilities were granted in
# the same original rule and are preserved here unchanged.
# NOTE(review): dac_override, setpcap and net_raw are not required for the
# uid/gid drop alone — confirm which servicemanager operation needs each
# before keeping them, since dac_override in particular bypasses DAC checks.
allow servicemanager self:capability { setuid setgid };
allow servicemanager self:capability { dac_override setpcap net_raw };

# Read-only visibility into the init domain: fetch process attributes, search
# its directories and open/read its files (presumably init's /proc/<pid>
# entries — verify against the caller that relies on this).
allow servicemanager init:process getattr;
allow servicemanager init:dir search;
allow servicemanager init:file { read open };

# The following rules are commented out (marked HACK by the original author).
# They are kept as a record only; nothing below grants access to init_shell.
#HACK allow servicemanager init_shell:dir search;
#HACK allow servicemanager init_shell:file { read open };
#HACK allow servicemanager init_shell:process getattr;