Stephen Smalley committed d0d4709

zygote needs setpcap in order to drop capabilities from the bounding set.


Files changed (1)

 typeattribute zygote mlstrustedsubject;
 # Override DAC on files and switch uid/gid.
 allow zygote self:capability { dac_override setgid setuid };
+# Drop capabilities from bounding set.
+allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.
 allow zygote system:process dyntransition;
 allow zygote appdomain:process dyntransition;
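Review bot: the new `allow zygote self:capability setpcap;` line duplicates the class and target of the rule two lines above it; for consistency with the existing `allow zygote self:capability { dac_override setgid setuid };` style, consider folding `setpcap` into that set rather than adding a second `self:capability` rule, keeping the new "Drop capabilities from bounding set." comment alongside. Also worth noting in the commit message or comment that `setpcap` is the capability checked when a process drops entries from its bounding set, so this grant is in service of narrowing zygote's privileges (as the description says) rather than widening them; the `dyntransition` rules below are unchanged by this hunk.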