allow per_mgr self:capability net_raw;
allow per_mgr unlabeled:file { getattr open read };
allow per_mgr servicemanager:binder { call transfer };