allow zygote self:capability sys_nice;
allow zygote proc_cmdline:file { getattr open read };