allow cnd system_data_file:file { getattr ioctl read };