I was thinking about possibility of specifying something like 'global ACL'.
Lets say, we have a configuration file 'globals' or whatever, which will contain ACL for an object.....say /proc/modules h
Then it would be valid for any role and any subject across whole ACL structure, unless the subject explicitly specifies other access to this object(so /proc r in the example would still hide modules, /proc/modules r directly would override global flag and allow reading for given object).
Good idea, or not?