Generating ACLs from the learning mode is a very useful - and obvious - way of starting, but it sometimes allows too much to be seen.
Would it be possible to have a "strict" mode for gradm (grsec2) which generates nested subjects? In this way, /etc/passwd, for example, would only be read by the programs which access it, and it could not be read by a simple bash command issued by a user.
There are many other examples of generated ACLs that are rather too lax: a simple learning operation which just ssh's in and logs out will generate an rw for /dev/log, which means that the system refuses to start.
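To make the request above concrete, here is an added illustration (not part of the original post, and not a policy shipped by grsecurity or produced by gradm's learning mode) of what a hand-written "strict" policy fragment using nested subjects might look like. It uses the documented gradm syntax for a nested subject (`subject /parent:/child`), which applies when the child binary is executed from the parent subject. The role name, the set of binaries, the library paths and the capability lines are assumptions chosen for the example; a real policy needs the objects every listed program actually touches, and the inheritance behaviour of nested subjects should be checked against the gradm documentation for the version in use before relying on it.

```conf
# Added example, not from the original post or from grsecurity's own policy.
# Goal: /etc/passwd is hidden from an interactive bash, but readable by
# /usr/bin/passwd when it is started from that bash (nested subject).

role user u
# Default subject for the role: hide everything, then expose what is needed.
subject / o
	/                      h
	/bin/bash              x
	/usr/bin/passwd        x
	/lib                   rx   # assumed library path
	/usr/lib               rx   # assumed library path
	/dev/null              rw
	/dev/tty               rw
	-CAP_ALL

# The user's shell: note /etc/passwd is hidden, so a plain
# "cat /etc/passwd" from this shell fails even though the file is world-readable.
subject /bin/bash o
	/                      h
	/etc/passwd            h
	/bin                   x
	/usr/bin               x
	/lib                   rx   # assumed library path
	/usr/lib               rx   # assumed library path
	/dev/null              rw
	/dev/tty               rw
	/home                  rwcd # assumed home location
	-CAP_ALL

# Nested subject: /usr/bin/passwd only when executed from /bin/bash.
# Objects are listed explicitly rather than relying on inheritance from the
# parent subject, so the fragment does not depend on inheritance semantics.
subject /bin/bash:/usr/bin/passwd o
	/                      h
	/etc/passwd            r
	/etc/shadow            rw
	/lib                   rx   # assumed library path
	/usr/lib               rx   # assumed library path
	/dev/null              rw
	/dev/tty               rw
	-CAP_ALL
	+CAP_CHOWN             # assumed; check what passwd really needs
```

Compare this with what a learning run typically emits: one subject per binary with the union of everything it touched, which is exactly where the over-broad entries like a read/write object for /dev/log come from. The nested form narrows the grant to a single execution path instead of to the binary wherever it is run.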