Just out of curiousity, is there any provision for some rudimentary kind of templating in creating RBAC roles? Ferinstance, I think it would be super-helpful if we could just define a variable of "valid usernames", and then create one role-template for them that is smart enough to understand stuff like "home directories" being /some/path/$valid_username/blargh, instead of having to be /some/path/hardcoded.username/blargh, repeated umpty-billion times (I won't even frighten you with the vast, ugly mess that is our current production policy file. Let's just say it's 1,952,621 lines, takes 20 minutes to reload, and leave it at that)
Is something like that already available in grsec, and I just haven't found it yet?
--Lee