Grsecurity/Appendix/Role Modes

Grsecurity and PaX Configuration Options Role Modes Role Attributes

Mode Meaning
u This role is a user role. That is, the role name must be an existing user on the system.
g This role is a group role. That is, the role name must be an existing group on the system.
s This role is a special role, meaning it does not belong to a user or group and does not require an enforced secure policy base to be included in the ruleset.
l Lowercase L. This role has learning enabled.
A This role is an administrative role, thus it has special privileges that normal roles do not have. In particular, this role bypasses the additional ptrace and library loading restrictions.
G This role can use gradm to authenticate to the kernel. A policy for gradm will automatically be added to the role.
N This role does not require authentication. To access this role, use 'gradm -n <rolename>'.
P This role uses Pluggable Authentication Modules (PAM) for authentication.
T This role has Trusted Path Execution (TPE) enabled.
R The role is persistent. When the shell/session in which authorization was done is terminated, spawned processes won't be dropped to non-special role. Do NOT use this flag with any role that does anything but shut the system down.