Grsecurity/Appendix/Role Modes
< Grsecurity | Appendix
| Mode | Meaning |
|---|---|
| u | This role is a user role. That is, the role name must be an existing user on the system. |
| g | This role is a group role. That is, the role name must be an existing group on the system. |
| s | This role is a special role, meaning it does not belong to a user or group and does not require an enforced secure policy base to be included in the ruleset. |
| l | Lowercase L. This role has learning enabled. |
| A | This role is an administrative role, thus it has special privileges that normal roles do not have. In particular, this role bypasses the additional ptrace and library loading restrictions. |
| G | This role can use gradm to authenticate to the kernel. A policy for gradm will automatically be added to the role. |
| N | This role does not require authentication. To access this role, use 'gradm -n <rolename>'. |
| P | This role uses Pluggable Authentication Modules (PAM) for authentication. |
| T | This role has Trusted Path Execution (TPE) enabled. |
| R | The role is persistent. When the shell/session in which authorization was done is terminated, spawned processes won't be dropped to non-special role. Do NOT use this flag with any role that does anything but shut the system down. |