Torsten Wortwein wrote:
> Is it possible to bind '\$' for a query occurring during run-time and
> then use it in the rules? With the following, I want to allow only root
> and the current process to read its /proc/\$/mem. Is something
> like this possible with caitsith?

Such binding is not possible, but "/proc/self" is represented as
"proc:/self" rather than "proc:/\$". Thus,

>
>     10 acl read /proc/\$/mem
>         1 allow task.euid=0
>         10 allow task.pid=\$
>         100 deny

I think you want something like below.

    10 acl read path.fsmagic=0x9FA0 path="proc:/\*/mem"
        audit 0
        10 allow path="proc:/self/mem"
        20 allow task.uid=0 task.gid=0 task.euid=0 task.egid=0
        30 deny

This example checks filesystem magic before checking pathnames so that
the kernel does not need to evaluate "proc:/\*/mem" for pathnames not in
the proc filesystem.
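To make the ordering in the reply concrete, here is an added example (not CaitSith's own code, and not from either poster) that emulates how that policy resolves a handful of constructed requests. It assumes TOMOYO-style pathname wildcards (`\*` matches zero or more non-'/' characters, `\$` one or more digits), that allow/deny entries inside an acl block are tried in priority order with the first full match deciding, and that a request matching nothing is allowed; none of those rules are stated on the page, so check them against the CaitSith documentation before relying on them.

```python
r"""Toy evaluator for the CaitSith policy quoted in the reply above.

Added example, not CaitSith's own code.  Assumptions not stated on the page:
  * wildcards follow TOMOYO syntax: `\*` = zero or more non-'/' chars,
    `\$` = one or more decimal digits;
  * allow/deny entries in an acl block are tried by priority, first match wins;
  * a request that matches no entry (or no acl block) is allowed.
"""
import re
from dataclasses import dataclass

PROC_SUPER_MAGIC = 0x9FA0  # procfs f_type, the value used by the reply's fsmagic check
EXT4_SUPER_MAGIC = 0xEF53  # only used for a non-proc request in demo()

# The policy from the reply, verbatim (raw string so the backslashes survive).
POLICY = r"""
10 acl read path.fsmagic=0x9FA0 path="proc:/\*/mem"
    audit 0
    10 allow path="proc:/self/mem"
    20 allow task.uid=0 task.gid=0 task.euid=0 task.egid=0
    30 deny
"""


@dataclass
class Request:
    op: str
    path: str      # pathname as CaitSith would represent it, e.g. "proc:/self/mem"
    fsmagic: int
    uid: int
    gid: int
    euid: int
    egid: int


def pattern_to_regex(pat):
    """Translate a CaitSith pathname pattern into an anchored regex."""
    out, i = [], 0
    while i < len(pat):
        if pat.startswith(r"\*", i):
            out.append("[^/]*"); i += 2
        elif pat.startswith(r"\$", i):
            out.append("[0-9]+"); i += 2
        else:
            out.append(re.escape(pat[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def cond_matches(tokens, req):
    """key=value conditions on one line are ANDed and checked left to right, so a
    cheap path.fsmagic mismatch returns before the wildcard path is ever tried."""
    for tok in tokens:
        key, _, val = tok.partition("=")
        val = val.strip('"')
        if key == "path":
            if not pattern_to_regex(val).match(req.path):
                return False
        elif key == "path.fsmagic":
            if req.fsmagic != int(val, 0):
                return False
        elif key in ("task.uid", "task.gid", "task.euid", "task.egid"):
            if getattr(req, key[len("task."):]) != int(val):
                return False
        else:
            raise ValueError("unsupported condition: " + tok)
    return True


def parse_policy(text):
    """Return [(prio, op, acl_conds, [(prio, verdict, conds), ...])], sorted by
    priority.  'audit N' lines only control logging and are skipped."""
    acls = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[1] == "acl":
            acls.append((int(parts[0]), parts[2], parts[3:], []))
        elif parts[1] in ("allow", "deny"):
            acls[-1][3].append((int(parts[0]), parts[1], parts[2:]))
    acls.sort(key=lambda a: a[0])
    for acl in acls:
        acl[3].sort(key=lambda e: e[0])
    return acls


def evaluate(acls, req):
    for _prio, op, conds, entries in acls:
        if op != req.op or not cond_matches(conds, req):
            continue  # acl block does not apply (e.g. fsmagic mismatch)
        for _eprio, verdict, econds in entries:
            if cond_matches(econds, req):
                return verdict
    return "allow"  # assumption: nothing matched, so the request is unrestricted


def demo():
    """Constructed requests; returns {description: verdict}."""
    acls = parse_policy(POLICY)
    user = dict(uid=1000, gid=1000, euid=1000, egid=1000)
    root = dict(uid=0, gid=0, euid=0, egid=0)
    setuid = dict(uid=1000, gid=1000, euid=0, egid=0)  # setuid-root binary
    P = PROC_SUPER_MAGIC
    cases = {
        # /proc/self/mem is seen as "proc:/self/mem", so entry 10 allows it.
        "user reads proc:/self/mem": Request("read", "proc:/self/mem", P, **user),
        # /proc/<own pid>/mem arrives in numeric form and only root may read it;
        # this is why the pid cannot be bound and "self" is matched instead.
        "user reads proc:/4242/mem": Request("read", "proc:/4242/mem", P, **user),
        "root reads proc:/4242/mem": Request("read", "proc:/4242/mem", P, **root),
        # Entry 20 needs all four ids to be 0, so euid=0 alone is not enough.
        "setuid-root reads proc:/4242/mem": Request("read", "proc:/4242/mem", P, **setuid),
        # Not procfs: the fsmagic condition fails and the whole acl block is skipped.
        "user reads /var/tmp/mem on ext4": Request("read", "/var/tmp/mem", EXT4_SUPER_MAGIC, **user),
    }
    return {desc: evaluate(acls, req) for desc, req in cases.items()}
```

Running `demo()` shows the two points the reply makes: the literal `proc:/self/mem` path is allowed for the calling process while the numeric `proc:/4242/mem` form is denied to non-root even when 4242 is its own pid, and a request on a non-proc filesystem never reaches the `proc:/\*/mem` wildcard because the `path.fsmagic` condition is tested first.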