Systrace

Sebastian Yoma Q. syoma at duoclab.cl
Sun Apr 30 12:29:45 CLT 2006


Hi all,
I'm managing users with systrace (using 'policies' to restrict access to
system calls). Users are allowed to write inside their home ( fswrite: filename match
"$HOME" then permit ) and to write in /tmp. When I log in as the user
that is being monitored by systrace, it lets me create directories
(mkdir test ) inside the home, but when I create plain files (touch
asddfs ) it stops me. The same goes for writing inside /tmp.
The 'policies' I'm using are the following:

Policy: /usr/pkg/bin/bash, Emulation: netbsd
netbsd-mmap: permit
netbsd-write: permit
netbsd-exit: permit
netbsd-fsread: filename eq "/etc/ld.so.conf" then permit
netbsd-fsread: filename match "/<non-existent filename>: /usr/pkg/lib/*" then permit
netbsd-fsread: filename match "/lib/*" then permit
netbsd-__fstat13: permit
netbsd-close: permit
netbsd-fsread: filename match "/<non-existent filename>: /usr/local/lib/*" then permit
netbsd-fsread: filename match "/usr/lib/*" then permit
netbsd-munmap: permit
netbsd-fswrite: filename match "/dev/tty*" then permit
netbsd-ioctl: permit
netbsd-issetugid: permit
netbsd-__sysctl: permit
netbsd-break: permit
netbsd-__sigprocmask: permit
netbsd-getuid: permit
netbsd-getgid: permit
netbsd-geteuid: permit
netbsd-getegid: permit
netbsd-__sigprocmask14: permit
netbsd-gettimeofday: permit
netbsd-__sigaction_sigtramp: permit
netbsd-fsread: filename eq "/etc/nsswitch.conf" then permit
netbsd-fsread: filename eq "/etc/pwd.db" then permit
netbsd-fsread: filename match "/usr/share/*" then permit
netbsd-fsread: filename match "/<non-existent filename>: /usr/share/*" then permit
netbsd-read: permit
netbsd-fsread: filename match "/<non-existent filename>: /usr/lib/*" then permit
netbsd-fcntl: permit
netbsd-sendto: permit
netbsd-__getcwd: permit
netbsd-getpid: permit
netbsd-getpgrp: permit
netbsd-pread: permit
netbsd-getpgrp: permit
netbsd-pread: permit
netbsd-getppid: permit
netbsd-dup: permit
netbsd-getrlimit: permit
netbsd-dup2: permit
netbsd-fsread: filename match "/<non-existent filename>: $HOME/*" then permit
netbsd-fsread: filename match "/<non-existent filename>: /var/mail/test" then permit
netbsd-fsread: filename eq "$HOME/.bash_history" then permit
netbsd-fswrite: filename eq "$HOME/.bash_history" then permit
netbsd-setpgid: permit
netbsd-fsread: filename eq "$HOME/." then permit
netbsd-fsread: filename match "/<non-existent filename>: /usr/bin/*" then permit
netbsd-fsread: filename match "/bin/*" then permit
netbsd-fsread: filename match "/<non-existent filename>: /usr/pkg/bin/*" then permit
netbsd-fork: permit
netbsd-wait4: permit
netbsd-kill: permit 
netbsd-getgroups: permit
netbsd-execve: true then permit
netbsd-compat_16___sigreturn14: permit
netbsd-fsread: filename eq "/etc/malloc.conf" then permit
netbsd-fchdir: permit
netbsd-fstatvfs1: permit
netbsd-lseek: permit
netbsd-getdents: permit
netbsd-fsread: filename eq "/usr" then permit
netbsd-fsread: filename match "/usr/bin/*" then permit
netbsd-fsread: filename match "/bin/*" then permit
netbsd-fsread: filename match "/usr/pkg/bin/*" then permit
netbsd-fsread: filename match "/usr/local/bin/*" then permit
netbsd-fsread: filename match "$HOME" then permit
netbsd-fwrite: filename match "$HOME" then permit
netbsd-fsread: filename match "/<non-existent filename>: $HOME" then permit
netbsd-fwrite: filename match "/<non-existent filename>: $HOME" then permit
netbsd-setgid: permit
netbsd-umask: permit
netbsd-utimes: permit
netbsd-chdir: filaneme match "$HOME" then permit
netbsd-fsread: filename match "/<non-existent filename>: /lib/*" then permit
netbsd-fsread: filename eq "/etc/group" then permit
netbsd-fsread: filename eq "/tmp" then permit
netbsd-fsread: filename eq "/<non-existent filename>: /etc/vi.exrc" then permit
netbsd-fswrite: filename match "/<non-existent filename>: /tmp//bt.*" then permit
netbsd-fswrite: filename match "/<non-existent filename>: /tmp/vi.*" then permit

Then,

bash-3.1$ touch asd
touch: asd: Operation not permitted
bash-3.1$

bash-3.1$ vi sucks.txt
ex/vi: Error: Unable to create temporary file: No such file or directory
bash-3.1$

Any recommendations?

Regards.
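As an added example (not code from the original post or from systrace itself), here is a small evaluator that applies systrace-style "filename eq/match ... then permit" rules with fnmatch(3) semantics, the same matching that systrace's `match` predicate uses, to show which accesses the posted rules allow. It assumes the write alias is spelled `fswrite`, that `$HOME` is expanded before matching, that the first matching rule wins with default deny, and it ignores the "/<non-existent filename>: " prefix; the policy excerpt and `/home/test` are constructed.

```python
import fnmatch
import re

# One rule per line: "netbsd-<alias>: [filename eq|match "<pattern>" then] permit|deny"
RULE_RE = re.compile(
    r'^netbsd-(?P<alias>\w+):\s*'
    r'(?:filename\s+(?P<op>eq|match)\s+"(?P<pat>[^"]*)"\s+then\s+)?'
    r'(?P<action>permit|deny)\s*$')


def parse_policy(text, home):
    """Turn policy lines into (alias, op, pattern, action) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Policy:", "#")):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        pat = m["pat"].replace("$HOME", home) if m["pat"] else None
        rules.append((m["alias"], m["op"], pat, m["action"]))
    return rules


def evaluate(rules, alias, filename):
    """First matching rule for this alias decides; nothing matching is denied."""
    for r_alias, op, pat, action in rules:
        if r_alias != alias:
            continue
        if op is None:                                   # unconditional rule
            return action
        if op == "eq" and filename == pat:               # exact string compare
            return action
        if op == "match" and fnmatch.fnmatchcase(filename, pat):  # glob compare
            return action
    return "deny"


# Constructed excerpt of the posted policy (assumption: alias spelled fswrite).
POLICY = """
netbsd-fsread: filename match "$HOME" then permit
netbsd-fswrite: filename match "$HOME" then permit
netbsd-fswrite: filename match "/tmp/vi.*" then permit
"""
# Same excerpt plus a rule that covers files *inside* the home directory.
FIXED = POLICY + 'netbsd-fswrite: filename match "$HOME/*" then permit\n'


def check(policy, alias, filename, home="/home/test"):
    return evaluate(parse_policy(policy, home), alias, filename)


if __name__ == "__main__":
    print(check(POLICY, "fswrite", "/home/test/asd"))  # deny: "$HOME" is only the directory itself
    print(check(FIXED, "fswrite", "/home/test/asd"))   # permit
```

The pattern "$HOME" matches only the directory path itself, so a `touch` of a file underneath it needs a "$HOME/*" rule; a write to an arbitrary name under /tmp is likewise denied because only /tmp/vi.* is listed.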



