1) Given the amount of resources, I think it's practical to do this
only for NetBSD for now.

2) I think the setup should be similar to the rc.d scripts:
installation to ${LOCALBASE}/share/systrace unless
PKG_SYSTRACE_POLICIES is set, and then they are installed to
SYSTRACE_POLICIES_DIR, which defaults to ${PKG_SYSCONFBASE}/systrace.
This way users which eventually want to place them on a read-only
filesystem can do so at their convenience, or they can be installed
auto-magically, etc.

3) I think that until they've received a lot of testing, it should be
part of the options framework.  Therefore systrace policies could be
enabled on a per-package basis or globally (PKG_OPTION_DEFAULT vs.
PKG_OPTIONS.pkgname).

--Blair

-- 
Support WFMU-FM: free-form radio for the masses!

<http://www.wfmu.org/>
91.1 FM Jersey City, NJ
90.1 FM Mt. Hope, NY

"The Reggae Schoolroom":
<http://www.wfmu.org/playlists/RS/>