systrace (interactive policy generation for system calls) Systrace enforces system call policies for applications by constraining the application's access to the system. The policy is generated interactively. Operations not covered by the policy raise an alarm, allowing an user to refine the currently configured policy. By default, this build includes a GTK+ GUI frontend (gtk-systrace), which will be started by systrace as needed. To build without the GUI (e.g. for use on headless servers), set GUI=no in the script's environment. In this case, you'll have to run systrace with the -t option to prevent it trying to start the nonexistant GUI.