The grsecurity and apparmor configurations are far from perfect. They started as an experiment.
I know; for this reason I only make a suggestion, and as I don't know why you did some things in the policy, I ask you :-).
Please realize that I have not said: your policy sucks, it's horrible, stupid and probably there is no human behind it. Instead I only ask the reason for something and add a probably constructive suggestion.
Why I use /proc/*/fd is because I have no idea what PID Hiawatha will have when grsecurity starts.
And I suppose there is no way to pass variables to the /etc/grsec/policy file, is there? There must be a mechanism to do it; if not, grsecurity sucks. If some grsecurity user reads this, please shed some light on this.
No, the kernel takes care of those basic security things. In this case, grsecurity is more like an extra ring in the security onion instead of the only one.
With a cat </proc/$pidofbash/fd/1 you can see what they are typing..., and this is very simple and unusable too, it must be said. Why can't fd 0 of a process be read as I did before and redirected? It could be a keylogger.