gentoo-overlay/sec-policy/selinux-toe/files/toe.cil

; Name: TOE (Trusted Owner Execution) SELinux module.
; Author: Alexander Miroshnichenko (alexminder)
; e-mail: alexminder@gmail.com
; Purpose: Prevent users to execute untrusted their (non system_u context) or tmp files.
; License: GPL-3
;
(typeattributeset cil_gen_require (user_home_t git_user_content_t portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
(typeattribute toe_insecure_type)
(typeattribute toe_exclude_type)
(typeattributeset toe_insecure_type (user_home_t git_user_content_t))
(typeattributeset toe_exclude_type (portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
(constrain (file (execute))
  (and
    (neq t2 toe_insecure_type)
    (or
      (eq t2 toe_exclude_type)
      (and
        (eq u2 system_u)
        (neq t2 tmpfile)
      )
    )
  )
)
add content 2019-05-08 14:53:59 +03:00			`; Name: TOE (Trusted Owner Execution) SELinux module.`
			`; Author: Alexander Miroshnichenko (alexminder)`
			`; e-mail: alexminder@gmail.com`
			`; Purpose: Prevent users to execute untrusted their (non system_u context) or tmp files.`
			`; License: GPL-3`
			`;`
			`(typeattributeset cil_gen_require (user_home_t git_user_content_t portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))`
			`(typeattribute toe_insecure_type)`
			`(typeattribute toe_exclude_type)`
			`(typeattributeset toe_insecure_type (user_home_t git_user_content_t))`
			`(typeattributeset toe_exclude_type (portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))`
			`(constrain (file (execute))`
			`(and`
			`(neq t2 toe_insecure_type)`
			`(or`
			`(eq t2 toe_exclude_type)`
			`(and`
			`(eq u2 system_u)`
			`(neq t2 tmpfile)`
			`)`
			`)`
			`)`
			`)`