add content

sec-policy/selinux-toe/files/toe.cil

@@ -0,0 +1,23 @@
+; Name: TOE (Trusted Owner Execution) SELinux module.
+; Author: Alexander Miroshnichenko (alexminder)
+; e-mail: alexminder@gmail.com
+; Purpose: Prevent users to execute untrusted their (non system_u context) or tmp files.
+; License: GPL-3
+;
+(typeattributeset cil_gen_require (user_home_t git_user_content_t portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
+(typeattribute toe_insecure_type)
+(typeattribute toe_exclude_type)
+(typeattributeset toe_insecure_type (user_home_t git_user_content_t))
+(typeattributeset toe_exclude_type (portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
+(constrain (file (execute))
+  (and
+    (neq t2 toe_insecure_type)
+    (or
+      (eq t2 toe_exclude_type)
+      (and
+        (eq u2 system_u)
+        (neq t2 tmpfile)
+      )
+    )
+  )
+)