; Name: TOE (Trusted Owner Execution) SELinux module.
; Author: Alexander Miroshnichenko (alexminder)
; e-mail: alexminder@gmail.com
; Purpose: Prevent users from executing untrusted files: their own (non-system_u context) files or tmp files.
; License: GPL-3
;
; Types this module refers to but does not declare. They must be provided by
; other loaded policy modules, or name resolution of this module fails.
; NOTE(review): `tmpfile` and `system_u` are also used in the constraint below
; but are not listed here; confirm the base policy always provides them.
(typeattributeset cil_gen_require (user_home_t git_user_content_t portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
; toe_insecure_type: file types that must never be executable under this module.
(typeattribute toe_insecure_type)
; toe_exclude_type: file types exempted from the owner/tmpfile test below.
(typeattribute toe_exclude_type)
; User-writable content: home directory files and git user content.
(typeattributeset toe_insecure_type (user_home_t git_user_content_t))
; Temporary-file types exempted from the test (portage, initrc, gcc-config,
; semanage and virt working files).
; NOTE(review): each type listed here is executable regardless of the file's
; SELinux user, so keep the list minimal and check who can write to these types.
(typeattributeset toe_exclude_type (portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
; Constraint on file:execute. u2/t2 are the SELinux user and type of the target
; file. The permission is allowed only when this expression is true:
;   t2 is NOT in toe_insecure_type
;   AND ( t2 is in toe_exclude_type
;         OR ( u2 is system_u AND t2 is NOT in tmpfile ) )
; The insecure-type test comes first, so a type placed in both attributes is
; still denied.
;
; Review notes:
; - The expression has no source-side term (u1/r1/t1), so it applies to every
;   domain. A constraint is enforced in addition to allow rules and cannot be
;   overridden by them. Evaluate the denials it produces before enforcing.
; - The system_u test reads the user field of the file label.
;   NOTE(review): this assumes ordinary users cannot create or relabel files
;   with a system_u user field; verify the relabel/identity constraints in the
;   base policy, and check that administrative file installs end up system_u.
; - Only the `execute` permission of class `file` is constrained. Content that
;   an already-permitted interpreter merely reads is outside this rule and needs
;   separate policy.
(constrain (file (execute))
  (and
    (neq t2 toe_insecure_type)
    (or
      (eq t2 toe_exclude_type)
      (and
        (eq u2 system_u)
        (neq t2 tmpfile)
      )
    )
  )
)