gentoo-overlay/sec-policy/selinux-toe/files/toe.cil


; Name: TOE (Trusted Owner Execution) SELinux module.
; Author: Alexander Miroshnichenko (alexminder)
; e-mail: alexminder@gmail.com
; Purpose: Prevent users from executing their own untrusted files (those not in a system_u context) or tmp files.
; License: GPL-3
;
; Types that this module references but does not declare. Listing them under
; cil_gen_require marks them as expected from other loaded policy modules.
; NOTE(review): the `tmpfile` attribute and the `system_u` user used in the
; constraint below are neither declared nor listed in this file -- confirm the
; base policy on the target system provides both, otherwise the module will
; not resolve.
(typeattributeset cil_gen_require (user_home_t git_user_content_t portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
; Attribute for file types that must never be executable under this module.
(typeattribute toe_insecure_type)
; Attribute for file types that are exempt from the owner/tmpfile checks below.
(typeattribute toe_exclude_type)
; Members of toe_insecure_type. The constraint rejects execute on these types
; regardless of the SELinux user recorded on the file.
(typeattributeset toe_insecure_type (user_home_t git_user_content_t))
; Members of toe_exclude_type. Presumably these types carry the `tmpfile`
; attribute and would otherwise be rejected by the last clause of the
; constraint -- confirm against the base policy.
; NOTE(review): every type added here becomes executable whatever SELinux user
; owns the file, so keep this list as short as the system allows.
(typeattributeset toe_exclude_type (portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
; Constraint on the `execute` permission of class `file`. t2 and u2 are the
; type and the SELinux user of the target, i.e. the file being executed.
; The permission can be granted only when the whole expression holds:
;   t2 is NOT in toe_insecure_type
;   AND ( t2 is in toe_exclude_type
;         OR ( u2 is system_u AND t2 is NOT in tmpfile ) )
; A constraint only narrows what allow rules grant; it never grants access.
; Scope: only `execute` on class `file` is covered. Read access is untouched,
; so this rule alone does not stop an interpreter from being handed such a
; file as input; that needs separate policy.
(constrain (file (execute))
(and
; Hard deny: types tagged insecure fail here before any exemption is evaluated.
(neq t2 toe_insecure_type)
(or
; Exemption: explicitly excluded types pass without the user/tmpfile checks.
(eq t2 toe_exclude_type)
(and
; Default rule: the file must be labelled with the system_u user ...
(eq u2 system_u)
; ... and its type must not belong to the tmpfile attribute.
(neq t2 tmpfile)
)
)
)
)