24 lines
850 B
Plaintext
24 lines
850 B
Plaintext
; Name: TOE (Trusted Owner Execution) SELinux module.
|
|
; Author: Alexander Miroshnichenko (alexminder)
|
|
; e-mail: alexminder@gmail.com
|
|
; Purpose: Prevent users to execute untrusted their (non system_u context) or tmp files.
|
|
; License: GPL-3
|
|
;
|
|
(typeattributeset cil_gen_require (user_home_t git_user_content_t portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
|
|
(typeattribute toe_insecure_type)
|
|
(typeattribute toe_exclude_type)
|
|
(typeattributeset toe_insecure_type (user_home_t git_user_content_t))
|
|
(typeattributeset toe_exclude_type (portage_tmp_t initrc_tmp_t gcc_config_tmp_t semanage_tmp_t portage_fetch_tmp_t virt_tmp_t))
|
|
(constrain (file (execute))
|
|
(and
|
|
(neq t2 toe_insecure_type)
|
|
(or
|
|
(eq t2 toe_exclude_type)
|
|
(and
|
|
(eq u2 system_u)
|
|
(neq t2 tmpfile)
|
|
)
|
|
)
|
|
)
|
|
)
|