The assert.te file contains assertions that are checked after evaluating the entire TE configuration. These assertions can be used to detect errors in the configuration.
A few sample assertions are provided, but a thorough set of assertions has not yet been developed. The samples include assertions that only certain domains can use the sys_module capability and that system software can only be modified by administrators.
An assert_execute macro is defined for generating assertions to verify that certain domains can only execute code from their entry point executable type, the system dynamic loader type, and the system shared library type. This macro is applied to a set of domains that should not require execute access to any other code.
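The assertions described above could be written as TE neverallow rules along the following lines. This is an added illustration, not the contents of the distributed assert.te. The type names (insmod_t, kernel_t, ld_so_t, shlib_t), the attributes (admin, exec_type), the permissions chosen, and the getty and syslogd domains are all assumptions.

```selinux
# Illustrative assertions; every type, attribute and domain name below is assumed.

# Only the listed domains may use the sys_module capability.
neverallow ~{ insmod_t kernel_t } self:capability sys_module;

# System software (executables, the dynamic loader, shared libraries)
# may be modified only by domains carrying the admin attribute.
neverallow ~admin { exec_type ld_so_t shlib_t }:file { write append unlink rename };

# assert_execute(name): the domain name_t may execute code only from its
# entry point executable type, the dynamic loader type and the shared library type.
define(`assert_execute', `
neverallow $1_t ~{ $1_exec_t ld_so_t shlib_t }:file execute;
')

# Apply the macro to domains that should need no other executable code.
assert_execute(getty)
assert_execute(syslogd)
```

The policy compiler rejects the configuration if any allow rule grants a permission matched by one of these rules, so an over-broad rule added elsewhere in the TE files is caught at build time rather than after the policy is loaded.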