z/OS 2.2 added support for FSEXEC calls. You can prevent users from executing any file in a z/OS® File System (zFS) file system or Temporary File System (TFS) by defining a general resource profile in the FSEXEC class. This enables you to use external security commands to restrict z/OS UNIX access to the specified file system for most users while allowing selected users and groups to remain eligible for execute access.
How do I restrict execute access in a zFS or TFS file system with ACF2?
When a file system is protected by an FSEXEC profile with UACC(NONE), only users and groups with UPDATE access authority or higher are eligible for execute file access. Eligible users are then subject to the usual authorization checking, which includes checking for superuser authority, ownership, permission bits, access control lists (ACLs), and UNIXPRIV authorities.
CA added support to ACF2 with PTF RO91933. The CLASMAP record added by the PTF maps the FSEXEC class with a resource length of 44, mixed case, and a default type code of FSE. Because the call that is made is a FASTAUTH call, the type code must also be added to a resident directory:
TSO ACF
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RFSE) ADD
F ACF2,REFRESH(INFODIR)
As an example, suppose the zFS file system is called OMVS.ZFS.files.ADMIN. A sample rule would look like this:
$KEY(OMVS) TYPE(FSE)
ZFS.files.ADMIN UID(uid string that needs access) SERVICE(UPDATE) ALLOW
After any rules are added or changed, a REBUILD of the resident directory is required:
F ACF2,REBUILD(FSE)
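The three steps above (resident directory, rule set, rebuild) combined into one worked sequence. This is an added example, not part of the original article; it keeps the article's file system name OMVS.ZFS.files.ADMIN, while the UID masks SECADM- and the user mask ending in JSMITH are hypothetical placeholders for a site's own UID string layout. The rule lines are entered through the ACF subcommands SET RESOURCE, COMPILE and STORE, which is assumed here to be the interactive way of storing a rule set; the F ACF2 lines are MVS console commands, not TSO commands. Lines beginning with an asterisk are annotations, not commands.

```acf2
* --- Step 1 (TSO): make FSE a resident directory type, then refresh
ACF
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RFSE) ADD
END
* --- console command, issued by an operator or via SDSF
F ACF2,REFRESH(INFODIR)

* --- Step 2 (TSO): store the FSE rule set for the OMVS high-level qualifier
ACF
SET RESOURCE(FSE)
COMPILE *
$KEY(OMVS) TYPE(FSE)
* hypothetical UID mask: everyone whose UID string carries the SECADM group
ZFS.files.ADMIN UID(******SECADM-) SERVICE(UPDATE) ALLOW
* hypothetical single user added by a full UID mask
ZFS.files.ADMIN UID(******OPS***JSMITH) SERVICE(UPDATE) ALLOW
* no entry for anyone else: an unmatched user gets no execute access
STORE
END

* --- Step 3 (console): rebuild the FSE directory so the new rule is used
F ACF2,REBUILD(FSE)
```

Two checks worth making after storing the rule: because the CLASMAP record defines the class as mixed case, the resource name in the rule entry (ZFS.files.ADMIN) must match the file system name's case exactly, and only SERVICE(UPDATE) or higher makes a user eligible for execute. Users who are not matched by any ALLOW entry are simply never eligible; users who are matched still go through the normal z/OS UNIX checks (superuser, ownership, permission bits, ACLs and UNIXPRIV) described earlier. SHOW CLASMAP in an ACF session confirms that FSEXEC is mapped to type FSE before you spend time debugging a rule that is never reached.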