Not a perfect solution, but you could mount as noexec by default and 
whenever you want to install packages you can do a quick

mount -o remount,exec /tmp

before and another
  
mount -o remount /tmp

afterwards.