From e0dfbdf15fe409a2ad3c6826a57061340c25f3cd Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Fri, 10 Feb 2006 14:21:16 +0000
Subject: [PATCH] fix process object class assertion for hierarchy

---
 refpolicy/policy/modules/kernel/domain.te | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te
index 6fad4cb6a..acc626730 100644
--- a/refpolicy/policy/modules/kernel/domain.te
+++ b/refpolicy/policy/modules/kernel/domain.te
@@ -63,7 +63,5 @@ attribute cron_job_domain;
 # SELinux identity and role change constraints
 attribute process_uncond_exempt;	# add userhelperdomain to this one
 
-# TODO:
-# cjp: also need to except correctly for SEFramework
-neverallow { domain unlabeled_t } file_type:process *;
+neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
 neverallow ~{ domain unlabeled_t } *:process *;