diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index b3f6bad..1da9add 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -34,7 +34,7 @@ type rpm_script_exec_t;
domain_obj_id_change_exempt(rpm_script_t)
corecmd_shell_entry_type(rpm_script_t)
domain_type(rpm_script_t)
-domain_entry_file(rpm_t,rpm_script_t)
+domain_entry_file(rpm_t,rpm_script_exec_t)
domain_wide_inherit_fd(rpm_script_t)
role system_r types rpm_script_t;
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index b18b441..181effd 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -43,8 +43,8 @@ interface(`term_user_pty',`
attribute server_ptynode;
')
- term_pty($1)
- type_change $1 server_ptynode:chr_file $2;
+ term_pty($2)
+ type_change $2 server_ptynode:chr_file $1;
')
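Review bot: The two rules now disagree about which argument is the pty type: `term_pty($2)` declares $2 as the pty type, while `type_change $2 server_ptynode:chr_file $1;` uses $2 as the source (process) type and makes $1 the resulting type of the chr_file. If, as the first rule implies, $1 is the caller's domain and $2 the pty type, the relabel rule should read `type_change $1 server_ptynode:chr_file $2;` — as written the pty would be relabeled to a process domain type. A one-line comment naming the parameters, e.g. `# $1 = domain, $2 = pty type`, would keep the arguments from being swapped again. The interface's summary and parameter documentation sit above the hunk, so I could not confirm the parameter order from this diff alone.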
########################################
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index cb3306d..6891c30 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
@@ -15,9 +15,14 @@ attribute can_change_process_identity;
attribute can_change_process_role;
attribute can_change_object_identity;
+# Transitions only allowed from domains to other domains
neverallow domain ~domain:process { transition dyntransition };
# enabling setcurrent breaks process tranquility. If you do not
# know what this means or do not understand the implications of a
# dynamic transition, you should not be using it!!!
neverallow * *:process setcurrent;
+
+# Files with domain types are currently only proc files
+neverallow * domain:dir ~r_dir_perms;
+neverallow * domain:file_class_set ~rw_file_perms;
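Review bot: The comment above the two new neverallows states the current labeling situation but not what they enforce, which is what a reader who hits a neverallow failure at policy build time needs. I would expand it to: `# Files with domain types are currently only proc files (/proc/<pid>), so no domain may be granted more than read/write access to an object labeled with a domain type; in particular a domain type must never be used as an executable, entrypoint or relabel target type.` That wording assumes rw_file_perms and r_dir_perms exclude execute, entrypoint and relabelto, which depends on their definitions in obj_perm_sets and is outside this diff. It would also be worth stating here that the rules deliberately do not cover the process class, since `neverallow domain ~domain:process ...` above already handles transitions.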
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 58b587e..2cd42f0 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -109,10 +109,7 @@ interface(`libs_legacy_use_ld_so',`
##
## Execute the dynamic link/loader in the caller's
## domain. This is commonly needed for the
-## /usr/bin/ldd program. Note: this can be used
-## to execute any binary that the caller can
-## read, even if the caller does not have execute
-## permissions.
+## /usr/bin/ldd program.
##
##
## The type of the process performing this action.
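Review bot: Dropping the warning removes the only security caveat on this interface while the remaining summary still describes an interface that lets the caller execute the loader in its own domain. The old wording was arguably inaccurate (if the loader maps the target with PROT_EXEC, SELinux presumably still requires `execute` on that file's type), but the property that remains — a program started as `ld.so <file>` stays in the caller's domain, so any automatic domain transition defined for that program's type is bypassed — is still worth stating. Suggested replacement for the removed sentences: `## Note: a program run via the loader stays in the caller's domain, bypassing any domain transition defined for that program's type.` Whether this matches the interface's actual allow rules should be confirmed against its body, which lies outside the hunk.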
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index feaf158..9dc0e2b 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -9,7 +9,7 @@ policy_module(logging,1.0)
attribute logfile;
type auditd_log_t;
-logging_log_file(auditd_t,auditd_log_t)
+logging_log_file(auditd_log_t)
type auditd_t;
type auditd_exec_t;