diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index b3f6bad..1da9add 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -34,7 +34,7 @@ type rpm_script_exec_t;
 domain_obj_id_change_exempt(rpm_script_t)
 corecmd_shell_entry_type(rpm_script_t)
 domain_type(rpm_script_t)
-domain_entry_file(rpm_t,rpm_script_t)
+domain_entry_file(rpm_t,rpm_script_exec_t)
 domain_wide_inherit_fd(rpm_script_t)
 role system_r types rpm_script_t;
 
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index b18b441..181effd 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -43,8 +43,8 @@ interface(`term_user_pty',`
 		attribute server_ptynode;
 	')
 
-	term_pty($1)
-	type_change $1 server_ptynode:chr_file $2;
+	term_pty($2)
+	type_change $2 server_ptynode:chr_file $1;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index cb3306d..6891c30 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
@@ -15,9 +15,14 @@ attribute can_change_process_identity;
 attribute can_change_process_role;
 attribute can_change_object_identity;
 
+# Transitions only allowed from domains to other domains
 neverallow domain ~domain:process { transition dyntransition };
 
 # enabling setcurrent breaks process tranquility.  If you do not
 # know what this means or do not understand the implications of a
 # dynamic transition, you should not be using it!!!
 neverallow * *:process setcurrent;
+
+# Files with domain types are currently only proc files
+neverallow * domain:dir ~r_dir_perms;
+neverallow * domain:file_class_set ~rw_file_perms;
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 58b587e..2cd42f0 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -109,10 +109,7 @@ interface(`libs_legacy_use_ld_so',`
 ##	<description>
 ##		Execute the dynamic link/loader in the caller's
 ##		domain.  This is commonly needed for the
-##		/usr/bin/ldd program.  Note: this can be used
-##		to execute any binary that the caller can
-##		read, even if the caller does not have execute
-##		permissions.
+##		/usr/bin/ldd program.
 ##	</description>
 ##	<parameter name="domain">
 ##		The type of the process performing this action.
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index feaf158..9dc0e2b 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -9,7 +9,7 @@ policy_module(logging,1.0)
 attribute logfile;
 
 type auditd_log_t;
-logging_log_file(auditd_t,auditd_log_t)
+logging_log_file(auditd_log_t)
 
 type auditd_t;
 type auditd_exec_t;