diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 80135b7..4106bdd 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -26,6 +26,14 @@ interface(`domain_base_domain_type',`
 
 	# allow $1 to create child processes in this domain
 	allow $1 self:process { fork sigchld };
+
+	# Files with domain types are currently only proc files
+	# self is excepted since domains and files can have
+	# the same type in SEFramework
+	# cjp: perhaps this should be a conditional exception,
+	# so it is excepted only on SEFramework policies
+	neverallow $1 { domain -$1 }:dir ~r_dir_perms;
+	neverallow $1 { domain -$1 }:file_class_set ~rw_file_perms;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index cd9b41e..2878652 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
@@ -32,6 +32,7 @@ neverallow domain ~domain:process { transition dyntransition };
 # dynamic transition, you should not be using it!!!
 neverallow { domain -set_curr_context } self:process setcurrent;
 
-# Files with domain types are currently only proc files
-neverallow * domain:dir ~r_dir_perms;
-neverallow * domain:file_class_set ~rw_file_perms;
+# TODO:
+# cjp: also need to except correctly for SEFramework
+#neverallow { domain unlabeled_t } file_type:process *;
+#neverallow ~{ domain unlabeled_t } *:process *;