Index: policy/modules/kernel/domain.te
===================================================================
--- policy/modules/kernel/domain.te (revision 1472)
+++ policy/modules/kernel/domain.te (working copy)
@@ -63,7 +63,5 @@
 # SELinux identity and role change constraints
 attribute process_uncond_exempt; # add userhelperdomain to this one
-# TODO:
-# cjp: also need to except correctly for SEFramework
-neverallow { domain unlabeled_t } file_type:process *;
+neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *;
 neverallow ~{ domain unlabeled_t } *:process *;
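Review bot: The `+neverallow` line replaces the rule that carried the TODO about an SEFramework exception, but nothing in the hunk adds that exception or says why it is no longer needed. The target set widens from `file_type` to `~{ domain unlabeled_t }`, so any allow rule granting process-class permissions on a non-domain type that is not a file type will now fail the assertion at policy build time. It is worth confirming that no module, SEFramework included, relies on such a rule. I would also add a comment above the pair stating the invariant, e.g. `# process-class permissions: source and target must both be domain types (or unlabeled_t)`.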