  • Fix neverallow rules to eliminate CTS SELinuxTest warnings. · 21ada26d
    Stephen Smalley authored
    
    Fix two neverallow rules that yield Invalid SELinux context
    warnings from the CTS SELinuxTest.
    
    For transitions from app domains, we only need to check
    { domain -appdomain } (i.e. domains other than app domains),
    not ~appdomain (i.e. all types other than app domains).  Otherwise
    SELinuxTest tries to generate contexts with the r role and
    non-domain types for testing since the target class is process,
    and such contexts are invalid.
    
    For keeping file_type and fs_type exclusive, we only need to
    check associate permission, not all filesystem permissions, as
    only associate takes a file type as the source context.  Otherwise
    SELinuxTest tries to generate contexts with the r role and
    non-domain types for testing filesystem permissions other than
    associate, since the source of such checks is normally a process
    context.
    
    Change-Id: I6c2f63f4786d75294a6938613ba14b64212fc802
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
file.te 6.42 KiB
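
The difference between `~appdomain` and `{ domain -appdomain }` described in the commit message, as an added example that is not part of the commit or of the AOSP policy. It models type-set expansion over a constructed toy policy; the type names and the `expand` and `invalid_process_targets` helpers are hypothetical, and the rule that only domain types form a valid context with the r role is taken from the commit message.

```python
# Constructed toy policy: type -> attributes. Illustrative names only,
# not taken from the real policy files.
TYPES = {
    "untrusted_app": {"domain", "appdomain"},
    "platform_app": {"domain", "appdomain"},
    "init": {"domain"},
    "vold": {"domain"},
    "system_data_file": {"file_type"},
    "sysfs": {"fs_type"},
}


def members(name):
    """Types named by an attribute, or the single type itself."""
    if name in TYPES:
        return {name}
    return {t for t, attrs in TYPES.items() if name in attrs}


def expand(expr):
    """Expand a type-set expression: 'attr', '~attr' or '{ a b -c }'."""
    expr = expr.strip()
    if expr.startswith("~"):
        # Complement is taken over ALL types, not just domains.
        return set(TYPES) - expand(expr[1:])
    if expr.startswith("{"):
        included, excluded = set(), set()
        for tok in expr.strip("{} ").split():
            if tok.startswith("-"):
                excluded |= members(tok[1:])
            else:
                included |= members(tok)
        return included - excluded
    return members(expr)


def invalid_process_targets(expr):
    """Target types for which a test would build u:r:<type>:s0 for class
    process even though <type> is not a domain (an invalid context)."""
    return sorted(t for t in expand(expr) if "domain" not in TYPES[t])


if __name__ == "__main__":
    for e in ("~appdomain", "{ domain -appdomain }"):
        print(e, "->", sorted(expand(e)), "invalid:", invalid_process_targets(e))
```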