diff --git a/domain.te b/domain.te
index 2400a8cad8e6d3e982d591dc60c5d982449c61ff..2b1028ee0d861b0d1f172d3134204b5f2fe52ca7 100644
--- a/domain.te
+++ b/domain.te
@@ -288,10 +288,10 @@ neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_
 
 # Only the init property service should write to /data/property and /dev/__properties__
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file no_w_file_perms;
-neverallow { domain -init } property_type:file no_w_file_perms;
-neverallow { domain -init } properties_device:file no_w_file_perms;
-neverallow { domain -init } properties_serial:file no_w_file_perms;
+neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
 
 # Only recovery should be doing writes to /system
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
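Review bot: The execute restriction added to the four `:file` rules still exempts init, because `no_x_file_perms` was folded into the same `{ domain -init }` source set as the write restriction. Init has to write property files, but nothing visible in this hunk suggests it ever needs to execute them, so the exemption looks wider than necessary. Consider keeping `{ domain -init }` for `no_w_file_perms` only and adding a separate rule that covers every domain, such as `neverallow domain { property_data_file property_type properties_device properties_serial }:file no_x_file_perms;`. If init is granted execute somewhere outside this hunk, the build would then flag it, which is worth knowing. The comment above the rules still mentions only writes and should be extended, for example `# Only the init property service should write to /data/property and /dev/__properties__; property files must never be executed.`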