diff --git a/domain.te b/domain.te
index 6321237826777a1bbd6f5d03a7ef010154e5084c..12aa89888c9d30d9d5a1d8816431f17485d947c6 100644
--- a/domain.te
+++ b/domain.te
@@ -138,3 +138,6 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 
 # Only init should be able to load SELinux policies
 neverallow { domain -init } kernel:security load_policy;
+
+# Ensure that all entrypoint executables are in exec_type.
+neverallow domain { file_type -exec_type }:file entrypoint;
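Review bot: The added neverallow on the last line only constrains executables whose type carries file_type; a type declared without file_type falls outside `{ file_type -exec_type }` and would still be a permitted entrypoint, so the check is complete only if every type that can label an executable is also in file_type, which this diff does not show being enforced. It also relies on exec_type being declared as an attribute elsewhere, which is not part of this diff. The comment could state the assumption: `# Ensure that all entrypoint executables are in exec_type (assumes every executable's type is also in file_type).`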
diff --git a/ping.te b/ping.te
index 3c6254a3de581bfd133ae8237d3e42063a3046e5..19f3a4741baeabdeefa03e2ec598d5f47d640224 100644
--- a/ping.te
+++ b/ping.te
@@ -1,5 +1,5 @@
 type ping, domain;
 permissive ping;
-type ping_exec, file_type;
+type ping_exec, exec_type, file_type;
 domain_auto_trans(shell, ping_exec, ping)
 unconfined_domain(ping)
diff --git a/runas.te b/runas.te
index 50295a9b953bf120ec819bc190983fd6e21f62b0..ec5e1c4b6aa34d6d935acbd46651cab83de93cf6 100644
--- a/runas.te
+++ b/runas.te
@@ -1,5 +1,5 @@
 type runas, domain;
-type runas_exec, file_type;
+type runas_exec, exec_type, file_type;
 permissive runas;
 unconfined_domain(runas)
 
diff --git a/shell.te b/shell.te
index 89bc9becbac389d1661f433751341690b9c23c08..8b51003dfe90c2867af25cdcfdbb03ddf4ee525a 100644
--- a/shell.te
+++ b/shell.te
@@ -1,6 +1,6 @@
 # Domain for shell processes spawned by ADB
 type shell, domain;
-type shell_exec, file_type;
+type shell_exec, exec_type, file_type;
 unconfined_domain(shell)
 
 # Run app_process.
diff --git a/su.te b/su.te
index ca9fcc23701eaedcf9ce8a157bf9a54df1cd70b9..c1f002f86b54b47470430d2464ecb7fec87d458d 100644
--- a/su.te
+++ b/su.te
@@ -1,6 +1,6 @@
 type su, domain;
 permissive su;
-type su_exec, file_type;
+type su_exec, exec_type, file_type;
 domain_auto_trans(shell, su_exec, su)
 
 # su is unconfined.
diff --git a/su_user.te b/su_user.te
index 77fc535c9a342230b5fec13cbb335d1382c7fc02..6f936a0810bcd73ab39784e4cdc326e84c633798 100644
--- a/su_user.te
+++ b/su_user.te
@@ -1,4 +1,4 @@
 # File types must be defined for file_contexts.
-type su_exec, file_type;
+type su_exec, exec_type, file_type;
 
 # No allow rules
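Review bot: su_exec is declared twice in this commit, here and in su.te, and both declarations are updated to `exec_type, file_type` in the same way; presumably only one of the two files is compiled per build variant, but a future attribute change must be applied to both or the two variants drift. A one-line comment above the declaration would make that dependency visible: `# Keep in sync with the su_exec declaration in su.te.`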