diff --git a/domain.te b/domain.te
index a67e77abe60d7584edd1b65b4f3e045c628e86fa..8fb020b9801d0fbd80b5a85f1e9a3a0dd481f77b 100644
--- a/domain.te
+++ b/domain.te
@@ -358,6 +358,14 @@ neverallow {
   -dex2oat
 } dalvikcache_data_file:file no_w_file_perms;
 
+neverallow {
+  domain
+  -init
+  -installd
+  -dex2oat
+  -zygote
+} dalvikcache_data_file:dir no_w_dir_perms;
+
 # Only system_server should be able to send commands via the zygote socket
 neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
 neverallow { domain -system_server } zygote_socket:sock_file write;