diff --git a/private/system_server.te b/private/system_server.te
index 44b3b0c28b204e23a67d980a90affaca0f5f34c1..35106866145141f65d7c5bb993e03588b37624a6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -758,11 +758,8 @@ neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock
 neverallow system_server dex2oat_exec:file no_x_file_perms;
 
 # system_server should never execute or load executable shared libraries
-# in /data except for /data/dalvik-cache files.
-neverallow system_server {
-  data_file_type
-  -dalvikcache_data_file #mapping with PROT_EXEC
-}:file no_x_file_perms;
+# in /data
+neverallow system_server data_file_type:file no_x_file_perms;
 
 # The only block device system_server should be accessing is
 # the frp_block_device. This helps avoid a system_server to root