diff --git a/domain.te b/domain.te
index 9f5ea9b6fe59462a1f171f157b7c3aef6c18cdf6..bd8ff25a93439ba5f41020f82f5d3cfbb85eaec4 100644
--- a/domain.te
+++ b/domain.te
@@ -163,7 +163,7 @@ allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 ###
 
 # Do not allow any confined domain to create new unlabeled files.
-neverallow { domain -unconfineddomain } unlabeled:dir_file_class_set create;
+neverallow { domain -unconfineddomain -recovery } unlabeled:dir_file_class_set create;
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.