diff --git a/system_server.te b/system_server.te
index aaa0657a3e94932c77b4cc8f207b2837eac27cb0..bfe5b89b00f49857d9394f27a1b32026feee4dcb 100644
--- a/system_server.te
+++ b/system_server.te
@@ -485,3 +485,9 @@ neverallow system_server sdcard_type:file rw_file_perms;
 # Types extracted from seapp_contexts type= fields, excluding
 # those types that system_server needs to open directly.
 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
+
+# system_server should never be executing dex2oat. This is either
+# a bug (for example, bug 16317188), or represents an attempt by
+# system server to dynamically load a dex file, something we do not
+# want to allow.
+neverallow system_server dex2oat_exec:file no_x_file_perms;
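Review bot: The comment above the new `neverallow` promises more than the rule enforces: it says system_server must not dynamically load a dex file, but the assertion only forbids the permissions in `no_x_file_perms` on `dex2oat_exec`, i.e. running the compiler binary. Whether other routes to loading code are asserted elsewhere in system_server.te is not visible in this hunk. I would narrow the wording and state that this is a build-time check, for example by adding `# Build-time assertion only: covers running the dex2oat binary, not other ways of loading code.` It would also help to note that a runtime attempt would be expected to surface as an avc denial for system_server on dex2oat_exec, which is a useful signal to monitor.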