diff --git a/system_server.te b/system_server.te
index 152ece1d109c4445a739a6b133e2174beee43397..f48fd2cb0acfa575f97b462d7376610e404b71ec 100644
--- a/system_server.te
+++ b/system_server.te
@@ -236,11 +236,6 @@ allow system_server fscklogs:file unlink;
 # For SELinuxPolicyInstallReceiver
 selinux_manage_policy(system_server)
 
-# For legacy unlabeled userdata on existing devices.
-# See discussion of Unlabeled files in domain.te for more information.
-# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
-allow system_server unlabeled:file execute;
-
 # logd access, system_server inherit logd write socket
 # (urge is to deprecate this long term)
 allow system_server zygote:unix_dgram_socket write;
diff --git a/zygote.te b/zygote.te
index b6a527c140b17ed46fbd13910c0a714f86205dcb..c20072de69ff902fd342662b479126fea120bf40 100644
--- a/zygote.te
+++ b/zygote.te
@@ -52,8 +52,3 @@ allow zygote ashmem_device:chr_file execute;
 allow zygote shell_data_file:file { write getattr };
 allow zygote system_server:binder { transfer call };
 allow zygote servicemanager:binder { call };
-
-# For legacy unlabeled userdata on existing devices.
-# See discussion of Unlabeled files in domain.te for more information.
-# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
-allow zygote unlabeled:file execute;