diff --git a/zygote.te b/zygote.te
index c20072de69ff902fd342662b479126fea120bf40..345b6300401ffe40208bbde1413482dd6b682053 100644
--- a/zygote.te
+++ b/zygote.te
@@ -45,7 +45,7 @@ allow zygote tmpfs:filesystem mount;
 allow zygote labeledfs:filesystem remount;
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
-allow zygote zygote_exec:file { execute_no_trans open };
+allow zygote zygote_exec:file rx_file_perms;
 
 # handle bugreports b/10498304
 allow zygote ashmem_device:chr_file execute;