diff --git a/domain.te b/domain.te
index eebe1a5c71ec69482fa5933e1f1c73053b00cf3c..e2779726719709ac69ae5ccdbdca93363de690f5 100644
--- a/domain.te
+++ b/domain.te
@@ -250,3 +250,7 @@ neverallow {
 # Only the init property service should write to /data/property.
 neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
 neverallow { domain -init } property_data_file:file { create setattr relabelfrom write append unlink link rename };
+
+# Only recovery should be doing writes to /system
+neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
diff --git a/init.te b/init.te
index f0c6ac6d9646c28c2c4fd6d31c705f24df54b371..f0e11f6390400e05e18ca96a78740765d951ae11 100644
--- a/init.te
+++ b/init.te
@@ -10,7 +10,8 @@ allow init self:capability { sys_rawio mknod };
 
 allow init dev_type:blk_file rw_file_perms;
 allow init fs_type:filesystem *;
-allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
+allow init {fs_type dev_type}:dir_file_class_set relabelto;
+allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 allow init kernel:security load_policy;
 allow init kernel:system syslog_mod;
 allow init usermodehelper:file rw_file_perms;
diff --git a/kernel.te b/kernel.te
index f2405e4fdfd969a28a5f0c2c40ffd4f2eb547aba..b09c106483f7fc4f487beb17c2a432f5a7f3ff16 100644
--- a/kernel.te
+++ b/kernel.te
@@ -8,7 +8,8 @@ allow kernel init:process dyntransition;
 # The kernel is unconfined.
 unconfined_domain(kernel)
 
-allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
+allow kernel {fs_type dev_type}:dir_file_class_set relabelto;
+allow kernel {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 allow kernel unlabeled:filesystem mount;
 allow kernel fs_type:filesystem *;
 
diff --git a/recovery.te b/recovery.te
index c1329833af386530d9184861ef16df998124571c..811623e62d724fc07a94c42e57819734bde099be 100644
--- a/recovery.te
+++ b/recovery.te
@@ -5,10 +5,14 @@ unconfined_domain(recovery)
 
 allow recovery self:capability2 mac_admin;
 
-allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
+allow recovery {dev_type -kmem_device}:dir_file_class_set relabelto;
+allow recovery {fs_type file_type}:dir_file_class_set relabelto;
 allow recovery unlabeled:filesystem mount;
 allow recovery fs_type:filesystem *;
 
+allow recovery exec_type:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
+allow recovery system_file:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
+
 # Required to e.g. wipe userdata/cache.
 allow recovery dev_type:blk_file rw_file_perms;
 
diff --git a/unconfined.te b/unconfined.te
index 2302279b9b35b13ed3145c9a19e7e318d4fcbdb3..ecfe61574ae9450d4f1923c9faceb5ed36888eb3 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -28,10 +28,14 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
 allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type dev_type file_type -keystore_data_file -property_data_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type dev_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
+allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
+allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain {file_type -keystore_data_file -property_data_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain { rootfs system_file exec_type }:file execute;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;