diff --git a/domain.te b/domain.te
index 44612414fc75f5f65732626de02050b9caf7d4d9..4d115fd2987acca806261b2911e700ae97952aaf 100644
--- a/domain.te
+++ b/domain.te
@@ -401,3 +401,11 @@ neverallow domain {
 # neverallow { domain -appdomain } file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
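Review bot: The comment on the new rules reads as if they enforce a runtime property, but `neverallow` is a build-time assertion checked by the policy compiler, not a denial evaluated by the kernel; the guarantee that every process type carries `domain` holds only for policy that was compiled with these two lines present, and any later policy addition that would violate it fails at build time rather than at runtime. It would help the next maintainer to say so, e.g. `# Note: neverallow is checked at policy build time; a rule granting such a transition is a compile error, not a runtime denial.` The pair also only covers the `transition` and `dyntransition` process permissions, which is the right scope for exec- and setcon-based label changes; the comment could state that explicitly so nobody later broadens it to unrelated process permissions.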
diff --git a/zygote.te b/zygote.te
index d2f629ce5e9cebf82c074d8ac76ac5b8ca81974c..0dba9b6193e6a0882150107c2cd37a1f46f7fcb8 100644
--- a/zygote.te
+++ b/zygote.te
@@ -64,3 +64,15 @@ allow zygote storage_file:dir { search mounton };
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Ensure that all types assigned to app processes are included
+# in the appdomain attribute, so that all allow and neverallow rules
+# written on appdomain are applied to all app processes.
+# This is achieved by ensuring that it is impossible for zygote to
+# setcon (dyntransition) to any types other than those associated
+# with appdomain plus system_server.
+neverallow zygote ~{ appdomain system_server }:process dyntransition;
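Review bot: The new rule constrains only `dyntransition`, while the comment above it claims that every type assigned to an app process is forced into `appdomain`; if zygote holds any `process transition` (exec-based) rule elsewhere, its target types are not covered by this assertion and could sit outside `appdomain`. Either confirm there are no such rules or widen the permission set to `neverallow zygote ~{ appdomain system_server }:process { transition dyntransition };`, which would make the comment accurate as written. As with the domain.te change in this commit, this is a build-time assertion rather than a runtime check, and the comment would be clearer if it said so. The enclosing zygote.te content before the hunk is not part of the change.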