diff --git a/app.te b/app.te
index 94dcfc5bdd443dd337a25c75b804c9998f36c891..48aebbf0a00cf09661cff0e2bb99063367a4c02c 100644
--- a/app.te
+++ b/app.te
@@ -390,6 +390,7 @@ neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
 neverallow appdomain {
   apk_data_file
   cache_file
+  cache_recovery_file
   dev_type
   rootfs
   system_file
diff --git a/domain.te b/domain.te
index 7b44fb5b19042316e45c3aff9fb9de077e1878a7..98edece31bdf4923d3e6d623fe3434875583d69e 100644
--- a/domain.te
+++ b/domain.te
@@ -258,7 +258,7 @@ neverallow {
     -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
 # Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file }:file execute;
+neverallow domain { cache_file cache_backup_file cache_recovery_file }:file execute;
 
 # Protect most domains from executing arbitrary content from /data.
 neverallow {
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 7be9a3e8c7f9d874cf2792ceea282ee30917fc3a..d9b8d6b8eaec493db8912b537f35c777993855b8 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -49,9 +49,14 @@ allow domain_deprecated dalvikcache_data_file:dir { search getattr };
 allow domain_deprecated dalvikcache_data_file:file r_file_perms;
 
 # Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
+allow domain_deprecated { cache_file cache_recovery_file }:dir r_dir_perms;
+allow domain_deprecated { cache_file cache_recovery_file }:file { getattr read };
+allow domain_deprecated { cache_file cache_recovery_file }:lnk_file r_file_perms;
+
+# Likely not needed. auditallow to be sure
+auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:dir r_dir_perms;
+auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:file { getattr read };
+auditallow domain_deprecated cache_recovery_file:lnk_file r_file_perms;
 
 # For /acct/uid/*/tasks.
 allow domain_deprecated cgroup:dir { search write };
diff --git a/dumpstate.te b/dumpstate.te
index c3f9192867184ccd1d8cbcce2dbf096a9ace8ac9..633eabcb19e5aadc67a9ec678c9bb49e259cbc38 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -109,6 +109,10 @@ allow dumpstate net_data_file:file r_file_perms;
 allow dumpstate tombstone_data_file:dir r_dir_perms;
 allow dumpstate tombstone_data_file:file r_file_perms;
 
+# Access /cache/recovery
+allow dumpstate cache_recovery_file:dir r_dir_perms;
+allow dumpstate cache_recovery_file:file r_file_perms;
+
 allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 
diff --git a/file.te b/file.te
index 701d99107b1c339555f8966cdef4ceedaf84d94c..374ff6bd2ff2d082ec5e4ec00ca82d1902ea8859 100644
--- a/file.te
+++ b/file.te
@@ -145,6 +145,8 @@ type cache_file, file_type, mlstrustedobject;
 # Type for /cache/.*\.{data|restore} and default
 # type for anything under /cache/backup
 type cache_backup_file, file_type, mlstrustedobject;
+# Type for anything under /cache/recovery
+type cache_recovery_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
diff --git a/file_contexts b/file_contexts
index 0201a6d5748286765feff401ba6a6061af10fdba..a1fa8042ee1ed0ce0ccd891692358df5bf9a642e 100644
--- a/file_contexts
+++ b/file_contexts
@@ -317,6 +317,7 @@
 /cache/.*\.restore	u:object_r:cache_backup_file:s0
 # LocalTransport (backup) uses this directory
 /cache/backup(/.*)?	u:object_r:cache_backup_file:s0
+/cache/recovery(/.*)?	u:object_r:cache_recovery_file:s0
 #############################
 # sysfs files
 #
diff --git a/install_recovery.te b/install_recovery.te
index b11ff7497a4c7362522212aa2c4f1925aa10e502..1c47236ea93f19ea705ff1c1590367578cdb04f9 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -21,8 +21,11 @@ allow install_recovery boot_block_device:blk_file r_file_perms;
 allow install_recovery recovery_block_device:blk_file rw_file_perms;
 
 # Create and delete /cache/saved.file
-allow install_recovery cache_file:dir rw_dir_perms;
-allow install_recovery cache_file:file create_file_perms;
+allow install_recovery { cache_file cache_recovery_file }:dir rw_dir_perms;
+allow install_recovery { cache_file cache_recovery_file }:file create_file_perms;
+
+auditallow install_recovery cache_recovery_file:dir rw_dir_perms;
+auditallow install_recovery cache_recovery_file:file create_file_perms;
 
 # Write to /proc/sys/vm/drop_caches
 allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/platform_app.te b/platform_app.te
index 117b16f35e2787f056c79772222dcdd6ee35f6ae..038128805ef0a1fcff1ed5f9097f35d904cef5c6 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -25,8 +25,12 @@ allow platform_app media_rw_data_file:dir create_dir_perms;
 allow platform_app media_rw_data_file:file create_file_perms;
 
 # Write to /cache.
-allow platform_app cache_file:dir create_dir_perms;
-allow platform_app cache_file:file create_file_perms;
+allow platform_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow platform_app { cache_file cache_recovery_file }:file create_file_perms;
+
+# Likely not needed
+auditallow platform_app cache_recovery_file:dir create_dir_perms;
+auditallow platform_app cache_recovery_file:file create_file_perms;
 
 # Direct access to vold-mounted storage under /mnt/media_rw
 # This is a performance optimization that allows platform apps to bypass the FUSE layer
diff --git a/priv_app.te b/priv_app.te
index 59b4ea0ca24f10d9031e4c679a4d522ad34a6da5..70990447553193e479fd65014169424ecaaec103 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -33,8 +33,11 @@ allow priv_app persistent_data_block_service:service_manager find;
 allow priv_app mnt_media_rw_file:dir search;
 
 # Write to /cache.
-allow priv_app cache_file:dir create_dir_perms;
-allow priv_app cache_file:file create_file_perms;
+allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+
+auditallow priv_app cache_recovery_file:dir create_dir_perms;
+auditallow priv_app cache_recovery_file:file create_file_perms;
 
 # Access to /data/media.
 allow priv_app media_rw_data_file:dir create_dir_perms;
diff --git a/recovery.te b/recovery.te
index b4eb2851222d4a1136fe56cd3d5e3b730ebada11..d2cc90ea2fc538d1e4817d8ae575fdd765334299 100644
--- a/recovery.te
+++ b/recovery.te
@@ -73,9 +73,9 @@ recovery_only(`
   allow recovery tmpfs:file { create_file_perms x_file_perms };
   allow recovery tmpfs:dir create_dir_perms;
 
-  # Manage files on /cache
-  allow recovery cache_file:dir create_dir_perms;
-  allow recovery cache_file:file create_file_perms;
+  # Manage files on /cache and /cache/recovery
+  allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
+  allow recovery { cache_file cache_recovery_file }:file create_file_perms;
 
   # Read files on /oem.
   r_dir_file(recovery, oemfs);
diff --git a/system_server.te b/system_server.te
index bc861e77a8f3dc7e0893b52ced9a0d7f278d8f5f..97eb41584ac737ce2bea419e8c1fb71c6a412aa4 100644
--- a/system_server.te
+++ b/system_server.te
@@ -308,9 +308,9 @@ type_transition system_server system_data_file:sock_file system_ndebug_socket "n
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
 # Manage cache files.
-allow system_server cache_file:dir { relabelfrom create_dir_perms };
-allow system_server cache_file:file { relabelfrom create_file_perms };
-allow system_server cache_file:fifo_file create_file_perms;
+allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
+allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
+allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
 
 # Run system programs, e.g. dexopt.
 allow system_server system_file:file x_file_perms;
diff --git a/uncrypt.te b/uncrypt.te
index 7608538c3c2899ce822d978998eb89bd17da29ad..354bda0043088e6c2fccde552b8f2a152c29c7e6 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -17,9 +17,9 @@ userdebug_or_eng(`
 # Read /cache/recovery/command
 # Read /cache/recovery/uncrypt_file
 # Write to pipe file /cache/recovery/uncrypt_status
-allow uncrypt cache_file:dir rw_dir_perms;
-allow uncrypt cache_file:file create_file_perms;
-allow uncrypt cache_file:fifo_file w_file_perms;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+allow uncrypt cache_recovery_file:fifo_file w_file_perms;
 
 # Set a property to reboot the device.
 set_prop(uncrypt, powerctl_prop)
diff --git a/untrusted_app.te b/untrusted_app.te
index 12a629de8098f4049bbdb061de6675aab5695b3a..204335aae87b73033838c26af30936c1805b1cf0 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -147,5 +147,5 @@ neverallow untrusted_app file_type:file link;
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 
 # Do not allow untrusted_app access to /cache
-neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
-neverallow untrusted_app cache_file:file ~{ read getattr };
+neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };