diff --git a/domain.te b/domain.te
index 7d24d0db3bcfee1701555ee93d41a9702ba3e179..47181f6aeb25ed3e3f9c140307aa388a1be9eb1e 100644
--- a/domain.te
+++ b/domain.te
@@ -201,8 +201,8 @@ neverallow { domain -init } kernel:security setsecparam;
 # Only init, ueventd and system_server should be able to access HW RNG
 neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
 
-# Ensure that all entrypoint executables are in exec_type.
-neverallow * { file_type -exec_type }:file entrypoint;
+# Ensure that all entrypoint executables are in exec_type or postinstall_file.
+neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
 
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
 neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
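Review bot: Adding `-postinstall_file` to the exclusion set of the entrypoint neverallow means the rule no longer bounds which domains may use a postinstall_file as their entrypoint. Because the same commit drops `exec_type` from that type in file.te, a later `allow` granting entrypoint on it to some other domain would pass the build-time check. A companion rule such as `neverallow { domain -postinstall } postinstall_file:file entrypoint;` would keep the exemption scoped to the one domain that needs it. It could sit here or beside the new transition neverallow in postinstall.te, which restricts who may enter the postinstall domain but not which files may serve as entrypoints. Whether the rest of the policy already satisfies such a rule cannot be confirmed from the lines shown.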
diff --git a/file.te b/file.te
index 98bc8ed4acee5e452a9c2210c8d220b8637cc9cd..a04df934e6448726720e5d28ce1e9b7354e573d9 100644
--- a/file.te
+++ b/file.te
@@ -124,7 +124,7 @@ type storage_stub_file, file_type;
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type, exec_type;
+type postinstall_file, file_type;
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;
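Review bot: The comment above `type postinstall_file, file_type;` does not say that the type is deliberately kept out of exec_type while still being usable as an entrypoint, so a later editor could read the missing attribute as an oversight and restore it. I would extend the comment with `# Deliberately not exec_type; exempted by name in the entrypoint neverallow in domain.te.` Rules elsewhere that are written against the exec_type attribute will stop matching postinstall_file after this change. Those rules are not visible in this diff, so it is worth confirming that none of them was relied on to protect these files.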
diff --git a/postinstall.te b/postinstall.te
index 8afc56128dd7acf783f2b9c5f3c247d52e6ee92e..938fcd23f6065b10a6c73b8adb8888280001a2b1 100644
--- a/postinstall.te
+++ b/postinstall.te
@@ -18,3 +18,7 @@ allow postinstall postinstall_file:dir r_dir_perms;
 allow postinstall shell_exec:file rx_file_perms;
 allow postinstall system_file:file rx_file_perms;
 allow postinstall toolbox_exec:file rx_file_perms;
+
+# No domain other than update_engine should transition to postinstall, as it is
+# only meant to run during the update.
+neverallow { domain -update_engine } postinstall:process { transition dyntransition };