diff --git a/dex2oat.te b/dex2oat.te
index 4252b88faa5ae94d718b1ead961292dd7d8b13dd..df3cc424543913a41c1428371e1b0a8ed27113b1 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -27,9 +27,9 @@ allow dex2oat otapreopt:fd use;
 allow dex2oat ota_data_file:dir ra_dir_perms;
 allow dex2oat ota_data_file:file r_file_perms;
 
-# Read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images, where
-# the oat file is symlinked to the original file in /system.
-allow dex2oat ota_data_file:lnk_file read;
+# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
+# where the oat file is symlinked to the original file in /system.
+allow dex2oat ota_data_file:lnk_file { create read };
 
 # It would be nice to tie this down, but currently, because of how images are written, we can't
 # pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
diff --git a/zygote.te b/zygote.te
index 22558048a66e2d50e12714ef265fd475432d9ad2..013d8c6aa96873368cdfd5e2bd178cdea88de8cb 100644
--- a/zygote.te
+++ b/zygote.te
@@ -96,11 +96,14 @@ r_dir_file(zygote, ota_data_file)
 allow zygote ota_data_file:dir { rw_dir_perms rename reparent };
 
 # And needs to relabel the entries, so as to have the dalvikcache_data_file label.
-allow zygote ota_data_file:{ dir file } relabelfrom;
-allow zygote dalvikcache_data_file:{ dir file } relabelto;
+allow zygote ota_data_file:{ dir file lnk_file } relabelfrom;
+allow zygote dalvikcache_data_file:{ dir file lnk_file } relabelto;
 
 # The zygote also cleans up the now-empty dalvik-cache directory after an OTA.
+# In case something goes wrong in relabelling, we also need to be able to delete the files that
+# have already been moved.
 allow zygote ota_data_file:dir rmdir;
+allow zygote ota_data_file:{ file lnk_file } unlink;
 
 ###
 ### neverallow rules