diff --git a/app.te b/app.te
index 5cef948fea17e864250da4db439414f7a91bd54b..090088f088a3c8a1f51e3b2b4bbea4cda1f80a46 100644
--- a/app.te
+++ b/app.te
@@ -46,7 +46,7 @@ binder_call(appdomain, surfaceflinger)
 
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set { create_file_perms execute };
+allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 
 # Read/write data files created by the platform apps if they
 # were passed to the app via binder or local IPC.  Do not allow open.
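Review bot: Nothing beside the new `allow appdomain app_data_file:notdevfile_class_set create_file_perms;` line stops a later per-domain file from quietly granting execute on app_data_file again, so the tightening is not enforced by the policy build. A compile-time assertion next to it would lock it in, for example `neverallow { appdomain -untrusted_app } app_data_file:file { execute execute_no_trans };`, provided no app domain outside this diff still relies on the old permission. A short comment such as `# execute on app data is granted per domain, not to all of appdomain` would also tell readers where the permission went.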
diff --git a/untrusted_app.te b/untrusted_app.te
index 80f60da604336cfca4da08911968bb36e54c2510..2630f9e146331a1c76df4738d0690df2bc1dda2b 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -15,6 +15,10 @@ app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow untrusted_app app_data_file:file rx_file_perms;
+
 allow untrusted_app tun_device:chr_file rw_file_perms;
 
 # Internal SDCard rw access.
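Review bot: The added `allow untrusted_app app_data_file:file rx_file_perms;` leaves untrusted_app able to both write and execute files of the same type, because appdomain still receives create_file_perms on app_data_file in app.te, and the new comment does not say this is a deliberate exception. If rx_file_perms expands as it does in the stock global macros (not visible on this page), it also includes execute_no_trans, so binaries run from the sandbox directory stay in the untrusted_app domain. I would extend the comment to record that, e.g. `# Compatibility exception: app-written files remain executable in this domain only; do not copy this rule to other app domains.`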