diff --git a/app.te b/app.te
index 7d4acfb706163baf30ec4b054a42967ebdbe1f23..00af7e76dc9f558c95e37f331d86c246dc796728 100644
--- a/app.te
+++ b/app.te
@@ -158,6 +158,10 @@ allow appdomain usbaccessory_device:chr_file { read write getattr };
 # For art.
 allow appdomain dalvikcache_data_file:file execute;
 
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+allow appdomain unlabeled:file x_file_perms;
+
 ###
 ### CTS-specific rules
 ###
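Review bot: The new grant `allow appdomain unlabeled:file x_file_perms;` is wider than the parallel rules this change adds in system_server.te and zygote.te, which grant only `execute`; if `x_file_perms` expands as in global_macros.te to `{ getattr execute execute_no_trans }`, every app domain, including untrusted apps, can now exec an unlabeled file directly without a domain transition rather than merely mapping it PROT_EXEC. The comment explains the legacy-userdata motivation but gives no case that needs execute_no_trans. Either narrow the line to `allow appdomain unlabeled:file execute;` to match the other two files, or extend the comment with the specific reason execute_no_trans is required so the wider grant is not read as an oversight later.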
diff --git a/domain.te b/domain.te
index 653a5077690ed57e172752f7e02a77c8d0f8ba91..103d690b08e24d5c3afcc5ca8789e8cba7570080 100644
--- a/domain.te
+++ b/domain.te
@@ -129,9 +129,8 @@ allow domain security_file:file getattr;
 # capability, it's essentially useless. This is needed to allow an app with
 # relabelto to relabel unlabeled files.
 #
-allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
+allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
-allow domain unlabeled:lnk_file { create_file_perms };
 neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 
 ###
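Review bot: The rewritten rule `allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };` changes two things the surrounding comment does not record: execute on unlabeled files is no longer granted domain-wide (it is re-added per domain in app.te, system_server.te and zygote.te), and the class set now presumably also covers sock_file and fifo_file, which the old file/lnk_file pair did not. The comment block that explains this rule starts above the hunk, so I cannot see whether it still describes the intent accurately. I would add directly above the allow line `# execute on unlabeled files is deliberately not granted here; domains that need it grant it themselves.` so the next reader does not reintroduce rwx_file_perms at this level, and state whether the sock_file/fifo_file coverage is intended or a side effect of switching to the class-set macro.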
diff --git a/system_server.te b/system_server.te
index 37d4cc632252020e8db915b18c60cc8a1cd3cf0b..22d739bd268e78f421bca0f050499e68f20e1907 100644
--- a/system_server.te
+++ b/system_server.te
@@ -239,3 +239,8 @@ allow system_server fscklogs:file unlink;
 
 # For SELinuxPolicyInstallReceiver
 selinux_manage_policy(system_server)
+
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
+allow system_server unlabeled:file execute;
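Review bot: The comment scopes the rule to dalvikcache, but `allow system_server unlabeled:file execute;` applies to every unlabeled regular file system_server can open, because unlabeled files share one type and nothing in the rule can tie it to the dalvik-cache directory; the identical rule added in zygote.te has the same property. The comment should say that the grant is deliberately broader than its motivating case and name the condition under which it is removed, e.g. `# Cannot be scoped to dalvik-cache: all unlabeled files share one type.` and `# Remove once existing devices have relabeled userdata.`. Without that, the rule reads as narrowly targeted and is likely to outlive the legacy devices it is meant for.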
diff --git a/zygote.te b/zygote.te
index 9092457e42a7bac9937f60daa7f878dba0762014..daa9782647b5e7dab74700187ef451184e5eef6b 100644
--- a/zygote.te
+++ b/zygote.te
@@ -50,3 +50,8 @@ allow zygote ashmem_device:chr_file execute;
 allow zygote shell_data_file:file { write getattr };
 allow zygote system_server:binder { transfer call };
 allow zygote servicemanager:binder { call };
+
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
+allow zygote unlabeled:file execute;