diff --git a/app.te b/app.te
index 0049fe47d3545723af0b84ba6a39c5c699722c2c..eadf5390b39f71fece278c96b819cbcc75d14d49 100644
--- a/app.te
+++ b/app.te
@@ -51,7 +51,7 @@ allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
-allow appdomain system_data_file:file { execute execute_no_trans open };
+allow appdomain system_data_file:file { execute execute_no_trans open execmod };
 
 # Access to OEM provided data and apps
 allow appdomain oemfs:dir r_dir_perms;
diff --git a/untrusted_app.te b/untrusted_app.te
index b7a2cef6c295d2c6c261e56613407689fb79d52d..50a02da689fc988e98b6197f00aafe693c6764c3 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -27,7 +27,7 @@ bluetooth_domain(untrusted_app)
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow untrusted_app app_data_file:file rx_file_perms;
+allow untrusted_app app_data_file:file { rx_file_perms execmod };
 
 allow untrusted_app tun_device:chr_file rw_file_perms;
 
@@ -35,7 +35,7 @@ allow untrusted_app tun_device:chr_file rw_file_perms;
 allow untrusted_app asec_apk_file:dir { getattr };
 allow untrusted_app asec_apk_file:file r_file_perms;
 # Execute libs in asec containers.
-allow untrusted_app asec_public_file:file execute;
+allow untrusted_app asec_public_file:file { execute execmod };
 
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm