diff --git a/global_macros b/global_macros
index 62d59345fdc8ccd60fb9ada6b3cfd239353fdd6e..8d72868637d4a70db817eea2c7e81ccc1f8e66b2 100644
--- a/global_macros
+++ b/global_macros
@@ -25,14 +25,13 @@ define(`rx_file_perms', `{ r_file_perms x_file_perms }')
 define(`ra_file_perms', `{ r_file_perms append }')
 define(`rw_file_perms', `{ r_file_perms w_file_perms }')
 define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
-define(`link_file_perms', `{ getattr link unlink rename }')
-define(`create_file_perms', `{ create setattr rw_file_perms link_file_perms }')
+define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
 define(`r_dir_perms', `{ open getattr read search ioctl }')
 define(`w_dir_perms', `{ open search write add_name remove_name }')
 define(`ra_dir_perms', `{ r_dir_perms add_name write }')
 define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
-define(`create_dir_perms', `{ create reparent rmdir setattr rw_dir_perms link_file_perms }')
+define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
 define(`r_ipc_perms', `{ getattr read associate unix_read }')
 define(`w_ipc_perms', `{ write unix_write }')
diff --git a/untrusted_app.te b/untrusted_app.te
index d88414c6bc774c08ef3455540109ff740c8afc4a..f7ebdcbb8abe984b6ea522411a21c5f42f00e0f2 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -176,3 +176,11 @@ neverallow untrusted_app property_type:property_service set;
 # never be granted to any other domain within mlstrustedsubject)
 # and untrusted_app is allowed fork permission to itself.
 neverallow untrusted_app mlstrustedsubject:process fork;
+
+# Do not allow untrusted_app to hard link to any files.
+# In particular, if untrusted_app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure untrusted_app never has this
+# capability.
+neverallow untrusted_app file_type:file link;
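Review bot: The `link_file_perms` macro is deleted but nothing in the hunk shows that its remaining users were updated; any `.te` rule still naming `link_file_perms` will be left unexpanded by m4 and rejected by checkpolicy as an unknown permission, so the rest of the policy tree should be grepped before this lands. The new `create_file_perms` and `create_dir_perms` silently drop `link` (the old expansion carried it via `link_file_perms`), which is presumably deliberate so that no domain gets hard-link rights by default, but a reader of this file cannot tell that from the definitions alone. A one-line comment above `create_file_perms` would make the contract explicit, e.g. `# Deliberately excludes 'link': hard links must be granted per-domain, never via a generic macro.`. The surrounding `define` lines above and below the hunk are unchanged context.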
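Review bot: The new `neverallow untrusted_app file_type:file link;` only constrains the `file` object class, while `link` is one of the common file permissions shared by `lnk_file`, `fifo_file`, `sock_file`, `chr_file` and `blk_file` as well, so the comment's claim that untrusted_app may not "hard link to any files" is broader than what the rule enforces. The installd deletion concern described in the comment applies to any inode under app data, not just regular files, so either widen the class set, `neverallow untrusted_app file_type:{ file lnk_file fifo_file sock_file chr_file blk_file } link;`, or narrow the comment to say regular files. Worth noting in the comment that `neverallow` is a policy-compile-time assertion rather than a runtime deny, so it catches an accidental `allow` elsewhere but does not by itself remove one.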