diff --git a/domain.te b/domain.te
index b13ad75f8a91368b34e40265779832bc8c61df57..6d755a75c39350a6b7a8d799171898d0c5ab6911 100644
--- a/domain.te
+++ b/domain.te
@@ -147,6 +147,9 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 ### neverallow rules
 ###
 
+neverallow domain self:capability2 mac_override;
+neverallow { domain -recovery } self:capability2 mac_admin;
+
 # Only init should be able to load SELinux policies.
 # The first load technically occurs while still in the kernel domain,
 # but this does not trigger a denial since there is no policy yet.
diff --git a/recovery.te b/recovery.te
index eb2a2b0aec01d0865d5c730d3b1b36039e3f61a1..abcf0cfd4251813f286f95e7173bfe6739ad2e64 100644
--- a/recovery.te
+++ b/recovery.te
@@ -4,6 +4,8 @@ allow recovery rootfs:file entrypoint;
 unconfined_domain(recovery)
 relabelto_domain(recovery)
 
+allow recovery self:capability2 mac_admin;
+
 allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
 allow recovery unlabeled:filesystem mount;
 
diff --git a/unconfined.te b/unconfined.te
index 9facc2e181568d272029f0f783c72ddf3665a4a3..8d424f3eef2f10f14d2619774fea5763c9ee0b27 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -16,7 +16,8 @@
 # The use of this template is discouraged.
 ######################################################
 
-allow unconfineddomain self:capability_class_set *;
+allow unconfineddomain self:capability *;
+allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
 allow unconfineddomain kernel:system *;
 allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };