diff --git a/domain.te b/domain.te
index 2ed20bb506dd64516a622cf1a6f1ea53f7638c13..ba4c65ac007da55a511d7446207f055a5c4262f0 100644
--- a/domain.te
+++ b/domain.te
@@ -263,7 +263,7 @@ neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_ty
 
 #
 # Assert that, to the extent possible, we're not loading executable content from
-# outside the /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few whitelisted domains.
 #
 neverallow {
     domain
@@ -274,6 +274,11 @@ neverallow {
     -system_server
     -zygote
 } { file_type -system_file -exec_type }:file execute;
+neverallow {
+    domain
+    -appdomain # for oemfs
+    -recovery # for /tmp/update_binary in tmpfs
+} { fs_type -rootfs }:file execute;
 
 # Only the init property service should write to /data/property.
 neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
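Review bot: The two exemptions in the new `neverallow { domain -appdomain -recovery } { fs_type -rootfs }:file execute;` rule are wider than their comments say: `-appdomain` drops every app domain from the assertion for every filesystem type other than rootfs, not just oemfs, and `-recovery` likewise for every type, not just tmpfs, so the rule no longer asserts anything about those domains executing from, say, sdcard or other mounted filesystems. The intent documented by `# for oemfs` and `# for /tmp/update_binary in tmpfs` is better expressed by narrowing the target set per domain instead of dropping the domain, e.g. `neverallow { domain -appdomain -recovery } { fs_type -rootfs }:file execute;`, `neverallow appdomain { fs_type -rootfs -oemfs }:file execute;`, `neverallow recovery { fs_type -rootfs -tmpfs }:file execute;` (this presumes `oemfs` and `tmpfs` carry the `fs_type` attribute in this policy — confirm in file.te). Whether `appdomain` is also exempted from the preceding `file_type -system_file -exec_type` rule cannot be seen here, as that rule's exception list begins outside the hunk; if it is, the two rules together leave app execution of non-system content unasserted on both axes, which is worth a comment at the rule. The header comment in the first hunk now says "rootfs or /system", which matches this rule, but a short note that the new rule is the rootfs half of that assertion (the first rule being the /system half) would make the pairing clear to the next reader.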