diff --git a/app.te b/app.te
index aaf811a682d8a99a50aed5178f9e6bdd3f9734aa..fd16764aaa0e7b2762de4c3217e6236dcd856804 100644
--- a/app.te
+++ b/app.te
@@ -30,7 +30,7 @@ binder_call(appdomain, surfaceflinger)
 
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set create_file_perms;
+allow appdomain app_data_file:notdevfile_class_set { create_file_perms execute };
 
 # Read/write data files created by the platform apps if they
 # were passed to the app via binder or local IPC.  Do not allow open.