diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index ad84af9be1631c1df373475d33e1d7a3c8f390a9..f5231fbb3f975b8e8bff79956590e7157d99e4d7 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -7,6 +7,7 @@ auditallow {
   domain_deprecated
   -appdomain
   -installd
+  -recovery
   -sdcardd
   -surfaceflinger
   -system_server
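Review bot: Excluding `-recovery` from this auditallow set, and from the sets in the seven later hunks of this file, only silences the audit record. The underlying `allow domain_deprecated ...` rules still apply to recovery for as long as the type carries the attribute, so each exclusion should be backed by an explicit rule in recovery.te. This diff adds explicit reads only for `rootfs` and `sysfs`; for the `cache_file` blocks in the `-138,17` hunk and the other sets, no matching rule is visible here. Please confirm recovery.te already grants them, otherwise the access stays granted through the deprecated attribute without being logged and the dependency only surfaces as denials when the attribute is removed. The auditallow block continues outside this hunk, so its target type is not visible.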
@@ -25,6 +26,7 @@ auditallow {
   -fsck
   -healthd
   -installd
+  -recovery
   -servicemanager
   -system_server
   -ueventd
@@ -36,6 +38,7 @@ auditallow {
   domain_deprecated
   -healthd
   -installd
+  -recovery
   -servicemanager
   -system_server
   -ueventd
@@ -48,6 +51,7 @@ auditallow {
   -appdomain
   -healthd
   -installd
+  -recovery
   -servicemanager
   -system_server
   -ueventd
@@ -138,17 +142,20 @@ allow domain_deprecated cache_file:lnk_file r_file_perms;
 userdebug_or_eng(`
 auditallow {
   domain_deprecated
+  -recovery
   -system_server
   -vold
 } cache_file:dir { open read search ioctl lock };
 auditallow {
   domain_deprecated
   -appdomain
+  -recovery
   -system_server
   -vold
 } cache_file:dir getattr;
 auditallow {
   domain_deprecated
+  -recovery
   -system_server
   -vold
 } cache_file:file { getattr read };
@@ -190,6 +197,7 @@ auditallow {
   -healthd
   -netd
   -rild
+  -recovery
   -system_app
   -surfaceflinger
   -system_server
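Review bot: `-recovery` is inserted after `-rild` here and in the two following hunks (`-203,6` and `-216,6`), whereas in the earlier hunks it sits in alphabetical position after `-installd`. Placing it between `-netd` and `-rild` would keep the exclusion lists consistent and easier to scan when auditing which domains are exempt. The auditallow block starts and ends outside the hunk.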
@@ -203,6 +211,7 @@ auditallow {
   -healthd
   -netd
   -rild
+  -recovery
   -system_app
   -surfaceflinger
   -system_server
@@ -216,6 +225,7 @@ auditallow {
   -healthd
   -netd
   -rild
+  -recovery
   -system_app
   -surfaceflinger
   -system_server
diff --git a/public/recovery.te b/public/recovery.te
index 0f47be7050d7a616afdfae678dd642aa83ecd2fb..fe02a08109d7082367022db440fb32355362d2af 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -18,6 +18,7 @@ recovery_only(`
   allow recovery self:capability2 mac_admin;
 
   # Run helpers from / or /system without changing domain.
+  r_dir_file(recovery, rootfs)
   allow recovery rootfs:file execute_no_trans;
   allow recovery system_file:file execute_no_trans;
   allow recovery toolbox_exec:file rx_file_perms;
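Review bot: `r_dir_file(recovery, rootfs)` is placed under the comment `# Run helpers from / or /system without changing domain.`, but it grants read access to rootfs directories, files and symlinks in general, which is more than executing helpers needs. Give it its own comment stating why the read is needed, for example `# Read files and directories on rootfs; replaces access inherited via domain_deprecated.`, assuming that is the intent of the matching exclusions in domain_deprecated.te. The `recovery_only` block starts and ends outside the hunk.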
@@ -51,6 +52,7 @@ recovery_only(`
 
   # Write to /sys/class/android_usb/android0/enable.
   # TODO: create more specific label?
+  r_dir_file(recovery, sysfs)
   allow recovery sysfs:file w_file_perms;
 
   # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
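Review bot: The new `r_dir_file(recovery, sysfs)` sits between the `# Write to /sys/class/android_usb/android0/enable.` comment and the `allow recovery sysfs:file w_file_perms;` rule it describes, so the comment now appears to document a read grant. Move the macro above that comment and give it its own line, for example `# Read generic sysfs nodes; TODO: narrow once more specific labels exist.` The grant covers everything still labelled with the generic `sysfs` type, which is wider than the single node named here, so the existing TODO about a more specific label applies to it as well. The `recovery_only` block continues outside the hunk.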