diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index ec478d1596b7ac82080c923fc90a7c6d97f64a28..19358dee65000f4ad16252b814d14e252ff9f484 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -7,6 +7,7 @@ auditallow {
   domain_deprecated
   -appdomain
   -installd
+  -recovery
   -sdcardd
   -surfaceflinger
   -system_server
@@ -25,6 +26,7 @@ auditallow {
   -fsck
   -healthd
   -installd
+  -recovery
   -servicemanager
   -system_server
   -ueventd
@@ -36,6 +38,7 @@ auditallow {
   domain_deprecated
   -healthd
   -installd
+  -recovery
   -servicemanager
   -system_server
   -ueventd
@@ -48,6 +51,7 @@ auditallow {
   -appdomain
   -healthd
   -installd
+  -recovery
   -servicemanager
   -system_server
   -ueventd
@@ -128,17 +132,20 @@ allow domain_deprecated cache_file:lnk_file r_file_perms;
 userdebug_or_eng(`
 auditallow {
   domain_deprecated
+  -recovery
   -system_server
   -vold
 } cache_file:dir { open read search ioctl lock };
 auditallow {
   domain_deprecated
   -appdomain
+  -recovery
   -system_server
   -vold
 } cache_file:dir getattr;
 auditallow {
   domain_deprecated
+  -recovery
   -system_server
   -vold
 } cache_file:file { getattr read };
@@ -177,6 +184,7 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
+  -recovery
   -system_app
   -surfaceflinger
   -system_server
@@ -189,6 +197,7 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
+  -recovery
   -system_app
   -surfaceflinger
   -system_server
@@ -201,6 +210,7 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
+  -recovery
   -system_app
   -surfaceflinger
   -system_server
diff --git a/public/recovery.te b/public/recovery.te
index 6e211ac0ec997a60c95544d36f61f631b41d05e1..e072cfce1bebe60d642c5e8c5ff524bb8e800ae6 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -18,6 +18,7 @@ recovery_only(`
   allow recovery self:capability2 mac_admin;
 
   # Run helpers from / or /system without changing domain.
+  r_dir_file(recovery, rootfs)
   allow recovery rootfs:file execute_no_trans;
   allow recovery system_file:file execute_no_trans;
   allow recovery toolbox_exec:file rx_file_perms;
@@ -56,6 +57,7 @@ recovery_only(`
 
   # Write to /sys/class/android_usb/android0/enable.
   # TODO: create more specific label?
+  r_dir_file(recovery, sysfs)
   allow recovery sysfs:file w_file_perms;
 
   # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.