diff --git a/domain.te b/domain.te
index bd8ff25a93439ba5f41020f82f5d3cfbb85eaec4..0028a17a8c59d20fdde3321f77ba0758593e9a59 100644
--- a/domain.te
+++ b/domain.te
@@ -243,7 +243,7 @@ neverallow domain init:binder call;
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
diff --git a/file_contexts b/file_contexts
index 7db698fa8a5be7a766111eaad3ff1dba49854f0f..5cc65972ee6da4199a085e8be984f218883446ed 100644
--- a/file_contexts
+++ b/file_contexts
@@ -159,6 +159,8 @@
 /system/bin/uncrypt     u:object_r:uncrypt_exec:s0
 /system/bin/logwrapper  u:object_r:system_file:s0
 /system/bin/vdc         u:object_r:vdc_exec:s0
+/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
+
 #############################
 # Vendor files
 #
diff --git a/install_recovery.te b/install_recovery.te
new file mode 100644
index 0000000000000000000000000000000000000000..46a7b978de00df0dced72132dd8dd51d63860457
--- /dev/null
+++ b/install_recovery.te
@@ -0,0 +1,31 @@
+# service flash_recovery in init.rc
+type install_recovery, domain;
+type install_recovery_exec, exec_type, file_type;
+
+permissive_or_unconfined(install_recovery)
+
+init_daemon_domain(install_recovery)
+
+allow install_recovery self:capability dac_override;
+
+# /system/bin/install-recovery.sh is a shell script.
+# Needs to execute /system/bin/sh
+allow install_recovery shell_exec:file rx_file_perms;
+
+# Execute /system/bin/applypatch
+allow install_recovery system_file:file rx_file_perms;
+
+# Update the recovery block device
+# TODO: Limit this to only recovery block device when we
+# create an appropriate label for it.
+allow install_recovery block_device:dir search;
+allow install_recovery block_device:blk_file rw_file_perms;
+
+# Create and delete /cache/saved.file
+allow install_recovery cache_file:dir rw_dir_perms;
+allow install_recovery cache_file:file create_file_perms;
+
+# Write to /proc/sys/vm/drop_caches
+# TODO: create a specific label for this file instead of allowing
+# write for all /proc files.
+allow install_recovery proc:file w_file_perms;