diff --git a/public/attributes b/public/attributes
index 2b28cf020c6137c690bac3f66154af0030723616..268f1386bb357084a46360ad2b330af5181c9c58 100644
--- a/public/attributes
+++ b/public/attributes
@@ -29,6 +29,7 @@ attribute exec_type;
 
 # All types used for /data files.
 attribute data_file_type;
+expandattribute data_file_type false;
 # All types in /data, not in /data/vendor
 attribute core_data_file_type;
 # All types in /vendor
diff --git a/public/file.te b/public/file.te
index bf8223a5ec77735053f7e1de1cbe218b151f6122..56533189c22846c051a2738c1dbdb02b1c37045c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -218,13 +218,13 @@ type app_data_file, file_type, data_file_type, core_data_file_type;
 type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
 # Default type for anything under /cache
-type cache_file, file_type, mlstrustedobject;
+type cache_file, file_type, data_file_type, mlstrustedobject;
 # Type for /cache/backup_stage/* (fd interchange with apps)
-type cache_backup_file, file_type, mlstrustedobject;
+type cache_backup_file, file_type, data_file_type, mlstrustedobject;
 # type for anything under /cache/backup (local transport storage)
-type cache_private_backup_file, file_type;
+type cache_private_backup_file, file_type, data_file_type;
 # Type for anything under /cache/recovery
-type cache_recovery_file, file_type, mlstrustedobject;
+type cache_recovery_file, file_type, data_file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
@@ -252,7 +252,7 @@ type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedob
 
 # Socket types
 type adbd_socket, file_type, coredomain_socket;
-type bluetooth_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, data_file_type, coredomain_socket;
 type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
 type dumpstate_socket, file_type, coredomain_socket;
 type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
@@ -262,22 +262,22 @@ type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
 type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
 type mdns_socket, file_type, coredomain_socket;
 type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
-type misc_logd_file, coredomain_socket, file_type;
+type misc_logd_file, coredomain_socket, file_type, data_file_type;
 type mtpd_socket, file_type, coredomain_socket;
 type netd_socket, file_type, coredomain_socket;
 type property_socket, file_type, coredomain_socket, mlstrustedobject;
 type racoon_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, coredomain_socket;
-type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
+type system_wpa_socket, file_type, data_file_type, coredomain_socket;
+type system_ndebug_socket, file_type, data_file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_java_trace_socket, file_type, mlstrustedobject;
 type tombstoned_intercept_socket, file_type, coredomain_socket;
 type uncrypt_socket, file_type, coredomain_socket;
 type vold_socket, file_type, coredomain_socket;
 type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type;
+type wpa_socket, file_type, data_file_type;
 type zygote_socket, file_type, coredomain_socket;
 # UART (for GPS) control proc file
 type gps_control, file_type;
diff --git a/public/recovery.te b/public/recovery.te
index 99d792cbe64abccac3d169d0be3d06593d0c67a8..f705241910cec040c0dac0ac22f6788fa9355b91 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -145,5 +145,13 @@ recovery_only(`
 # domains, including recovery.
 #
 # TODO: tighten this up further.
-neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
-neverallow recovery data_file_type:dir no_w_dir_perms;
+neverallow recovery {
+   data_file_type
+   -cache_file
+   -cache_recovery_file
+}:file { no_w_file_perms no_x_file_perms };
+neverallow recovery {
+   data_file_type
+   -cache_file
+   -cache_recovery_file
+}:dir no_w_dir_perms;
diff --git a/vendor/file.te b/vendor/file.te
index aeafb4aa64ba3d1989728dd69a85c259453cb7bb..3350b1e0b6badfdd70c716d39eb40acb1fb4fad8 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,2 +1,2 @@
 # Socket types
-type hostapd_socket, file_type;
+type hostapd_socket, file_type, data_file_type;