diff --git a/domain.te b/domain.te
index e544281f167f1785acb51e8a837433ff09b54192..f787d4a7af9195a3083443683856bbae3a78d934 100644
--- a/domain.te
+++ b/domain.te
@@ -354,6 +354,14 @@ neverallow {
   -dex2oat
 } dalvikcache_data_file:file no_w_file_perms;
 
+neverallow {
+  domain
+  -init
+  -installd
+  -dex2oat
+  -zygote
+} dalvikcache_data_file:dir no_w_dir_perms;
+
 # Only system_server should be able to send commands via the zygote socket
 neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
 neverallow { domain -system_server } zygote_socket:sock_file write;