diff --git a/public/domain.te b/public/domain.te
index b464fc6bf465898bc793ddbc6a216a233034aac9..f732676d57bd17e3746a5fae66c6b12119b58102 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -653,3 +653,10 @@ neverallow {
 # Do not allow kernel module loading except from system,
 # vendor, and boot partitions.
 neverallow * ~{ system_file rootfs }:system module_load;
+
+# Only allow filesystem caps to be set at build time or
+# during upgrade by recovery.
+neverallow {
+  domain
+  -recovery
+} self:capability setfcap;
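Review bot: The new neverallow restricts `setfcap` only in the `capability` class, so if this policy also declares a `cap_userns` class, a domain that enters a user namespace could still be granted `setfcap` there without tripping this rule; whether a parallel `neverallow { domain -recovery } self:cap_userns setfcap;` is intended is not visible from the hunk and is worth confirming. The comment is also slightly misleading, since a neverallow cannot speak to build time: `# File capabilities are applied at build time; at runtime only recovery (during an OTA) may set them.` would state what the rule actually enforces. The `-recovery` exemption deserves a why-comment naming the upgrade path that needs it, so a later reviewer does not widen or drop it without that context.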