diff --git a/file.te b/file.te
index 4f75d379d65d2dd85190948273b56bdcef27dda0..ac4220fd49ead70dff0f53f15c176d6c7f00cf5d 100644
--- a/file.te
+++ b/file.te
@@ -41,6 +41,9 @@ type unlabeled, file_type;
 type system_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type;
+# /data/.layout_version or other installd-created files that
+# are created in a system_data_file directory.
+type install_data_file, file_type, data_file_type;
 # /data/drm - DRM plugin data
 type drm_data_file, file_type, data_file_type;
 # /data/anr - ANR traces
diff --git a/file_contexts b/file_contexts
index ce263905988044865e52b541a605277b3bdec899..0926d745f7c73ceb40d6c2a0c02ae0706bb72536 100644
--- a/file_contexts
+++ b/file_contexts
@@ -164,6 +164,7 @@
 # Data files
 #
 /data(/.*)? u:object_r:system_data_file:s0
+/data/.layout_version u:object_r:install_data_file:s0
 /data/backup(/.*)? u:object_r:backup_data_file:s0
 /data/secure/backup(/.*)? u:object_r:backup_data_file:s0
 /data/security(/.*)? u:object_r:security_file:s0
diff --git a/installd.te b/installd.te
index 8f332b2487eeb75fcee736148b5011016d76054c..cabebc6aabf00676ed6bfbccee2707ec0f71e2ab 100644
--- a/installd.te
+++ b/installd.te
@@ -31,7 +31,8 @@ allow installd system_data_file:dir relabelfrom;
 allow installd media_rw_data_file:dir relabelto;
 # Create /data/.layout_version.* file
-allow installd system_data_file:file create_file_perms;
+type_transition installd system_data_file:file install_data_file;
+allow installd install_data_file:file create_file_perms;
 # Create files under /data/dalvik-cache.
 allow installd dalvikcache_data_file:dir create_dir_perms;
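Review bot: In the new file_contexts entry `/data/.layout_version`, the dot is an unescaped regular-expression metacharacter, so the pattern matches any single character in that position rather than only the literal file name. Writing it as `/data/\.layout_version u:object_r:install_data_file:s0` binds the label to the one intended path. The comment in installd.te refers to `/data/.layout_version.*`; if suffixed files can persist, this exact-name entry would not cover them and a later restorecon would presumably return them to system_data_file, which is worth confirming.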
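Review bot: In installd.te, dropping `allow installd system_data_file:file create_file_perms;` leaves no visible rule for a `/data/.layout_version` that already carries the old system_data_file label on an upgraded device, because the new type_transition only labels files created after this policy is loaded. Unless a rule or relabel step outside this diff handles the existing file first, installd would likely be denied access to it, so the upgrade path should be verified. The transition is also unnamed and therefore applies to every file installd creates in a system_data_file directory; I would say so at the rule, e.g. `# Files installd creates in system_data_file directories (such as /data/.layout_version.*) are labeled install_data_file by the transition below.`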
@@ -49,9 +50,9 @@ allow installd unlabeled:dir { getattr search relabelfrom };
 allow installd unlabeled:notdevfile_class_set { getattr relabelfrom };
 # Upgrade from before system_app_data_file was used for system UID apps.
-# Just need enough to relabel it.
+# Just need enough to relabel it and to unlink removed package files.
 # Directory access covered by earlier rule above.
-allow installd system_data_file:notdevfile_class_set { getattr relabelfrom };
+allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
 # Manage /data/data subdirectories, including initially labeling them
 # upon creation via setfilecon or running restorecon_recursive,
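Review bot: The `unlink` added to `allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };` grants more than the comment describes. system_data_file is the default type for anything under /data (per the comment in file.te) and notdevfile_class_set covers more than regular files, so installd may now remove any default-labeled object in a directory it can write to. If only leftover package files have to be removed, leaving the original `{ getattr relabelfrom }` rule as it was and adding a narrower `allow installd system_data_file:{ file lnk_file } unlink;` would keep the grant closer to the stated purpose. Which object classes actually need unlinking is not visible in this hunk and should be confirmed against installd's removal paths.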