diff --git a/app.te b/app.te
index 80c40aac8a1c02070ab1b300ce095aaf553608fb..02e3f11aa88258b87677b40becde0d73e6081622 100644
--- a/app.te
+++ b/app.te
@@ -9,6 +9,7 @@
 
 # Dalvik Compiler JIT Mapping.
 allow appdomain self:process execmem;
+allow appdomain ashmem_device:chr_file execute;
 
 # Allow apps to connect to the keystore
 unix_socket_connect(appdomain, keystore, keystore)
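Review bot: The added `allow appdomain ashmem_device:chr_file execute;` is keyed on the `appdomain` attribute, so every app domain, including any untrusted one carrying that attribute, can map /dev/ashmem with PROT_EXEC alongside the existing `execmem` grant. The heading above it only says "Dalvik Compiler JIT Mapping" and does not explain why ashmem needs to be executable. I would add a line such as `# JIT code cache is ashmem-backed and mapped PROT_EXEC; drop together with execmem.` so the rule can be found and removed once it is no longer required. If only a subset of app domains actually JIT, which cannot be determined from this diff, scoping the rule to those domains instead of the attribute would be tighter.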
diff --git a/system_server.te b/system_server.te
index 4c73627eeca67e3de6209c4a15e59a610d072757..1b60ea7166e84f79fce28060022094e704395964 100644
--- a/system_server.te
+++ b/system_server.te
@@ -5,8 +5,13 @@
 type system_server, domain, mlstrustedsubject;
 permissive system_server;
 
+# Define a type for tmpfs-backed ashmem regions.
+tmpfs_domain(system_server)
+
 # Dalvik Compiler JIT Mapping.
 allow system_server self:process execmem;
+allow system_server ashmem_device:chr_file execute;
+allow system_server system_server_tmpfs:file execute;
 
 # For art.
 allow system_server dalvikcache_data_file:file execute;
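Review bot: The added `allow system_server system_server_tmpfs:file execute;` lets system_server execute-map a type it can also write, because `tmpfs_domain(system_server)` still grants `{ read write }` on `system_server_tmpfs` after the te_macros change in this commit. That is a writable-and-executable path in a highly privileged domain. The `permissive system_server;` line above also means no denial will show whether the rule is really needed. The grant appears to exist only for the JIT (inferred from the "Dalvik Compiler JIT Mapping" heading), so I would document it, e.g. `# W+X on own ashmem regions: required by the JIT only; revisit before making system_server enforcing.`. The same applies to the `ashmem_device:chr_file execute` rule on the line before it.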
@@ -95,7 +100,6 @@ unix_socket_send(system_server, wpa, wpa)
 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 
 # Perform Binder IPC.
-tmpfs_domain(system_server)
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, appdomain)
diff --git a/te_macros b/te_macros
index 3ccb86feac79065b6b193b612b76bd2457841ab4..a05b7aca24893f3da1359df7541a2b0e1e3999de 100644
--- a/te_macros
+++ b/te_macros
@@ -88,8 +88,7 @@ typeattribute $1 unconfineddomain;
 define(`tmpfs_domain', `
 type $1_tmpfs, file_type;
 type_transition $1 tmpfs:file $1_tmpfs;
-# Map with PROT_EXEC.
-allow $1 $1_tmpfs:file { read write execute execmod };
+allow $1 $1_tmpfs:file { read write };
 ')
 
 #####################################
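Review bot: The `tmpfs_domain` macro now grants only `{ read write }`, but the removed "Map with PROT_EXEC" comment is not replaced by anything saying that execute is deliberately withheld. A later editor could add it back to the macro and silently widen every caller. I would put a comment above the allow line such as `# No execute here on purpose: callers that must map their tmpfs/ashmem objects PROT_EXEC add it explicitly.`. Any caller of `tmpfs_domain` other than `app_domain` and system_server is outside this diff and loses `execute` and `execmod` with this change, so those callers should be checked for new denials.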
@@ -108,6 +107,8 @@ define(`app_domain', `
 typeattribute $1 appdomain;
 # Label ashmem objects with our own unique type.
 tmpfs_domain($1)
+# Map with PROT_EXEC.
+allow $1 $1_tmpfs:file execute;
 ')
 
 #####################################
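Review bot: The rule added to `app_domain` restores `execute` on `$1_tmpfs` but not `execmod`, which the old `tmpfs_domain` macro granted together with it. Dropping `execmod` is the safer choice, since that permission is what allows making a modified private file mapping executable. Nothing on the page says whether it was intentional, though. I would record the decision in the comment, for example `# Map with PROT_EXEC. execmod is intentionally not granted.`, so a future denial is not answered by re-adding it by reflex.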
@@ -163,8 +164,6 @@ allow $1 $3:unix_dgram_socket sendto;
 define(`binder_use', `
 # Call the servicemanager and transfer references to it.
 allow $1 servicemanager:binder { call transfer };
-# Map /dev/ashmem with PROT_EXEC.
-allow $1 ashmem_device:chr_file execute;
 # rw access to /dev/binder and /dev/ashmem is presently granted to
 # all domains in domain.te.
 ')