diff --git a/app.te b/app.te
index 94dcfc5bdd443dd337a25c75b804c9998f36c891..48aebbf0a00cf09661cff0e2bb99063367a4c02c 100644
--- a/app.te
+++ b/app.te
@@ -390,6 +390,7 @@ neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
 neverallow appdomain {
   apk_data_file
   cache_file
+  cache_recovery_file
   dev_type
   rootfs
   system_file
diff --git a/domain.te b/domain.te
index aac71fcb1950b673f2f12e3d6d0b7552ce8ae357..787e79868c5035bfe4aba4489b12cdcf2c353d7b 100644
--- a/domain.te
+++ b/domain.te
@@ -258,7 +258,7 @@ neverallow {
     -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
 # Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file }:file execute;
+neverallow domain { cache_file cache_backup_file cache_recovery_file }:file execute;
 
 # Protect most domains from executing arbitrary content from /data.
 neverallow {
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 7be9a3e8c7f9d874cf2792ceea282ee30917fc3a..d9b8d6b8eaec493db8912b537f35c777993855b8 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -49,9 +49,14 @@ allow domain_deprecated dalvikcache_data_file:dir { search getattr };
 allow domain_deprecated dalvikcache_data_file:file r_file_perms;
 
 # Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
+allow domain_deprecated { cache_file cache_recovery_file }:dir r_dir_perms;
+allow domain_deprecated { cache_file cache_recovery_file }:file { getattr read };
+allow domain_deprecated { cache_file cache_recovery_file }:lnk_file r_file_perms;
+
+# Likely not needed. auditallow to be sure
+auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:dir r_dir_perms;
+auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:file { getattr read };
+auditallow domain_deprecated cache_recovery_file:lnk_file r_file_perms;
 
 # For /acct/uid/*/tasks.
 allow domain_deprecated cgroup:dir { search write };
diff --git a/dumpstate.te b/dumpstate.te
index b7c0103e76fe93c7f45ed91b1d1b64d1608f0cd2..667c8fc6b56674092a6bf726554d2128deea05a6 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -109,6 +109,10 @@ allow dumpstate net_data_file:file r_file_perms;
 allow dumpstate tombstone_data_file:dir r_dir_perms;
 allow dumpstate tombstone_data_file:file r_file_perms;
 
+# Access /cache/recovery
+allow dumpstate cache_recovery_file:dir r_dir_perms;
+allow dumpstate cache_recovery_file:file r_file_perms;
+
 allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 
diff --git a/file.te b/file.te
index 1fbda3c0da7804ba9448dad5fbb293ced75cb4a8..eb25377e8b3bd97a07f0a18b86d49e5d2c33bc3e 100644
--- a/file.te
+++ b/file.te
@@ -146,6 +146,8 @@ type cache_file, file_type, mlstrustedobject;
 # Type for /cache/.*\.{data|restore} and default
 # type for anything under /cache/backup
 type cache_backup_file, file_type, mlstrustedobject;
+# Type for anything under /cache/recovery
+type cache_recovery_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
diff --git a/file_contexts b/file_contexts
index f2f8013c7cc95fd3fc83365fd89833fde039ae90..e553821c824e427e3a0ffe2d82afe0955ca5c307 100644
--- a/file_contexts
+++ b/file_contexts
@@ -319,6 +319,7 @@
 /cache/.*\.restore	u:object_r:cache_backup_file:s0
 # LocalTransport (backup) uses this directory
 /cache/backup(/.*)?	u:object_r:cache_backup_file:s0
+/cache/recovery(/.*)?	u:object_r:cache_recovery_file:s0
 #############################
 # sysfs files
 #
diff --git a/install_recovery.te b/install_recovery.te
index b11ff7497a4c7362522212aa2c4f1925aa10e502..1c47236ea93f19ea705ff1c1590367578cdb04f9 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -21,8 +21,11 @@ allow install_recovery boot_block_device:blk_file r_file_perms;
 allow install_recovery recovery_block_device:blk_file rw_file_perms;
 
 # Create and delete /cache/saved.file
-allow install_recovery cache_file:dir rw_dir_perms;
-allow install_recovery cache_file:file create_file_perms;
+allow install_recovery { cache_file cache_recovery_file }:dir rw_dir_perms;
+allow install_recovery { cache_file cache_recovery_file }:file create_file_perms;
+
+auditallow install_recovery cache_recovery_file:dir rw_dir_perms;
+auditallow install_recovery cache_recovery_file:file create_file_perms;
 
 # Write to /proc/sys/vm/drop_caches
 allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/platform_app.te b/platform_app.te
index 16ed2cab280a7236550a8a2fe8de30ccedfffdd2..e5cd0a66020e742cffc2ec1a9c4cd0ce875a47b0 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -25,8 +25,12 @@ allow platform_app media_rw_data_file:dir create_dir_perms;
 allow platform_app media_rw_data_file:file create_file_perms;
 
 # Write to /cache.
-allow platform_app cache_file:dir create_dir_perms;
-allow platform_app cache_file:file create_file_perms;
+allow platform_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow platform_app { cache_file cache_recovery_file }:file create_file_perms;
+
+# Likely not needed
+auditallow platform_app cache_recovery_file:dir create_dir_perms;
+auditallow platform_app cache_recovery_file:file create_file_perms;
 
 # Direct access to vold-mounted storage under /mnt/media_rw
 # This is a performance optimization that allows platform apps to bypass the FUSE layer
diff --git a/priv_app.te b/priv_app.te
index 7baed2e95a90e9c46c7b6700f3796549f2e0f2be..4a25787ab3f7163baec048c75d7da12555ef82e6 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -35,8 +35,11 @@ allow priv_app persistent_data_block_service:service_manager find;
 allow priv_app mnt_media_rw_file:dir search;
 
 # Write to /cache.
-allow priv_app cache_file:dir create_dir_perms;
-allow priv_app cache_file:file create_file_perms;
+allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+
+auditallow priv_app cache_recovery_file:dir create_dir_perms;
+auditallow priv_app cache_recovery_file:file create_file_perms;
 
 # Access to /data/media.
 allow priv_app media_rw_data_file:dir create_dir_perms;
diff --git a/recovery.te b/recovery.te
index b4eb2851222d4a1136fe56cd3d5e3b730ebada11..d2cc90ea2fc538d1e4817d8ae575fdd765334299 100644
--- a/recovery.te
+++ b/recovery.te
@@ -73,9 +73,9 @@ recovery_only(`
   allow recovery tmpfs:file { create_file_perms x_file_perms };
   allow recovery tmpfs:dir create_dir_perms;
 
-  # Manage files on /cache
-  allow recovery cache_file:dir create_dir_perms;
-  allow recovery cache_file:file create_file_perms;
+  # Manage files on /cache and /cache/recovery
+  allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
+  allow recovery { cache_file cache_recovery_file }:file create_file_perms;
 
   # Read files on /oem.
   r_dir_file(recovery, oemfs);
diff --git a/system_server.te b/system_server.te
index ee0d97dd4657dfc64d99454a8eaf0fcd9aa5c50d..2efc8c23763286490081051de0b2ba392eeb8d5d 100644
--- a/system_server.te
+++ b/system_server.te
@@ -313,9 +313,9 @@ type_transition system_server system_data_file:sock_file system_ndebug_socket "n
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
 # Manage cache files.
-allow system_server cache_file:dir { relabelfrom create_dir_perms };
-allow system_server cache_file:file { relabelfrom create_file_perms };
-allow system_server cache_file:fifo_file create_file_perms;
+allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
+allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
+allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
 
 # Run system programs, e.g. dexopt.
 allow system_server system_file:file x_file_perms;
diff --git a/uncrypt.te b/uncrypt.te
index 7608538c3c2899ce822d978998eb89bd17da29ad..354bda0043088e6c2fccde552b8f2a152c29c7e6 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -17,9 +17,9 @@ userdebug_or_eng(`
 # Read /cache/recovery/command
 # Read /cache/recovery/uncrypt_file
 # Write to pipe file /cache/recovery/uncrypt_status
-allow uncrypt cache_file:dir rw_dir_perms;
-allow uncrypt cache_file:file create_file_perms;
-allow uncrypt cache_file:fifo_file w_file_perms;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+allow uncrypt cache_recovery_file:fifo_file w_file_perms;
 
 # Set a property to reboot the device.
 set_prop(uncrypt, powerctl_prop)
diff --git a/untrusted_app.te b/untrusted_app.te
index b26c538fcc4b67716a1b82acb83c3ba5a418fc47..9e418731c2a0c7a9dd65dfcfa42c8ec0bdfc8912 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -155,5 +155,5 @@ neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 neverallowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
 
 # Do not allow untrusted_app access to /cache
-neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
-neverallow untrusted_app cache_file:file ~{ read getattr };
+neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };