diff --git a/system_server.te b/system_server.te
index c67f2f9fc7fda0a646f6b71a397a31d93de2518a..51e40eb558c96d9260b50eab4b6bdb5f83355ad0 100644
--- a/system_server.te
+++ b/system_server.te
@@ -489,3 +489,9 @@ neverallow system_server sdcard_type:file rw_file_perms;
 # Types extracted from seapp_contexts type= fields, excluding
 # those types that system_server needs to open directly.
 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
+
+# system_server should never be executing dex2oat. This is either
+# a bug (for example, bug 16317188), or represents an attempt by
+# system server to dynamically load a dex file, something we do not
+# want to allow.
+neverallow system_server dex2oat_exec:file no_x_file_perms;