diff --git a/system_server.te b/system_server.te
index 6ab48e76bc78271ec7ba0f76c3fc0e28733cefa1..7baf3ee4a20208f4e8e195c30f82958b69109152 100644
--- a/system_server.te
+++ b/system_server.te
@@ -314,8 +314,9 @@ allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_
 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
 
-# Run system programs, e.g. dexopt.
+# Run system programs, e.g. dexopt. Needed? (b/28035297)
 allow system_server system_file:file x_file_perms;
+auditallow system_server system_file:file execute_no_trans;
 
 # LocationManager(e.g, GPS) needs to read and write
 # to uart driver and ctrl proc entry
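Review bot: The new `auditallow system_server system_file:file execute_no_trans;` has no comment stating what the audit data is for, and the `Needed? (b/28035297)` tag on the allow above it leaves the reader to guess whether that allow is slated for removal or being kept. An auditallow only logs, it does not deny, so if `x_file_perms` still expands to include execute_no_trans (as it appears to), system_server keeps that permission and the rule is purely a measurement; the tracking bug alone does not say so. Suggest replacing the two comment lines with `# Run system programs, e.g. dexopt. The auditallow below logs execute_no_trans` / `# on system_file so we can tell whether this allow is still needed (b/28035297).` and noting in the same comment who is expected to remove the audit rule once the data is in, so it does not become permanent.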
@@ -467,13 +468,24 @@ neverallow system_server sdcard_type:file rw_file_perms;
 # those types that system_server needs to open directly.
 neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
 
+# Forking and execing is inherently dangerous and racy. See, for
+# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
+# Prevent the addition of new file execs to stop the problem from
+# getting worse. b/28035297
+neverallow system_server { file_type -toolbox_exec -logcat_exec -system_file }:file execute_no_trans;
+
+# System server should never transition to a new domain. This compliments
+# and enforces the already pre-existing PR_SET_NO_NEW_PRIVS flag.
+neverallow system_server *:process { transition dyntransition };
+
 # system_server should never be executing dex2oat. This is either
 # a bug (for example, bug 16317188), or represents an attempt by
 # system server to dynamically load a dex file, something we do not
 # want to allow.
 neverallow system_server dex2oat_exec:file no_x_file_perms;
 
-# system_server should never execute anything from /data except for /data/dalvik-cache files.
+# system_server should never execute or load executable shared libraries
+# in /data except for /data/dalvik-cache files.
 neverallow system_server {
   data_file_type
   -dalvikcache_data_file #mapping with PROT_EXEC