diff --git a/public/domain.te b/public/domain.te
index ffbb54d68283668b29e140c3bde9b8e4538ea0e1..eb02021fd0a767935ec93187ec15201e5b063c02 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -239,7 +239,7 @@ neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
 neverallowxperm * devpts:chr_file ioctl TIOCSTI;
 
 # Do not allow any domain other than init to create unlabeled files.
-neverallow { domain -init } unlabeled:dir_file_class_set create;
+neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 
 # Limit device node creation to these whitelisted domains.
 neverallow {
diff --git a/public/recovery.te b/public/recovery.te
index f6ad47feffef280604597512aff5bcae9b64604c..05cc195e1a710c39dccbb5db2f4b3b5a21ee9bb7 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -12,7 +12,15 @@ recovery_only(`
   # Recovery can only use HALs in passthrough mode
   passthrough_hal_client_domain(recovery, hal_bootctl)
 
-  allow recovery self:global_capability_class_set { dac_override fowner setuid setgid sys_admin sys_tty_config };
+  allow recovery self:global_capability_class_set {
+    chown
+    dac_override
+    fowner
+    setuid
+    setgid
+    sys_admin
+    sys_tty_config
+  };
 
   # Run helpers from / or /system without changing domain.
   r_dir_file(recovery, rootfs)
@@ -26,6 +34,11 @@ recovery_only(`
   allow recovery unlabeled:filesystem ~relabelto;
   allow recovery contextmount_type:filesystem relabelto;
 
+  # We may be asked to set an SELinux label for a type not known to the
+  # currently loaded policy. Allow it.
+  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+
   # Get file contexts
   allow recovery file_contexts_file:file r_file_perms;