diff --git a/domain.te b/domain.te
index a853b3a3d83f657326c4cf98ada615abc2176a47..b33ae642fb568eea75df636e802f86daad50d4cf 100644
--- a/domain.te
+++ b/domain.te
@@ -284,6 +284,7 @@ neverallow {
 neverallow {
     domain
     -appdomain # for oemfs
+    -bootanim # for oemfs
     -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
 # Files from cache should never be executed