diff --git a/domain.te b/domain.te
index 466e48a470c5a8a2cf6bb0cde6345544ea83b70e..787ce36dd19d4f1fccb722f24d4667682a817e6a 100644
--- a/domain.te
+++ b/domain.te
@@ -277,6 +277,9 @@ neverallow { domain -init } property_data_file:file { create setattr relabelfrom
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 
+# Nothing should be writing to files in the rootfs.
+neverallow domain rootfs:file { create write setattr relabelfrom relabelto append unlink link rename };
+
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
 neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
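Review bot: The new neverallow on L10 is narrower than the comment above it claims, because it constrains only the `file` class while the preceding rule on L6 uses `dir_file_class_set`; writes to rootfs directory entries and symlinks (`rootfs:dir`, `rootfs:lnk_file`) stay permitted as far as this rule is concerned. If that is intentional, the comment should say so, e.g. `# Nothing should be writing to regular files in the rootfs (directories and symlinks are not covered here).`; if not, match the neighbouring rule with `neverallow domain rootfs:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename };`. Note also that, unlike L6, this rule does not exempt `recovery`; if recovery needs to modify rootfs that will be a policy compile error rather than a runtime denial, which is presumably the intent but is worth stating in the comment.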
diff --git a/unconfined.te b/unconfined.te
index 97a7da19dd169b518f82759a5edbee96ed24437e..f3c88a093944084a40e28be61a580164aa3cf516 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -70,6 +70,7 @@ allow unconfineddomain {
     -usermodehelper
     -proc_security
     -contextmount_type
+    -rootfs
 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain {
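Review bot: The `-rootfs` exclusion on L23 removes not only the write-class permissions the domain.te neverallow targets but every permission this rule granted on `rootfs:file`, including `read`, `getattr` and `open`, so unconfined domains lose read access to rootfs files unless another rule grants it. If a domain-wide rule such as `allow domain rootfs:file r_file_perms;` exists elsewhere in the policy this is harmless, but that dependency is not visible in the hunk and should be noted with a comment next to the exclusion, e.g. `# rootfs is excluded here; read access comes from the domain-wide rules, writes are neverallowed in domain.te.` The enclosing `allow unconfineddomain {` statement begins above the hunk, so the type set being narrowed cannot be confirmed from this view.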