diff --git a/app.te b/app.te
index 40de074db8615789c6743878bd724b0a351d137f..a78fad16a690a34b811696e2a5cfd523bb00fcb1 100644
--- a/app.te
+++ b/app.te
@@ -367,3 +367,14 @@ neverallow appdomain fs_type:filesystem ~getattr;
 # Ability to set system properties.
 neverallow { appdomain -system_app -radio -shell -bluetooth -nfc } property_type:property_service set;
+
+# prevent creation/manipulation of globally readable symlinks
+neverallow appdomain {
+ apk_data_file
+ cache_file
+ dev_type
+ rootfs
+ system_file
+ security_file
+ tmpfs
+}:lnk_file no_w_file_perms;
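Review bot: The added `neverallow appdomain { ... }:lnk_file no_w_file_perms;` assertion may leave `relabelto` uncovered. `no_w_file_perms` is defined outside this hunk; as it is usually defined in global_macros it lists append, create, link, unlink, relabelfrom, rename, setattr and write, but not `relabelto`. If that holds in this tree, an allow rule that lets an app domain relabel a symlink into one of these types would not trip the check, so consider `}:lnk_file { no_w_file_perms relabelto };`. The comment could also state the reason for the rule, e.g. `# Apps must not create or modify symlinks under types that other domains read and follow.`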