diff --git a/domain.te b/domain.te
index 06c0bddbcee2017bafdfb8e99dc1c57aad015800..d9935fe877f00b51973406db54971d5edc7004b5 100644
--- a/domain.te
+++ b/domain.te
@@ -331,3 +331,13 @@ neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file
 
 # Only servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager } *:binder set_context_mgr;
+
+# Only authorized processes should be writing to files in /data/dalvik-cache
+# (excluding /data/dalvik-cache/profiles, which is labeled differently)
+neverallow {
+  domain
+  -init # TODO: limit init to relabelfrom for files
+  -zygote
+  -installd
+  -dex2oat
+} dalvikcache_data_file:file no_w_file_perms;
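Review bot: The `-init` exclusion carves init out of every permission in `no_w_file_perms` even though the TODO on that line says only `relabelfrom` is wanted, so the rule as written does not constrain init writing, appending or unlinking dalvik-cache files at all. If checkpolicy's permission-set negation is acceptable in this policy, the intent can be expressed now rather than deferred: `neverallow { domain -zygote -installd -dex2oat } dalvikcache_data_file:file { no_w_file_perms -relabelfrom };` together with `neverallow { domain -init -zygote -installd -dex2oat } dalvikcache_data_file:file relabelfrom;`. Note also that the rule targets only the `file` class, so creating, renaming or removing entries in the directory itself (`add_name`/`remove_name` on `dalvikcache_data_file:dir`) is not covered; if that is deliberate, a one-line comment such as `# directory writes are intentionally not covered here` would save the next reader the question.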
diff --git a/unconfined.te b/unconfined.te
index 32044eccc1c973a8e88a5fa189796476c7f7a995..385af469f521b5b4eeecc7cbc2016dd4ee24e0fe 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -83,6 +83,7 @@ allow unconfineddomain {
     -shell_data_file
     -app_data_file
     -unlabeled
+    -dalvikcache_data_file
 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain rootfs:file execute;
 allow unconfineddomain contextmount_type:dir r_dir_perms;
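Review bot: Adding `-dalvikcache_data_file` to this type set drops read access as well as write, because the statement grants `~{entrypoint execute_no_trans execmod execute relabelto}` — i.e. every remaining file permission, read included — and the enclosing `allow unconfineddomain { ... }` statement begins before this hunk. If unconfined domains are still expected to read compiled dex files from /data/dalvik-cache, a companion rule such as `allow unconfineddomain dalvikcache_data_file:file r_file_perms;` is needed; I cannot see from this hunk whether one exists elsewhere in unconfined.te. A short comment on the new line, e.g. `# dalvikcache_data_file: writes are restricted by neverallow in domain.te; grant reads separately`, would record the reason for the exclusion.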