diff --git a/public/domain.te b/public/domain.te
index 1dc2a41df92effb9b219bea9ff6de36574391c0f..2f3d8f1b4738131cc91f640f329d756fe37c3f9d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1187,6 +1187,12 @@ neverallow {
   -installd # creation of sandbox
 } app_data_file:dir_file_class_set { create unlink };
 
+neverallow {
+  domain
+  -init
+  -installd
+} app_data_file:dir_file_class_set { relabelfrom relabelto };
+
 #
 # Only these domains should transition to shell domain. This domain is
 # permissible for the "shell user". If you need a process to exec a shell
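Review bot: The added `neverallow` on `app_data_file:dir_file_class_set { relabelfrom relabelto }` has no comment explaining why `init` and `installd` are the only exempt domains. The rule just above it annotates its exception inline (`-installd # creation of sandbox`). I would add a header line such as `# Only init and installd may relabel app data; relabeling moves a file into or out of the app sandbox label.` and annotate each exception the same way, for example `-installd # restorecon of app data dirs`. The reasons are presumably restorecon at boot and at install time, so confirm them before committing the wording. The rule names only `app_data_file`. If the policy defines other app-data types (not visible in this hunk), check whether they need the same restriction.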