diff --git a/domain.te b/domain.te
index 731e0c4943727647dbc752f8bc43b893bec71ba5..1e3b2fb2b0ae62b18886d67ba696f87a8e962d36 100644
--- a/domain.te
+++ b/domain.te
@@ -362,3 +362,7 @@ neverallow {
 # that over time, the kernel global tables used to implement SysV IPCs will fill
 # up.
 neverallow domain domain:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
diff --git a/unconfined.te b/unconfined.te
index d9a5b04e630ca8b73378bfa960d9111d6b922108..559ed593a334baa335dc1a435f629e5005c39ac5 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -43,8 +43,8 @@ allow unconfineddomain domain:{
     tun_socket
 } *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
+allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
 allow unconfineddomain {
     file_type
     -keystore_data_file
@@ -55,7 +55,7 @@ allow unconfineddomain {
     -shell_data_file
     -app_data_file
     -unlabeled
-}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
 allow unconfineddomain exec_type:dir r_dir_perms;
 allow unconfineddomain exec_type:file { r_file_perms execute };
 allow unconfineddomain exec_type:lnk_file r_file_perms;