diff --git a/domain.te b/domain.te
index d9935fe877f00b51973406db54971d5edc7004b5..1aa99594b295a254a6995f8511899451b7cad74c 100644
--- a/domain.te
+++ b/domain.te
@@ -297,6 +297,9 @@ neverallow { domain -init } property_data_file:file no_w_file_perms;
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 
+# Don't allow mounting on top of /system files or directories
+neverallow domain { system_file exec_type }:dir_file_class_set mounton;
+
 # Nothing should be writing to files in the rootfs.
 neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
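Review bot: The comment on the added `mounton` neverallow says "/system files or directories", but the rule also covers every type carrying the `exec_type` attribute, and it does not say why mounting is a concern. A mount over one of these objects changes what gets read or executed without needing any of the write permissions denied by the rule just above, so I would state that: `# Don't allow mounting on top of system_file or any exec_type object.` followed by `# A mount there replaces trusted code without needing write access.` Unlike the neighbouring rules there is no `-recovery` exemption; if that is deliberate, the comment should say so. Note that a neverallow is only checked when the policy is built, so it protects only device policy that is compiled together with this file.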