diff --git a/domain.te b/domain.te
index d835ee940e59c9c32028c156e3d37f336f709b5b..005b2b34f73f6898698dda5ddcb3894e879b5125 100644
--- a/domain.te
+++ b/domain.te
@@ -262,7 +262,7 @@ neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_fi
 # Rather force a relabel to a more specific type.
 # init is exempt from this as there are character devices that only it uses.
 # ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd -recovery } device:chr_file { open read write };
+neverallow { domain -init -ueventd } device:chr_file { open read write };
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
@@ -300,7 +300,7 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
 neverallow domain { system_file exec_type }:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
-neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.