diff --git a/domain.te b/domain.te
index a1a782be73c0c901b785ab2fdd0efbe82a57053b..eda9091d0f3b41809fd57c9dac6bcaf1900b9512 100644
--- a/domain.te
+++ b/domain.te
@@ -193,6 +193,7 @@ neverallow {
   -init
   -ueventd
   -vold
+  -recovery
 } self:capability mknod;
 
 # Limit raw I/O to these whitelisted domains.