diff --git a/recovery.te b/recovery.te
index 2d400cd41c4a4de637be967bd0a2157e49b0affd..951c49824cad3f108ce8e58628d4dc7ce4151902 100644
--- a/recovery.te
+++ b/recovery.te
@@ -20,9 +20,14 @@ recovery_only(`
   allow recovery fs_type:filesystem *;
   allow recovery unlabeled:filesystem *;
 
-  # Create and relabel files under /system.
-  allow recovery exec_type:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
-  allow recovery system_file:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
+  # Create and relabel files and directories under /system.
+  allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
+
+  # Write to /proc/sys/vm/drop_caches
+  # TODO: create more specific label?
+  allow recovery proc:file w_file_perms;
 
   # Required to e.g. wipe userdata/cache.
   allow recovery block_device:dir r_dir_perms;
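Review bot: The added `allow recovery proc:file w_file_perms;` grants write access to every file that carries the generic `proc` label, not only `/proc/sys/vm/drop_caches`, so recovery can write to any otherwise unlabelled procfs tunable. The TODO should be resolved before this lands by giving the node its own type: declare `type proc_drop_caches, fs_type;`, label it with `genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0` in the genfs contexts file, and narrow the rule to `allow recovery proc_drop_caches:file w_file_perms;`. Separately, the switch to `create_file_perms` / `create_dir_perms` changes the granted set compared with the explicit list it replaces (it adds read-side permissions and, as far as I know the macro definition, no longer includes `link`), so it is worth confirming that this is intended. The enclosing `recovery_only` block starts before this hunk and continues after it, so other rules there may already cover or overlap these grants.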