diff --git a/file_contexts b/file_contexts
index 5ca2852dec94e6eb296ccaf29ddaeb1329ec4301..2255436c15b415f43e34e8d1500f314b51573467 100644
--- a/file_contexts
+++ b/file_contexts
@@ -178,6 +178,7 @@
 /system/bin/sgdisk u:object_r:sgdisk_exec:s0
 /system/bin/blkid u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
+/system/bin/idmap u:object_r:idmap_exec:s0
 #############################
 # Vendor files
diff --git a/idmap.te b/idmap.te
new file mode 100644
index 0000000000000000000000000000000000000000..1ab497ee07d8755d93cc83a5aa38358d2de2d93c
--- /dev/null
+++ b/idmap.te
@@ -0,0 +1,10 @@
+# idmap, when executed by installd
+type idmap, domain;
+type idmap_exec, exec_type, file_type;
+
+# Use open file to /data/resource-cache file inherited from installd.
+allow idmap installd:fd use;
+allow idmap resourcecache_data_file:file { getattr read write };
+
+# Open and read from target and overlay apk files passed by argument.
+allow idmap apk_data_file:file r_file_perms;
diff --git a/installd.te b/installd.te
index a47853f80547a9c3d20e638c7c5a7a4bc8fdcf08..54f276a7194f1dc9185770fa092f057ae897d23d 100644
--- a/installd.te
+++ b/installd.te
@@ -20,7 +20,6 @@ allow installd apk_tmp_file:file { r_file_perms unlink };
 allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
-allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
 allow installd mnt_expand_file:dir search;
 # Check validity of SELinux context before use.
@@ -71,6 +70,9 @@ allow installd resourcecache_data_file:file create_file_perms;
 # Run dex2oat in its own sandbox.
 domain_auto_trans(installd, dex2oat_exec, dex2oat)
+# Run idmap in its own sandbox.
+domain_auto_trans(installd, idmap_exec, idmap)
+
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
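Review bot: The header comment of the new idmap.te says the domain applies "when executed by installd", but the zygote.te change in this same commit lets zygote run idmap_exec without a transition, so none of these rules confine that path; the comment should say so, for example `# idmap, when executed by installd (zygote runs idmap_exec in its own domain)`. Separately, `allow idmap apk_data_file:file r_file_perms;` includes open, so the domain may open any file labelled apk_data_file rather than only the target and overlay APKs named in the arguments. If installd can hand those APKs over as already-open descriptors, the way the resource-cache file is inherited, the rule could shrink to `{ getattr read }`; whether idmap's argument handling allows that is not visible in this diff.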
diff --git a/zygote.te b/zygote.te
index 0dba9b6193e6a0882150107c2cd37a1f46f7fcb8..2b869c0e4b9345fc913b2d19d0948d3ffc004a3e 100644
--- a/zygote.te
+++ b/zygote.te
@@ -31,8 +31,10 @@ allow zygote resourcecache_data_file:dir rw_dir_perms;
 allow zygote resourcecache_data_file:file create_file_perms;
 # For art.
 allow zygote dalvikcache_data_file:file execute;
-# Execute dexopt.
-allow zygote system_file:file x_file_perms;
+# Execute idmap and dex2oat within zygote's own domain.
+# TODO: Should either of these be transitioned to the same domain
+# used by installd or stay in-domain for zygote?
+allow zygote idmap_exec:file rx_file_perms;
 allow zygote dex2oat_exec:file rx_file_perms;
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
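Review bot: The added `allow zygote idmap_exec:file rx_file_perms;` leaves the TODO unresolved: rx_file_perms carries execute_no_trans, so when zygote launches idmap the APK and overlay parsing runs with every permission zygote holds instead of the narrow idmap domain this commit defines for installd. A parsing flaw in idmap would then be a flaw in the zygote domain. Consider replacing the line with `domain_auto_trans(zygote, idmap_exec, idmap)` and adding `allow idmap zygote:fd use;` to idmap.te, assuming zygote passes the resource-cache file as an inherited descriptor the way installd does; that is not visible here. The same question applies to the unchanged dex2oat_exec line, and the hunk shows only part of zygote.te.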