diff --git a/private/adbd.te b/private/adbd.te
index bde6864bae6b5ca0c677236585c0b7918372f511..58038c70e07e0507cff7b63af04e25f072280257 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -12,6 +12,14 @@ userdebug_or_eng(`
 allow adbd su:process dyntransition;
 ')
 
+# When 'adb shell' is executed in recovery mode, adbd explicitly
+# switches into shell domain using setcon() because the shell executable
+# is not labeled as shell but as rootfs.
+recovery_only(`
+ domain_trans(adbd, rootfs, shell)
+ allow adbd shell:process dyntransition;
+')
+
 # Do not sanitize the environment or open fds of the shell. Allow signaling
 # created processes.
 allow adbd shell:process { noatsecure signal };
@@ -148,4 +156,4 @@ allow adbd rootfs:dir r_dir_perms;
 # transitions to the shell domain (except when it crashes). In particular, we
 # never want to see a transition from adbd to su (aka "adb root")
 neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
+neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
diff --git a/public/kernel.te b/public/kernel.te
index b7a351cc87dfab004b486692116b7a062b88961f..cf913ba6859ccdc48319b3f2b3e5f35b41d4a454 100644
--- a/public/kernel.te
+++ b/public/kernel.te
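Review bot: `domain_trans(adbd, rootfs, shell)` grants more than the setcon()-based switch the comment above it describes; if it is the usual te_macros definition it also lets adbd execute any rootfs-labeled file and makes every rootfs file a valid `entrypoint` for the shell domain, which in recovery is the entire ramdisk. Besides `self:process setcurrent`, `allow adbd shell:process dyntransition` should be all that setcon() needs, so the exec-transition half deserves either removal or a justification such as `# domain_trans() is kept so an exec()-based switch also works; in recovery it makes every rootfs file a shell entrypoint.` The `setcurrent` grant itself is not visible in this hunk; if it is only given under userdebug_or_eng (the context line above suggests that block, but does not show it), this recovery_only block is inert on user builds and a comment saying so would save the next reader a trip through the macros.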
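Review bot: The new `recovery_only(`-shell')` carve-out applies to every build type, whereas the neighbouring `-su` exemption is limited to userdebug_or_eng, so on a user-build recovery image adbd may now dyntransition into shell with nothing on these lines restricting that to debuggable builds. If `adb shell` in recovery is meant to be debuggable-only (adbd's own build gating may already enforce this, but the policy should not rely on it), wrap the exemption as `` recovery_only(`userdebug_or_eng(`-shell')') `` so the neverallow keeps its teeth on user builds. If it is intended on user builds, the comment above the rule, which currently describes only the exec-based transition to shell, should mention the recovery dyntransition too.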
@@ -103,3 +103,18 @@ neverallow kernel *:file { entrypoint execute_no_trans };
 # Instead of adding dac_{read_search,override}, fix the unix permissions
 # on files being accessed.
 neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
+
+# Allow the first-stage init (which is running in the kernel domain) to execute the
+# dynamic linker when it re-executes /init to switch into the second stage.
+# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
+# before the domain is switched to the target domain. So, we need to allow the kernel
+# domain (the source domain) to execute the dynamic linker (system_file type).
+# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
+# kernel older than 4.8.
+allow kernel system_file:file execute;
+# The label for the dynamic linker is rootfs in the recovery partition. This is because
+# the recovery partition which is rootfs does not support xattr and thus labeling can't be
+# done at build-time. All files are by default labeled as rootfs upon booting.
+recovery_only(`
+ allow kernel rootfs:file execute;
+')
diff --git a/public/recovery.te b/public/recovery.te
index 57ad2028be1bf6913d39a5aacf1a0bd4dc5c8db2..48fffe645cf8312dff291e1473e027aa8610e2c3 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -30,6 +30,7 @@ recovery_only(`
 # Mount filesystems.
 allow recovery rootfs:dir mounton;
+ allow recovery tmpfs:dir mounton;
 allow recovery fs_type:filesystem ~relabelto;
 allow recovery unlabeled:filesystem ~relabelto;
 allow recovery contextmount_type:filesystem relabelto;
diff --git a/public/shell.te b/public/shell.te
index 4293f529abd62bbc0f9c1b18fb6cad9c79550bbd..8e6ae4cdd3af0f10890bb3c9596192438570b90e 100644
--- a/public/shell.te
+++ b/public/shell.te
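Review bot: `allow kernel system_file:file execute;` covers every system_file, not just the dynamic linker, and the long comment never states why that is still contained: the context line `neverallow kernel *:file { entrypoint execute_no_trans };` above the hunk keeps `execute_no_trans` forbidden, so this rule only permits exec() through a domain transition (the re-exec of /init) and cannot be used to run a system_file binary inside the kernel domain. I would add after the TODO: `# execute_no_trans stays neverallowed above, so this cannot run system_file code in the kernel domain.` The same caveat belongs on the recovery_only `rootfs:file execute` rule, which in recovery spans the entire ramdisk rather than one binary.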
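Review bot: `allow recovery tmpfs:dir mounton;` carries no comment naming which tmpfs directory recovery mounts over, and `mounton` over every tmpfs-labeled directory is broad enough that the intended mount point should be recorded next to the rule, e.g. `# Mount over tmpfs-labeled directories (<name the mount point here>).` The rootfs rule beside it at least sits under the `# Mount filesystems.` header; this one reads as an unexplained widening. The enclosing recovery_only block begins outside the hunk.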
@@ -199,6 +199,12 @@ allow shell sepolicy_file:file r_file_perms;
 # Allow shell to start up vendor shell
 allow shell vendor_shell_exec:file rx_file_perms;
 
+# Everything is labeled as rootfs in recovery mode. Allow shell to
+# execute them.
+recovery_only(`
+ allow shell rootfs:file rx_file_perms;
+')
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/ueventd.te b/public/ueventd.te
index 9b9eacb252a23d237e17a6e43db4b114799d86fc..0cac32d489a9fcdf6e3cf2e5468f45d76841eb36 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -39,6 +39,12 @@ allow ueventd self:process setfscreate;
 # Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
 allow ueventd proc_cmdline:file r_file_perms;
 
+# Everything is labeled as rootfs in recovery mode. ueventd has to execute
+# the dynamic linker and shared libraries.
+recovery_only(`
+ allow ueventd rootfs:file { r_file_perms execute };
+')
+
 #####
 ##### neverallow rules
 #####
diff --git a/public/vendor_init.te b/public/vendor_init.te
index ad69437a6cf6bf756f3f3539bc1c61ca9784f993..6307f2cf6ef332d3bd6eb4f68f7091fee22f38ec 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -155,6 +155,12 @@ allow vendor_init self:global_capability_class_set sys_admin;
 # Raw writes to misc block device
 allow vendor_init misc_block_device:blk_file w_file_perms;
 
+# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
+# the dynamic linker and shared libraries.
+recovery_only(`
+ allow vendor_init rootfs:file { r_file_perms execute };
+')
+
 not_compatible_property(`
 set_prop(vendor_init, { property_type
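Review bot: `allow shell rootfs:file rx_file_perms;` grants read and execute (including `execute_no_trans`, if rx_file_perms is the usual macro) on every file in the recovery ramdisk, since in recovery everything is rootfs; that is the whole image, not just the executables the comment talks about. The breadth should be stated so the rule is not later lifted out of recovery_only: `# In recovery every file is rootfs, so this lets shell read and run anything in the ramdisk; keep it recovery_only.` Note it is also wider than the `{ r_file_perms execute }` given to ueventd and vendor_init elsewhere in this change, which omit execute_no_trans; if that asymmetry is intended (shell is the interactive domain), one sentence saying so would stop someone "harmonising" them.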
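Review bot: `{ r_file_perms execute }` on all rootfs files lets ueventd map any file in the recovery ramdisk as executable code, which is wider than the linker and libraries the comment names but hard to avoid while recovery has a single label; what the comment should record is the boundary that is kept, namely that `execute_no_trans` is absent so ueventd still cannot exec() a rootfs binary in its own domain. Suggested wording: `# r_file_perms + execute lets ueventd load the linker and shared libraries (all rootfs in recovery); execute_no_trans is left out so it cannot exec() rootfs binaries.` If the project prefers enforcement to documentation, the `#####` neverallow block just below the hunk is the place for a recovery_only `neverallow ueventd rootfs:file execute_no_trans;`, assuming nothing already there covers it.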