diff --git a/domain.te b/domain.te
index 80d2328d1908c6c723f7ceb3c9d7f26b64059db6..70814282331468bf8505903a9679b3c6ab433071 100644
--- a/domain.te
+++ b/domain.te
@@ -270,7 +270,7 @@ neverallow {
     -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
 # Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_recovery_file }:file execute;
+neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
 
 # Protect most domains from executing arbitrary content from /data.
 neverallow {
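Review bot: The only neverallow that mentions `cache_private_backup_file` is this execute rule; nothing here locks in the isolation that the new type appears to exist for. If no app domain is meant to reach the local transport's tree, which the file.te comments suggest but this diff does not confirm, a companion rule such as `neverallow appdomain cache_private_backup_file:{ file dir } *;` would make a later accidental `allow` fail at build time. The `neverallow {` blocks before and after the changed line begin or end outside the hunk.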
diff --git a/file.te b/file.te
index 0c5593da920920451429738eae1f3aa10c9a6c98..25c4c06605332f97ac3f7fed82c0b4fdaaf7af44 100644
--- a/file.te
+++ b/file.te
@@ -145,9 +145,10 @@ typealias app_data_file alias platform_app_data_file;
 typealias app_data_file alias download_file;
 # Default type for anything under /cache
 type cache_file, file_type, mlstrustedobject;
-# Type for /cache/.*\.{data|restore} and default
-# type for anything under /cache/backup
+# Type for /cache/backup_stage/* (fd interchange with apps)
 type cache_backup_file, file_type, mlstrustedobject;
+# type for anything under /cache/backup (local transport storage)
+type cache_private_backup_file, file_type;
 # Type for anything under /cache/recovery
 type cache_recovery_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
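Review bot: The `cache_private_backup_file` declaration omits `mlstrustedobject` while the three neighbouring cache types keep it, and the comment does not say that this is deliberate. If the intent is that this tree is never shared with apps, say so on the type, e.g. `# Type for anything under /cache/backup (local transport storage); deliberately not mlstrustedobject, never shared with apps`. A later editor could otherwise add the attribute back for consistency. The new comment also starts with lowercase "type" where its siblings use "Type".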
diff --git a/file_contexts b/file_contexts
index 55212d4a792056e290258b66dc1917d5ee457d60..f2927801a9a98d3d1d4aed4325bb9b638a348cfc 100644
--- a/file_contexts
+++ b/file_contexts
@@ -319,11 +319,12 @@
 # Cache files
 #
 /cache(/.*)?		u:object_r:cache_file:s0
-/cache/.*\.data	u:object_r:cache_backup_file:s0
-/cache/.*\.restore	u:object_r:cache_backup_file:s0
-# LocalTransport (backup) uses this directory
-/cache/backup(/.*)?	u:object_r:cache_backup_file:s0
 /cache/recovery(/.*)?	u:object_r:cache_recovery_file:s0
+# General backup/restore interchange with apps
+/cache/backup_stage(/.*)?	u:object_r:cache_backup_file:s0
+# LocalTransport (backup) uses this subtree
+/cache/backup(/.*)?		u:object_r:cache_private_backup_file:s0
+
 #############################
 # sysfs files
 #
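Review bot: Files already on /cache from an earlier build keep their old labels after this change, because dropping the `/cache/.*\.data` and `/cache/.*\.restore` entries and retyping `/cache/backup` only takes effect when something relabels the tree. The system_server.te hunk in the same commit removes system_server's `relabelfrom`/`relabelto` on `cache_backup_file`, so the relabel has to come from elsewhere, presumably a recursive restorecon of /cache at boot, which is not visible in this diff. A comment on the entry would record the dependency, e.g. `# Upgrades rely on a recursive restorecon of /cache to move existing /cache/backup content to this type`. The new `/cache/backup(/.*)?` line also uses two tabs before the context where the other entries use one.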
diff --git a/system_server.te b/system_server.te
index 979dd0caff74ffa4b92a5677938673dcaecccfe8..2bb21a37b18f3e66f8efea71d9adbfa140eddcd1 100644
--- a/system_server.te
+++ b/system_server.te
@@ -337,14 +337,12 @@ allow system_server { appdomain autoplay_app }:{ fifo_file unix_stream_socket }
 # Allow abstract socket connection
 allow system_server rild:unix_stream_socket connectto;
 
-# BackupManagerService lets PMS create a data backup file
+# BackupManagerService needs to manipulate backup data files
+allow system_server cache_backup_file:dir rw_dir_perms;
 allow system_server cache_backup_file:file create_file_perms;
-# Relabel /data/backup
-allow system_server backup_data_file:dir { relabelto relabelfrom };
-# Relabel /cache/.*\.{data|restore}
-allow system_server cache_backup_file:file { relabelto relabelfrom };
-# LocalTransport creates and relabels /cache/backup
-allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
+# LocalTransport works inside /cache/backup
+allow system_server cache_private_backup_file:dir create_dir_perms;
+allow system_server cache_private_backup_file:file create_file_perms;
 
 # Allow system to talk to usb device
 allow system_server usb_device:chr_file rw_file_perms;
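Review bot: Nothing in this hunk makes a directory that system_server creates at /cache/backup receive the `cache_private_backup_file` label. The removed rules let it create and then relabel the directory. The new ones grant `create_dir_perms` on the private type, but add no type transition and no relabel permission, so a freshly created directory would inherit the parent's type. Either confirm that the directory is pre-created and labelled outside this diff, or add a named transition such as `type_transition system_server cache_file:dir cache_private_backup_file "backup";`. The same question applies to `/cache/backup_stage`, where only `rw_dir_perms` is granted on `cache_backup_file:dir`, so system_server cannot create that directory itself.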