diff --git a/domain.te b/domain.te
index 787ce36dd19d4f1fccb722f24d4667682a817e6a..1a3feb4351db37f7d1154d6354187812864f3568 100644
--- a/domain.te
+++ b/domain.te
@@ -278,7 +278,7 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Nothing should be writing to files in the rootfs.
-neverallow domain rootfs:file { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
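Review bot: Dropping `relabelfrom` from the `neverallow domain rootfs:file` rule lifts the assertion for every domain, while the only allow rule this commit adds is for init. A separate assertion placed right after the modified rule would keep the compile-time guarantee for everything else: `neverallow { domain -init } rootfs:file relabelfrom;`. If device-specific policy is expected to grant this permission to other domains, the exclusion set would have to grow, but that is better stated explicitly than left open. The comment above the rule could also say that relabeling away from rootfs is the one exception and is meant for init.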
diff --git a/init.te b/init.te
index 069f041dbf384d737a6784bfad3d6185824206fc..2c00cb4848f747ff02550cb98d4b47db29a53eb1 100644
--- a/init.te
+++ b/init.te
@@ -28,6 +28,9 @@ allow init contextmount_type:filesystem relabelto;
 allow init contextmount_type:dir r_dir_perms;
 allow init contextmount_type:notdevfile_class_set r_file_perms;
 
+# restorecon /adb_keys or any other rootfs files to a more specific type.
+allow init rootfs:file relabelfrom;
+
 # restorecon and restorecon_recursive calls from init.rc files.
 # system/core/init.rc requires at least cache_file and data_file_type.
 # init.<board>.rc files often include device-specific types, so
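Review bot: The new comment does not say what bounds the destination label, and `allow init rootfs:file relabelfrom;` on its own applies to every regular file labeled rootfs. I would extend the comment along the lines of `# The new label is limited by init's relabelto rules and file_contexts; relabelto rootfs stays denied by the neverallow in domain.te.` The restorecon rules that grant relabelto appear to start just below and continue outside this hunk, so the wording should be checked against them. Only class `file` is granted here, so rootfs directories and symlinks cannot be relabeled this way, which is presumably intended but worth stating.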