diff --git a/file.te b/file.te
index 3bbf9a5b4fb286b6c19e24f5af8675a5926bf94f..5e8687a72a975b585fdc4d560e39222021d37085 100644
--- a/file.te
+++ b/file.te
@@ -6,6 +6,8 @@ type rootfs, fs_type;
 type proc, fs_type;
 # Security-sensitive proc nodes that should not be writable to most.
 type proc_security, fs_type;
+# Type for /proc/sys/vm/drop_caches
+type proc_drop_caches, fs_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
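Review bot: Once the `genfscon proc /sys/vm/drop_caches` entry in genfs_contexts is in place, `proc_drop_caches` takes this node out of the generic `proc` type, so any domain that reached it through a `proc:file` write rule and is not converted here will start hitting denials. This commit converts install_recovery and recovery and adds vold; other writers, if any exist, are not visible in this diff, so the rest of the policy should be searched for `proc:file` write rules before merging. The comment on the type could also state the intent, for example `# /proc/sys/vm/drop_caches; split from proc so write access can be granted per domain`.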
diff --git a/file_contexts b/file_contexts
index 1c6b56cf2912184783381bbbc2c025061bde7acf..9f895da08de1b4ffb3a856474710b3aedc03b32d 100644
--- a/file_contexts
+++ b/file_contexts
@@ -267,6 +267,7 @@
 /mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)?      u:object_r:dalvikcache_data_file:s0
 /mnt/expand/[^/]+/local/tmp(/.*)?                   u:object_r:shell_data_file:s0
 /mnt/expand/[^/]+/media(/.*)?                       u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/misc/vold(/.*)?                   u:object_r:vold_data_file:s0
 
 # coredump directory for userdebug/eng devices
 /cores(/.*)?                    u:object_r:coredump_file:s0
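Review bot: The added `/mnt/expand/[^/]+/misc/vold(/.*)?` entry only takes effect when the path is created with the right context or is relabeled. A `misc/vold` directory that already exists on an adopted volume would presumably keep its old label until something runs restorecon on it. It is worth confirming that the mount or prepare path for expanded storage relabels this directory, because otherwise the `vold_data_file` rules in vold.te will not match it. The entry also sits outside the `/data/misc/vold` grouping with no comment, so a short note that it mirrors the internal-storage label would help the next reader.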
diff --git a/genfs_contexts b/genfs_contexts
index f7967860a788865fe79b3c76b549793dbebb3520..cdf65bc63d54650130996f3e2853396579701500 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -20,6 +20,7 @@ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
 
diff --git a/install_recovery.te b/install_recovery.te
index 138522036e9c164ca19dc4d0c62f5485748ef576..2d80b0874f92d228b1d3ec34282867e914604b2f 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -23,6 +23,4 @@ allow install_recovery cache_file:dir rw_dir_perms;
 allow install_recovery cache_file:file create_file_perms;
 
 # Write to /proc/sys/vm/drop_caches
-# TODO: create a specific label for this file instead of allowing
-# write for all /proc files.
-allow install_recovery proc:file w_file_perms;
+allow install_recovery proc_drop_caches:file w_file_perms;
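Review bot: Narrowing `proc:file w_file_perms` to `proc_drop_caches:file w_file_perms` removes write access to every other generically labeled /proc node, here and in the matching hunk in recovery.te. The existing comments say drop_caches was the only intended target, but that cannot be verified from the diff. Both domains should be exercised in enforcing mode, with a check for new `proc` write denials, before this ships.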
diff --git a/recovery.te b/recovery.te
index 29f1a50ec5337b1ad4375e3757169a86fddd4464..2aad68bb1eb68e567a0e0f2e23bde89a3fa67a17 100644
--- a/recovery.te
+++ b/recovery.te
@@ -41,8 +41,7 @@ recovery_only(`
   allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
 
   # Write to /proc/sys/vm/drop_caches
-  # TODO: create more specific label?
-  allow recovery proc:file w_file_perms;
+  allow recovery proc_drop_caches:file w_file_perms;
 
   # Write to /sys/class/android_usb/android0/enable.
   # TODO: create more specific label?
diff --git a/vold.te b/vold.te
index 191b63cb985ec86efd5edfaeb07baa987591ae23..1a1913e0462b603dfb32afaa589e3c1517f27243 100644
--- a/vold.te
+++ b/vold.te
@@ -144,8 +144,11 @@ allow vold metadata_block_device:blk_file rw_file_perms;
 allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
 allow vold unencrypted_data_file:dir create_dir_perms;
 
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
 # Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir rw_dir_perms;
+allow vold vold_data_file:dir create_dir_perms;
 allow vold vold_data_file:file create_file_perms;
 
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
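Review bot: The change from `rw_dir_perms` to `create_dir_perms` on `vold_data_file:dir` widens what vold may do to these directories, yet neither the hunk nor the comment above it says why. It appears to go with the new `/mnt/expand/[^/]+/misc/vold` label in file_contexts rather than with the drop_caches work, so it would be easier to audit as its own commit. If it stays, a comment such as `# vold creates and removes subdirectories here, including on expanded storage` should be added once the need is confirmed. The new `# Write to /proc/sys/vm/drop_caches` comment likewise says what the rule allows but not why vold needs to drop caches; one clause giving the reason would make the grant reviewable later.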