diff --git a/public/postinstall.te b/public/postinstall.te
index 7fd4dc61183db9d44b5968b631ebe62bead6c271..2ef68bdffe833fb52caaa4a1bb480808ab8105d3 100644
--- a/public/postinstall.te
+++ b/public/postinstall.te
@@ -19,6 +19,11 @@ allow postinstall shell_exec:file rx_file_perms;
 allow postinstall system_file:file rx_file_perms;
 allow postinstall toolbox_exec:file rx_file_perms;
 
+# Allow postinstall to execute shell in recovery.
+recovery_only(`
+  allow postinstall rootfs:file rx_file_perms;
+')
+
 #
 # For OTA dexopt.
 #