diff --git a/public/app.te b/public/app.te
index 7f51574b3d181c81405bf22030ff7331bf41dfd8..14e3011a15608662b4a7409cc9dc6099c12bb597 100644
--- a/public/app.te
+++ b/public/app.te
@@ -215,7 +215,7 @@ allow appdomain shared_relro_file:file r_file_perms;
 
 # Allow apps to read/execute installed binaries
 allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file { rx_file_perms execmod };
+allow appdomain apk_data_file:file rx_file_perms;
 
 # /data/resource-cache
 allow appdomain resourcecache_data_file:file r_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 56424e928a27ecb0759132be5894daffe1741ad5..66b1d8a54adb6183ebf4007b514bbedc56ad4559 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -483,7 +483,7 @@ neverallow * self:process { execstack execheap };
 
 # prohibit non-zygote spawned processes from using shared libraries
 # with text relocations. b/20013628 .
-neverallow { domain -appdomain } file_type:file execmod;
+neverallow { domain -untrusted_app } file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;
 
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index b968728b2ec617f608096290f80263e3a65b1304..9f62b77e9cbf8bb19f3115ca2e6fe339400d133f 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -25,6 +25,9 @@ app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 
+# Legacy text relocations
+allow untrusted_app apk_data_file:file execmod;
+
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
 allow untrusted_app app_data_file:file { rx_file_perms execmod };