diff --git a/app.te b/app.te
index 5cef948fe..090088f08 100644
--- a/app.te
+++ b/app.te
@@ -46,7 +46,7 @@ binder_call(appdomain, surfaceflinger)
 
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set { create_file_perms execute };
+allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 
 # Read/write data files created by the platform apps if they
 # were passed to the app via binder or local IPC. Do not allow open.
diff --git a/untrusted_app.te b/untrusted_app.te
index 80f60da60..2630f9e14 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -15,6 +15,10 @@ app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow untrusted_app app_data_file:file rx_file_perms;
+
 allow untrusted_app tun_device:chr_file rw_file_perms;
 
 # Internal SDCard rw access.
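Review bot: Dropping `execute` from the appdomain rule is not enforced anywhere, and the comment above the rule does not say that execute on app_data_file is now deliberately absent and granted per domain, so a later edit can quietly re-add it. Consider recording the intent next to the rule, `# No execute here: domains that must run code from their sandbox get it explicitly (see untrusted_app.te).`, and pinning it with `neverallow { appdomain -untrusted_app } app_data_file:file { execute execute_no_trans };` so the set of exceptions is visible in one place. Note that every other domain built with app_domain() loses execute on its data files with this hunk; if any of them relied on it, it needs its own grant like the one added in untrusted_app.te.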
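Review bot: `rx_file_perms` grants more than the new comment explains: the read half is already covered by appdomain's create_file_perms on app_data_file in app.te, so `allow untrusted_app app_data_file:file x_file_perms;` (if global_macros defines x_file_perms as the execute subset of rx_file_perms, as I believe it does) would name exactly what this line adds. The comment should also record the security consequence rather than only the use case: the executed code gets no domain transition (rx_file_perms presumably expands to execute_no_trans), so it runs with the full untrusted_app permission set, and this should remain the only app domain with execute on app_data_file. Suggested wording: `# Executed code runs as untrusted_app (no domain transition); this must stay the only app domain allowed to execute app_data_file.`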