diff --git a/init.te b/init.te
index c05fabaa5..68eab2efb 100644
--- a/init.te
+++ b/init.te
@@ -23,3 +23,8 @@ allow init recovery:process transition;
 allow init shell:process transition;
 allow init ueventd:process transition;
 allow init watchdogd:process transition;
+
+# Init creates keystore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init keystore_data_file:dir { open create read getattr setattr search };
+allow init keystore_data_file:file { getattr };
diff --git a/installd.te b/installd.te
index 5ff68f3de..7a9af8b27 100644
--- a/installd.te
+++ b/installd.te
@@ -11,9 +11,9 @@ allow installd system_data_file:lnk_file create;
 allow installd dalvikcache_data_file:file create_file_perms;
 allow installd dalvikcache_profiles_data_file:dir create_dir_perms;
 allow installd dalvikcache_profiles_data_file:file create_file_perms;
-allow installd data_file_type:dir create_dir_perms;
-allow installd data_file_type:dir { relabelfrom relabelto };
-allow installd data_file_type:{ file_class_set } { getattr unlink };
+allow installd { data_file_type -keystore_data_file }:dir create_dir_perms;
+allow installd { data_file_type -keystore_data_file }:dir { relabelfrom relabelto };
+allow installd { data_file_type -keystore_data_file }:{ file_class_set } { getattr unlink };
 allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd oemfs:dir r_dir_perms;
diff --git a/keystore.te b/keystore.te
index f89504fbc..e92efaa4f 100644
--- a/keystore.te
+++ b/keystore.te
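Review bot: The comment on the two added init rules says the directory is walked as part of a recursive restorecon, but neither rule grants relabelfrom or relabelto on keystore_data_file — the dir rule grants only traversal (`open read getattr search`) plus `create setattr`, and the file rule only `getattr`. Either the relabel permission comes from a broader init rule outside this hunk, which the comment should name, or the walk is only expected to verify labels; as written a reader cannot tell which, so I would extend the comment once confirmed, e.g. `# The relabel itself is not granted here; the walk only needs lookup and getattr.`. It is also worth stating in the comment that this set is deliberately a subset of what the keystore.te neverallow rules leave open to non-keystore domains, so that the two files are kept in step when either is edited.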
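Review bot: The three rewritten installd rules subtract keystore_data_file from data_file_type without a comment saying why, and the same unexplained carve-out appears in the system_server.te hunk and in the two changed unconfined.te rules. A reader of installd.te alone will not see the neverallow rules in keystore.te that force the exclusion and might "simplify" it back; the policy build would then fail, which is the right safety net, but the intent should still be in the file, e.g. `# keystore_data_file is excluded here: keystore.te neverallows any other domain from touching it.`. The exclusion itself looks correct — each of the three rules keeps its original permission set and only narrows the type.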
@@ -11,3 +11,15 @@ allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
 allow keystore tee_device:chr_file rw_file_perms;
 allow keystore tee:unix_stream_socket connectto;
+
+###
+### Neverallow rules
+###
+### Protect our files from others
+###
+
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
+neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *;
+neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;
diff --git a/system_server.te b/system_server.te
index bd6c88ed0..7a9d06327 100644
--- a/system_server.te
+++ b/system_server.te
@@ -168,8 +168,8 @@ allow system_server adbd_socket:sock_file rw_file_perms;
 allow system_server tun_device:chr_file rw_file_perms;
 
 # Manage data files.
-allow system_server data_file_type:dir create_dir_perms;
-allow system_server data_file_type:notdevfile_class_set create_file_perms;
+allow system_server { data_file_type -keystore_data_file }:dir create_dir_perms;
+allow system_server { data_file_type -keystore_data_file }:notdevfile_class_set create_file_perms;
 
 # Read /file_contexts and /data/security/file_contexts
 security_access_policy(system_server)
diff --git a/unconfined.te b/unconfined.te
index 9b5f8c9e6..8eda0979f 100644
--- a/unconfined.te
+++ b/unconfined.te
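Review bot: The exemption of kernel and recovery in the last two neverallow rules is undocumented, and the banner above them (`### Protect our files from others`) does not say what the two layers guarantee. The first pair bounds what any domain other than keystore may ever be granted — on directories only open/create/read/getattr/setattr/search/relabelto, on files only getattr and relabelto — so no later allow rule can give another domain open, read, write, unlink or relabelfrom on the key files; the second pair withdraws even that residue from everything except init, kernel and recovery. I would expand the banner to state that, and add one line above the second pair naming why each exempt domain needs it: init's boot-time create and restorecon is visible in init.te, while kernel and recovery presumably act on /data outside normal boot, which should be confirmed and written down, e.g. `### init/kernel/recovery may create and relabel the directory; the rules above still deny them the file contents.`.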
@@ -28,10 +28,10 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
 allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type dev_type file_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type dev_type file_type -keystore_data_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {file_type -keystore_data_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain { rootfs system_file exec_type }:file execute;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;