diff --git a/private/odrefresh.te b/private/odrefresh.te
index d71630992..cb8a535a5 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -5,7 +5,7 @@ type odrefresh_exec, system_file_type, exec_type, file_type;
 # Allow odrefresh to create files and directories for on device signing.
 allow odrefresh apex_module_data_file:dir { getattr search };
 allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
-allow odrefresh apex_art_data_file:file create_file_perms;
+allow odrefresh apex_art_data_file:file { create_file_perms relabelto } ;
 
 # Allow odrefresh to create data files (typically for metrics before statsd starts).
 allow odrefresh odrefresh_data_file:dir create_dir_perms;
@@ -16,7 +16,7 @@ userfaultfd_use(odrefresh)
 # Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
 # sets up files here and passes file descriptors for dex2oat to write to.
 allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
-allow odrefresh apex_art_staging_data_file:file create_file_perms;
+allow odrefresh apex_art_staging_data_file:file { create_file_perms relabelfrom };
 
 # Run dex2oat in its own sandbox.
 domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
@@ -58,3 +58,10 @@ neverallow { domain -init -odrefresh -compos_fd_server } apex_art_staging_data_f
 # odrefresh_data_files.
 neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
 neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
+
+# Read access to SELinux context files, for restorecon.
+allow odrefresh file_contexts_file:file r_file_perms;
+allow odrefresh seapp_contexts_file:file r_file_perms;
+
+# Check validity of SELinux context, for restorecon.
+selinux_check_context(odrefresh)