diff --git a/recovery.te b/recovery.te
index cd2447c2f..282ed3e4d 100644
--- a/recovery.te
+++ b/recovery.te
@@ -30,6 +30,11 @@ recovery_only(`
  allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
  allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
 
+ # We may be asked to set an SELinux label for a type not known to the
+ # currently loaded policy. Allow it.
+ allow recovery unlabeled:file { create_file_perms relabelfrom relabelto };
+ allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+
  # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
  # support to OTAs. However, that code has a bug. When an update occurs,
  # some directories are inappropriately labeled as exec_type. This is
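Review bot: The two new `allow recovery unlabeled:...` rules grant the full `create_file_perms` and `create_dir_perms` sets, while the comment above them only justifies relabeling. `unlabeled` applies to every object whose context the loaded policy cannot map, not only the files the updater is labeling, so recovery gains create, write and unlink access to all of them. If labeling is all that is needed, a narrower rule along the lines of `allow recovery unlabeled:file { getattr relabelfrom relabelto };` (with the matching `dir` rule) would fit the stated intent; otherwise the comment should say why create and write access is required. The enclosing `recovery_only` block opens before this hunk and closes outside it, so the grant appears limited to recovery builds, which is worth stating in the comment as the reason the breadth is acceptable.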