diff --git a/domain.te b/domain.te
index bd59be158..e544281f1 100644
--- a/domain.te
+++ b/domain.te
@@ -294,6 +294,8 @@ neverallow {
 -appdomain # for oemfs
 -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
+# Files from cache should never be executed
+neverallow domain { cache_file cache_backup_file }:file execute;
 # Only the init property service should write to /data/property.
 neverallow { domain -init } property_data_file:dir no_w_dir_perms;
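Review bot: The added `neverallow` lists only `cache_file` and `cache_backup_file`, so any other type this policy assigns to content under /cache would not be caught by the assertion. Whether such types exist is not visible in this hunk; check the type declarations and file_contexts entries for /cache, and extend the type set if there are any. The comment states the rule but not the reason or the scope. Something like `# Nothing labeled as /cache content may be exec'd or mapped executable by any domain, including appdomain and recovery.` would make clear that, unlike the rule just above, this one has no exemptions.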