diff --git a/domain.te b/domain.te
index fcb813af58e0f27bfacbcf76e579aaf6cbf51f55..3851506948625298497bd24f592e736d9076dcf2 100644
--- a/domain.te
+++ b/domain.te
@@ -170,8 +170,8 @@ auditallow { domain -service_manager_local_audit } service_manager_type:service_
 ### neverallow rules
 ###
 
-# Do not allow any confined domain to create new unlabeled files.
-neverallow { domain -unconfineddomain -recovery } unlabeled:dir_file_class_set create;
+# Do not allow any domain other than init or recovery to create unlabeled files.
+neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
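Review bot: The new exemption for init at `neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;` is not backed by any `allow init unlabeled:...` rule in this commit, so the exemption is either relying on a rule outside this diff or is currently unused. If init does create unlabeled files during boot, the comment should say which case that is; if it does not, the exemption widens the neverallow for no reason and init can be dropped from the exception list. A one-line rationale such as `# init is exempt because it creates files on filesystems that are not yet labeled (TODO: confirm the case).` would make the intent reviewable later.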
@@ -231,7 +231,7 @@ neverallow domain kernel:security setbool;
 neverallow { domain -init } kernel:security setsecparam;
 
 # Only init, ueventd and system_server should be able to access HW RNG
-neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
+neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
 
 # Ensure that all entrypoint executables are in exec_type.
 neverallow domain { file_type -exec_type }:file entrypoint;
@@ -258,8 +258,9 @@ neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } b
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
-# ueventd is exempt from this, as its managing these devices.
-neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
+# init is exempt from this as there are character devices that only it uses.
+# ueventd is exempt from this, as it is managing these devices.
+neverallow { domain -init -ueventd } device:chr_file { open read write };
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
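Review bot: The rationale `# init is exempt from this as there are character devices that only it uses.` describes a temporary state, but nothing ties it to the work that would remove the exemption, so the exception risks outliving its reason. Since the corresponding init.te rules in this commit carry a TODO to give those devices their own types, the comment here should reference it, e.g. `# init is exempt from this as there are character devices that only it uses; see the TODO on the device:chr_file rules in init.te and drop this exemption once they are typed.`. Note the neverallow still only covers `open read write`, so a relabel is enforced for other domains but ioctl-only access is not restricted by this rule; that appears to be pre-existing behaviour rather than introduced here.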
diff --git a/init.te b/init.te
index d12cc230cc6ecb28072a6dd89c2e3de08b140ddb..cce2e418c9b6e949e00111b39a606fbaa52c76ec 100644
--- a/init.te
+++ b/init.te
@@ -106,6 +106,24 @@ allow init kernel:process setsched;
 # system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
 allow init swap_block_device:blk_file rw_file_perms;
 
+# Read from /dev/hw_random if present.
+# system/core/init/init.c - mix_hwrng_into_linux_rng_action
+allow init hw_random_device:chr_file r_file_perms;
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done.
+# TODO:  Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+auditallow init device:file create_file_perms;
+
+# Access character devices without a specific type,
+# e.g. /dev/keychord.
+# TODO: Move these devices into their own type unless they
+# are only ever accessed by init.
+allow init device:chr_file { rw_file_perms setattr };
+auditallow init device:chr_file { rw_file_perms setattr };
+
 ###
 ### neverallow rules
 ###
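Review bot: `allow init device:file create_file_perms;` grants init create/unlink/rename/link/setattr over every regular file in /dev that carries only the generic `device` type, not just `/dev/.coldboot_done`, and `allow init device:chr_file { rw_file_perms setattr };` similarly covers every untyped character device including `ioctl`; the TODOs acknowledge this, but the two `auditallow` lines that make the cleanup possible are undocumented. A short comment explaining their role would keep a later maintainer from removing them as noise, e.g. `# auditallow: log every use of the generic device type so the remaining untyped /dev nodes can be enumerated and moved into dedicated types, after which these broad rules should be removed.`. Expect these to produce an audit record on each access while the nodes remain untyped, which is presumably intended for discovery but worth stating. The added `allow init hw_random_device:chr_file r_file_perms;` matches the read-only use referenced in the comment and needs no change.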
diff --git a/unconfined.te b/unconfined.te
index a76c3d8a9a3ab272bc16ce365491ab4b0bfcfeec..1a51942324df15a6aa3a5a02f48f46c2617e8288 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -55,6 +55,7 @@ allow unconfineddomain {
     -security_file
     -shell_data_file
     -app_data_file
+    -unlabeled
 }:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain exec_type:dir r_dir_perms;
 allow unconfineddomain exec_type:file { r_file_perms execute };
@@ -69,8 +70,9 @@ allow unconfineddomain {
     -contextmount_type
     -rootfs
     -sdcard_type
+    -device
 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
-allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
+allow unconfineddomain {dev_type -device -kmem_device -hw_random_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain {
     file_type
     -keystore_data_file
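Review bot: The `-device` subtractions at `    -device` and `allow unconfineddomain {dev_type -device -kmem_device -hw_random_device}:...` remove all access to generically-typed /dev nodes from unconfined domains, which is what lets the domain.te neverallows drop `-unconfineddomain`, but the reason is not stated next to the rules. A comment at the first subtraction such as `# Generic /dev nodes (type device) must be relabeled to a specific type; only init and ueventd may touch them.` would explain both exclusions. Any unconfined domain that today opens an untyped /dev node will now be denied, so the init.te auditallow coverage in this commit is what surfaces those cases; if that dependency is intended it deserves a sentence here. The set whose header is above this hunk is only partially visible.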
@@ -80,6 +82,7 @@ allow unconfineddomain {
     -security_file
     -shell_data_file
     -app_data_file
+    -unlabeled
 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain rootfs:file execute;
 allow unconfineddomain contextmount_type:dir r_dir_perms;
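Review bot: Subtracting `-unlabeled` here (and from the dir/lnk/sock/fifo set earlier in this file) removes read, write and every other permission on `unlabeled` files from unconfined domains, whereas the domain.te neverallow this commit introduces only forbids `create`. If unconfined domains still need to read pre-existing unlabeled files (for example on a partition whose labels were never applied), this is a functional regression not required by the neverallow; if cutting all access is the intent, a comment such as `# unconfined domains get no access at all to unlabeled files; the neverallow in domain.te only forbids creating them, the broader exclusion here is deliberate.` would record the decision. The enclosing `allow unconfineddomain {` set starts outside this hunk.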