diff --git a/domain.te b/domain.te
index 7bc2292d50e1f9a3a04a40cc2ea440d938c684be..44612414fc75f5f65732626de02050b9caf7d4d9 100644
--- a/domain.te
+++ b/domain.te
@@ -93,6 +93,7 @@ allow domain urandom_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
 allow domain properties_device:file r_file_perms;
 allow domain init:key search;
+allow domain vold:key search;
 
 # logd access
 write_logd(domain)
diff --git a/init.te b/init.te
index 9f624ba778b5b97b14d2ea4208f0a757b3f0da04..89ddac79ec3570dccac5f8bd4f3a03e4c801d4b0 100644
--- a/init.te
+++ b/init.te
@@ -257,11 +257,7 @@ allow init pstorefs:file r_file_perms;
 # linux keyring configuration
 allow init init:key { write search setattr };
 
-# Allow init to link temp fs to unencrypted data on userdata
-allow init tmpfs:lnk_file { create read getattr relabelfrom };
-
-# Allow init to manipulate /data/unencrypted
-allow init unencrypted_data_file:{ file lnk_file } create_file_perms;
+# Allow init to create /data/unencrypted
 allow init unencrypted_data_file:dir create_dir_perms;
 
 unix_socket_connect(init, vold, vold)
diff --git a/vold.te b/vold.te
index e72822c93202490cc08ad3fa8907eec2d23272fa..2cbb306d178ef57c9fada173892aca3778c6813e 100644
--- a/vold.te
+++ b/vold.te
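Review bot: The added `allow domain vold:key search;` gives every domain access to keys labelled vold, yet it carries no comment, so a later reader has no way to tell a deliberate minimal grant from an over-broad one. In the SELinux key class `search` only lets a process locate a key in a keyring (it does not cover read, view or write), which makes this the smallest useful permission, and the comment should say so: `# Every domain may look up (but not read or modify) keys that vold adds to the kernel keyring`. Presumably this exists so processes can use keys vold installs for encrypted storage; confirm against the vold.te change in the same commit before landing the wording.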
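Review bot: The rewritten comment `# Allow init to create /data/unencrypted` undersells the rule it now describes: if `create_dir_perms` is the usual Android sepolicy macro, it also grants rmdir, reparent, setattr and add_name/remove_name on the directory, not just create. A wording such as `# Allow init to create and manage the /data/unencrypted directory (its contents are handled by vold)` would describe what remains after the file and lnk_file rules are dropped. This is documentation only; the deletion itself reads as a clean move of file handling from init to vold.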
@@ -143,14 +143,18 @@ allow vold userdata_block_device:blk_file rw_file_perms;
 # Access metadata block device used for encryption meta-data.
 allow vold metadata_block_device:blk_file rw_file_perms;
 
-# Allow init to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
+# Allow vold to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file } create_file_perms;
 allow vold unencrypted_data_file:dir create_dir_perms;
 
 # Give vold a place where only vold can store files; everyone else is off limits
 allow vold vold_data_file:dir rw_dir_perms;
 allow vold vold_data_file:file create_file_perms;
 
+# linux keyring configuration
+allow vold init:key { write search setattr };
+allow vold vold:key { write search setattr };
+
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
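Review bot: The new `allow vold init:key { write search setattr };` grants vold `setattr` on keys labelled init, which in the SELinux key class covers keyctl setperm/chown-style changes to keyrings init owns, not merely linking keys into them; if vold only needs to add keys to the session keyring it inherits from init, `allow vold init:key { write search };` should suffice, and if `setattr` is genuinely required the reason belongs next to the rule. The header `# linux keyring configuration` is copied verbatim from init.te and explains none of this, so replace it with something like `# Keyring access: vold adds keys to the keyring it inherits from init (labelled init:key) and manages its own keys -- TODO confirm setattr on init:key is needed`. Separately, `unencrypted_data_file:{ file }` brackets a single class while the neighbouring rule writes `unencrypted_data_file:dir`; the conventional spelling is `allow vold unencrypted_data_file:file create_file_perms;`.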