diff --git a/domain.te b/domain.te
index bb8badd98e51e73cb0e9e705d223a639e4b7e644..1224c6522d248e1faaace11b201aacc8bd8f8fb8 100644
--- a/domain.te
+++ b/domain.te
@@ -230,7 +230,7 @@ neverallow {
   -init
   -kernel
   -shell # For CTS and is restricted to getattr in shell.te
-  -ueventd
+  -ueventd # Further restricted in ueventd.te
 } kmem_device:chr_file *;
 neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
 
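Review bot: The new comment on `-ueventd` says the domain is "further restricted in ueventd.te", but the global rule two lines below (`neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr }`) already binds ueventd to exactly that set, and the ueventd.te rule this points at (visible in the second file of this diff) permits the same five operations, so it is not actually tighter. Either the ueventd.te rule should drop a permission the global one allows, or the comment should say what it really means, e.g. `-ueventd # restated per-domain in ueventd.te`. The neverallow statement this exclusion belongs to starts before the hunk.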
@@ -345,6 +345,7 @@ neverallow {
   -recovery
   -system_server
   -shell # Shell is further restricted in shell.te
+  -ueventd # Further restricted in ueventd.te
 } frp_block_device:blk_file rw_file_perms;
 
 # No domain other than recovery and update_engine can write to system partition(s).
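Review bot: Excluding ueventd from this neverallow lifts the whole `rw_file_perms` set (open/read/write included) on `frp_block_device`, and the only thing that keeps it at getattr is the separate `neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink }` in ueventd.te; a reader of domain.te cannot see that. The comment should name the bound rather than just point at the other file, e.g. `-ueventd # getattr only; ueventd.te neverallows open/read/write on dev_type:blk_file`. If the exception were ever widened in ueventd.te, this line would silently stop protecting the FRP partition, so the two should be reviewed together. The enclosing neverallow statement starts before the hunk.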
diff --git a/ueventd.te b/ueventd.te
index 3c4ba20b8b087215337293c104c7ae5b851e6e51..ec7e9a1acfcad36978e0cbd4a8010710fd9aedff 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -20,8 +20,8 @@ allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
 allow ueventd tmpfs:chr_file rw_file_perms;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { create setattr unlink };
-allow ueventd dev_type:blk_file { relabelfrom relabelto create setattr unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
 allow ueventd efs_file:dir search;
 allow ueventd efs_file:file r_file_perms;
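Review bot: `getattr` is added on `dev_type:chr_file` and `dev_type:blk_file` without a comment saying why; since `dev_type` is the attribute carried by every device node, this exposes owner/mode/rdev of all of them, including `kmem_device` and `frp_block_device`, to ueventd. That is likely harmless, but a policy reader will want the reason recorded next to the rule, e.g. `# getattr: needed to inspect an existing node before create/setattr/unlink -- confirm against ueventd source`. Note the asymmetry that remains: blk_file keeps `relabelfrom relabelto` while chr_file has neither, so the "only relabelto" remark in the later hunk describes a permission this file does not grant.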
@@ -39,3 +39,9 @@ allow ueventd self:process setfscreate;
 neverallow ueventd property_socket:sock_file write;
 neverallow ueventd init:unix_stream_socket connectto;
 neverallow ueventd property_type:property_service set;
+
+# Restrict ueventd access on block devices to maintenence operations.
+neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
+
+# Only relabelto as we would never want to relabelfrom kmem_device
+neverallow ueventd kmem_device:chr_file ~{ getattr create setattr unlink relabelto };
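Review bot: The `kmem_device` neverallow on the last line keeps `relabelto` in its exclusion set, but the chr_file allow rule earlier in this file grants only `{ getattr create setattr unlink }`, so unless another rule in ueventd.te grants relabel on kmem_device the rule can be tightened to `neverallow ueventd kmem_device:chr_file ~{ getattr create setattr unlink };`; as written its set is identical to the global `neverallow * kmem_device:chr_file` in domain.te and adds no restriction. For symmetry with the blk_file pin above it, consider also `neverallow ueventd dev_type:chr_file ~{ getattr create setattr unlink };`, assuming `tmpfs` (which gets `rw_file_perms` on chr_file at the top of the hunk) is not a `dev_type`. The comment on the blk_file rule has a typo: `maintenence` should be `maintenance`.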