diff --git a/domain.te b/domain.te
index 73043f57ebbd52707e106eab506cdb3b4d09f0fe..a1a782be73c0c901b785ab2fdd0efbe82a57053b 100644
--- a/domain.te
+++ b/domain.te
@@ -187,7 +187,13 @@ neverallow {
 } self:capability sys_ptrace;
 
 # Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
+neverallow {
+  domain
+  -kernel
+  -init
+  -ueventd
+  -vold
+} self:capability mknod;
 
 # Limit raw I/O to these whitelisted domains.
 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
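Review bot: `recovery` and `uncrypt` drop out of the mknod exception set in this neverallow, but no hunk in this diff touches recovery.te or uncrypt.te, so it is worth confirming that neither still carries an `allow ... self:capability mknod`. The neverallow would fail the policy build if one does, and device-specific policy that grants mknod to any of the five removed domains would fail the same check. The sys_rawio neverallow on the next line still excepts watchdogd, healthd and uncrypt in the old one-line form; if those exceptions are also no longer needed, tightening it in the same multi-line style would keep the two rules consistent.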
diff --git a/healthd.te b/healthd.te
index a1019ee92374b5c5a48d34487579843006c76235..cd5429be129f61b2f227f1452efbcbdff7296c97 100644
--- a/healthd.te
+++ b/healthd.te
@@ -2,12 +2,10 @@
 # it lives in the rootfs and has no unique file type.
 type healthd, domain;
 
-write_klog(healthd)
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by healthd.
-allow healthd tmpfs:chr_file { read write };
+# Write to /dev/kmsg
+allow healthd kmsg_device:chr_file rw_file_perms;
 
-allow healthd self:capability { net_admin mknod sys_tty_config };
+allow healthd self:capability { net_admin sys_tty_config };
 wakelock_use(healthd)
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
 binder_use(healthd)
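Review bot: `rw_file_perms` on `kmsg_device` grants read as well as write, while the comment above the new rule says healthd only needs to write to /dev/kmsg. Read access lets the domain consume the kernel log, which it has no stated need for. If healthd only logs, `allow healthd kmsg_device:chr_file w_file_perms;` keeps the grant to least privilege. The same rule is added in slideshow.te, vold.te and watchdogd.te, and the same narrowing applies there. Separately, the removed `tmpfs:chr_file { read write }` rule covered an inherited /dev/__null__ fd; presumably that fd is no longer passed to healthd, but this diff does not show it.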
diff --git a/slideshow.te b/slideshow.te
index 2b82b3e01a1c72d3c2f493ea4b0c92c1c9e6c732..86d4bff2e32746b180a43f2b0d44924acfb1819d 100644
--- a/slideshow.te
+++ b/slideshow.te
@@ -2,10 +2,10 @@
 # it lives in the rootfs and has no unique file type.
 type slideshow, domain;
 
-write_klog(slideshow)
+allow slideshow kmsg_device:chr_file rw_file_perms;
 wakelock_use(slideshow)
 allow slideshow device:dir r_dir_perms;
-allow slideshow self:capability { mknod sys_tty_config };
+allow slideshow self:capability sys_tty_config;
 allow slideshow graphics_device:dir r_dir_perms;
 allow slideshow graphics_device:chr_file rw_file_perms;
 allow slideshow input_device:dir r_dir_perms;
diff --git a/te_macros b/te_macros
index a76bb5df3af3dcd1a3d23990628e04cc184afd7b..99a9411e43241ddc999a95a04223aec838adcf90 100644
--- a/te_macros
+++ b/te_macros
@@ -281,17 +281,6 @@ define(`access_kmsg', `
 allow $1 kernel:system syslog_read;
 ')
 
-#####################################
-# write_klog(domain)
-# Ability to write to kernel log via
-# klog_write()
-# See system/core/libcutil/klog.c
-define(`write_klog', `
-type_transition $1 device:chr_file klog_device "__kmsg__";
-allow $1 klog_device:chr_file { create open write unlink };
-allow $1 device:dir { write add_name remove_name };
-')
-
 #####################################
 # create_pty(domain)
 # Allow domain to create and use a pty, isolated from any other domain ptys.
diff --git a/ueventd.te b/ueventd.te
index 23c93ad85bd9d33a93463490c06852b64814a9c1..f4884d70345aad4c0861618862c825819f74d555 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -2,7 +2,12 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 tmpfs_domain(ueventd)
-write_klog(ueventd)
+
+# TODO: why is ueventd using __kmsg__ when it should just create
+# and use /dev/kmsg instead?
+type_transition ueventd device:chr_file klog_device "__kmsg__";
+allow ueventd klog_device:chr_file { create open write unlink };
+
 security_access_policy(ueventd)
 allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
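Review bot: The inlined rules reproduce two of the three lines of the removed `write_klog` macro but omit `allow $1 device:dir { write add_name remove_name };`, which is what permits creating and unlinking `__kmsg__` under /dev. ueventd very likely already holds those directory permissions through a rule outside this hunk, but that should be confirmed, otherwise the create on `klog_device` will be denied at runtime. The TODO would also be easier to track with an owner or bug reference, e.g. `# TODO(<bug-id placeholder>): switch ueventd to /dev/kmsg and drop the klog_device rules`.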
diff --git a/vold.te b/vold.te
index 4ee45b91d6ff24f80a1d2aa58a74f9a4c26c9626..a1aef72fd742917b8c2c8849b6143caafb180d6e 100644
--- a/vold.te
+++ b/vold.te
@@ -81,7 +81,7 @@ allow vold self:capability { sys_ptrace kill };
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
 
-write_klog(vold)
+allow vold kmsg_device:chr_file rw_file_perms;
 
 # Run fsck.
 allow vold fsck_exec:file rx_file_perms;
diff --git a/watchdogd.te b/watchdogd.te
index ab9356000f1c28f4a01079145e7347201d1f225e..00292a9a9914311711ad4ab7e785a89134659b20 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,9 +1,4 @@
 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
-allow watchdogd self:capability mknod;
-allow watchdogd device:dir { add_name write remove_name };
 allow watchdogd watchdog_device:chr_file rw_file_perms;
-# because of /dev/__kmsg__ and /dev/__null__
-write_klog(watchdogd)
-type_transition watchdogd device:chr_file null_device "__null__";
-allow watchdogd null_device:chr_file { create unlink };
+allow watchdogd kmsg_device:chr_file rw_file_perms;