diff --git a/file.te b/file.te
index 782fae70f4498e0368c4e4a7b51baf765973823d..bbfd665c88110511e39c4d0e9dae6ef6cab33109 100644
--- a/file.te
+++ b/file.te
@@ -110,6 +110,7 @@ type systemkeys_data_file, file_type, data_file_type;
 type vpn_data_file, file_type, data_file_type;
 type wifi_data_file, file_type, data_file_type;
 type zoneinfo_data_file, file_type, data_file_type;
+type vold_data_file, file_type, data_file_type;
 
 # Compatibility with type names used in vanilla Android 4.3 and 4.4.
 typealias audio_data_file alias audio_firmware_file;
diff --git a/file_contexts b/file_contexts
index 92b8d32302be1bfdf1898660b25e488844654a6e..e20638e380695edf1814742cc31499fd10cd5674 100644
--- a/file_contexts
+++ b/file_contexts
@@ -236,6 +236,7 @@
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
 /data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
+/data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
diff --git a/init.te b/init.te
index 909490d300b84189962dec4fded70f4f72a97dab..78f460a4d69edab27a3c2a190a6cf5e9dd86b640 100644
--- a/init.te
+++ b/init.te
@@ -82,10 +82,10 @@ allow init rootfs:file relabelfrom;
 # we just allow all file types except /system files here.
 allow init self:capability { chown fowner fsetid };
 allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:file { create getattr open read write setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
 allow init sysfs_type:{ dir file lnk_file } relabelto;
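Review bot: The exclusion list `-keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file` is now copied verbatim across the four rules at the top of this hunk, so the next protected type has to be added in four places and a missed one silently widens init's write/unlink reach over that type. A single attribute declared next to these types (for example `attribute init_protected_data_file;` in file.te, with each of the five types carrying it) would let the four rules read `{file_type -system_file -exec_type -init_protected_data_file}` and would make the neverallow rules in vold.te easier to keep in step. Note that the `:dir { create search getattr open read setattr }` rule just above these four deliberately still covers vold_data_file, since init needs it to create and traverse /data/misc/vold; a comment on that line saying so would stop a later reader from "fixing" it.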
@@ -156,6 +156,11 @@ allow init domain:process sigkill;
 allow init keystore_data_file:dir { open create read getattr setattr search };
 allow init keystore_data_file:file { getattr };
 
+# Init creates vold's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init vold_data_file:dir { open create read getattr setattr search };
+allow init vold_data_file:file { getattr };
+
 # Init creates /data/local/tmp at boot
 allow init shell_data_file:dir { open create read getattr setattr search };
 allow init shell_data_file:file { getattr };
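Review bot: The new `allow init vold_data_file:dir { open create read getattr setattr search };` duplicates permissions already granted by the broad `{file_type -system_file -exec_type -app_data_file}:dir` rule earlier in this file, so the only permission this hunk actually adds is `vold_data_file:file { getattr }`. That mirrors the keystore_data_file block above it, which is a reasonable style choice, but the comment should say which grant is the new one, e.g. `# The dir permissions restate the generic file_type rule above; file getattr is what the recursive restorecon needs.` Keep the explicit dir rule if the intent is that it survives a future tightening of the generic rule, and say so.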
diff --git a/vold.te b/vold.te
index 0a42b2db07b95f731fc96c63f99541bc23a4aa54..c2bd06487c77733ea44064da0b9852a68ed89548 100644
--- a/vold.te
+++ b/vold.te
@@ -129,3 +129,12 @@ allow vold metadata_block_device:blk_file rw_file_perms;
 # Allow init to manipulate /data/unencrypted
 allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
 allow vold unencrypted_data_file:dir create_dir_perms;
+
+# Give vold a place where only vold can store files; everyone else is off limits
+allow vold vold_data_file:dir rw_dir_perms;
+allow vold vold_data_file:file create_file_perms;
+
+neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
+neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -vold -init } vold_data_file:dir *;
+neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
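Review bot: The comment `# Give vold a place where only vold can store files; everyone else is off limits` understates what the four neverallow rules below actually permit: init is carved out and may create, traverse, getattr and relabelto the directory and getattr/relabelto the files, which the first two neverallows bound and the last two enforce for every other domain. A comment that states the two layers would keep the policy honest, e.g. `# Only vold may read or write under /data/misc/vold. init is limited to creating/searching the dir and relabelling (recursive restorecon); no other domain may touch it at all.` Also, `rw_dir_perms` on the dir does not include `create` or `rmdir`, so vold cannot make subdirectories here; if that is intended (init creates the directory at boot), it is worth one sentence in the comment, and if not, `create_dir_perms` is the macro the rule above uses for unencrypted_data_file.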