diff --git a/fsck.te b/fsck.te
index a86884c03277cb343427cce72eb25515a2efd923..6a3d1ee44f44304fefec7f68130559fb2c68c3d8 100644
--- a/fsck.te
+++ b/fsck.te
@@ -1,4 +1,4 @@
-# Any fsck program run by init or vold
+# Any fsck program run by init
 type fsck, domain;
 type fsck_exec, exec_type, file_type;
 
@@ -15,11 +15,6 @@ allow fsck devpts:chr_file { read write ioctl getattr };
 allow fsck block_device:dir search;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
-allow fsck vold_device:blk_file rw_file_perms;
-
-# Allow stdin/out back to vold
-allow fsck vold:fd use;
-allow fsck vold:fifo_file { read write getattr };
 
 ###
 ### neverallow rules
@@ -34,9 +29,10 @@ neverallow fsck {
   root_block_device
   swap_block_device
   system_block_device
+  vold_device
 }:blk_file no_rw_file_perms;
 
-# Only allow entry from init or vold via fsck binaries
-neverallow { domain -init -vold } fsck:process transition;
+# Only allow entry from init via fsck binaries
+neverallow { domain -init } fsck:process transition;
 neverallow domain fsck:process dyntransition;
 neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
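Review bot: The block-device neverallow list that `vold_device` is added to here is now one of two hand-maintained copies — the new vold_fsck.te carries the same list plus userdata_block_device and cache_block_device — and nothing ties them together, so a device type added to one can silently be missed in the other. A comment above the list would make the coupling explicit: `# Keep in sync with the neverallow list in vold_fsck.te (vold_fsck additionally excludes userdata/cache and is allowed vold_device).` The neverallow block itself begins before this hunk, so the comment would go on the line above its opening. The same applies to the list in vold_fsck.te; I have not repeated the note there.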
diff --git a/vold.te b/vold.te
index cde7c7719eb9a01583b8c04c771a50886a5d86d8..0a42b2db07b95f731fc96c63f99541bc23a4aa54 100644
--- a/vold.te
+++ b/vold.te
@@ -8,7 +8,7 @@ init_daemon_domain(vold)
 domain_auto_trans(vold, sgdisk_exec, sgdisk);
 domain_auto_trans(vold, blkid_exec, blkid);
 domain_auto_trans(vold, sdcardd_exec, sdcardd);
-domain_auto_trans(vold, fsck_exec, fsck);
+domain_auto_trans(vold, fsck_exec, vold_fsck);
 
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
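Review bot: Switching the transition target from fsck to vold_fsck means any other rule in vold.te (or elsewhere in the policy) that names the fsck domain as the object — for example a rule letting vold signal or wait on the child — would now apply to a domain vold no longer executes; this hunk does not show whether such rules exist, so it is worth grepping the rest of vold.te for `fsck:` before landing. If none exist, a short comment on the changed line would save the next reader the same check: `# vold runs fsck only on vold_device; it enters vold_fsck, not fsck (see vold_fsck.te)`.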
diff --git a/vold_fsck.te b/vold_fsck.te
new file mode 100644
index 0000000000000000000000000000000000000000..e45c527108323f878045b193ae6cd0c0a4ddd951
--- /dev/null
+++ b/vold_fsck.te
@@ -0,0 +1,35 @@
+# Any fsck program run by vold
+type vold_fsck, domain;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow vold_fsck devpts:chr_file { read write ioctl getattr };
+
+# Run fsck on certain block devices
+allow vold_fsck block_device:dir search;
+allow vold_fsck vold_device:blk_file rw_file_perms;
+
+# Allow stdin/out back to vold
+allow vold_fsck vold:fd use;
+allow vold_fsck vold:fifo_file { read write getattr };
+
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow vold_fsck {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+  userdata_block_device
+  cache_block_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } vold_fsck:process transition;
+neverallow domain vold_fsck:process dyntransition;
+neverallow vold_fsck { file_type fs_type -fsck_exec }:file entrypoint;
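Review bot: The new domain deliberately has no exec type of its own and instead shares fsck_exec with the fsck domain (the entrypoint neverallow on the last line restricts to `fsck_exec`, and there is no `vold_fsck_exec` declaration), so which domain a given fsck invocation lands in is decided purely by the calling domain; that design choice is not written down anywhere in the file. Suggest stating it next to the type declaration: `# Entered from the same fsck_exec binaries as the fsck domain; the caller decides the target (init -> fsck, vold -> vold_fsck).` It would also help to note that the neverallow list here is intentionally a superset of fsck.te's, since vold must never fsck the internal userdata or cache partitions, so a reader does not "fix" the difference by making the two lists identical.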