diff --git a/device.te b/device.te
index 880212cd474e051be3d36745b309d1ab02945a8e..06006b26dde849471af13933d84178a4ce6972a3 100644
--- a/device.te
+++ b/device.te
@@ -41,7 +41,7 @@ type urandom_device, dev_type, mlstrustedobject;
 type video_device, dev_type;
 type vcs_device, dev_type;
 type zero_device, dev_type, mlstrustedobject;
-type fuse_device, dev_type;
+type fuse_device, dev_type, mlstrustedobject;
 type iio_device, dev_type;
 type ion_device, dev_type, mlstrustedobject;
 type gps_device, dev_type;
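Review bot: The new `fuse_device` line adds `mlstrustedobject` without a comment, and that attribute takes the type out of the MLS checks for every subject. After this change, access to the FUSE device is limited only by the type-enforcement rules and the neverallow assertions added in domain.te. I would record that next to the type, for example `# mlstrustedobject: fd is opened by vold and handed to domains at other MLS levels (AppFuse); access is bounded by the neverallows in domain.te`. A later edit that loosens those assertions would otherwise widen access with no MLS backstop and no hint of it here.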
diff --git a/domain.te b/domain.te
index c76e04400cd8e677aab77daba6a066d663fa4b6e..aac71fcb1950b673f2f12e3d6d0b7552ce8ae357 100644
--- a/domain.te
+++ b/domain.te
@@ -517,3 +517,22 @@ neverallow domain domain:file { execute execute_no_trans entrypoint };
 # more specific label.
 # TODO: fix system_server and dumpstate
 neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+
+neverallow {
+  domain
+  -init
+  -recovery
+  -sdcardd
+  -vold
+} fuse_device:chr_file open;
+neverallow {
+  domain
+  -dumpstate
+  -init
+  -priv_app
+  -recovery
+  -sdcardd
+  -system_server
+  -ueventd
+  -vold
+} fuse_device:chr_file *;
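Review bot: The second neverallow exempts `dumpstate` and `ueventd`, yet nothing in this change grants either of them access to `fuse_device`, and neither block has a comment explaining the two tiers. Presumably those exemptions match allow rules elsewhere in the policy; if they do not, removing them keeps the assertion as tight as the grants. A short comment above each block would make the intent reviewable, e.g. `# Only these domains may open the FUSE device; everyone else must receive an already-open fd` on the first and `# Domains allowed to use such an fd at all` on the second. As written, the exempted domains are held back only from `open`, so any other permission on `fuse_device:chr_file` can be granted to them later without tripping an assertion.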
diff --git a/priv_app.te b/priv_app.te
index 5ad563e4dd422eda2ffb3ac567488bee19e3590c..8ced18da7323097c672f4f60ee14892ba89c61cf 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -66,6 +66,10 @@ userdebug_or_eng(`
 # the system partition
 allow priv_app exec_type:file getattr;
 
+# For AppFuse.
+allow priv_app vold:fd use;
+allow priv_app fuse_device:chr_file { read write };
+
 ###
 ### neverallow rules
 ###
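Review bot: `allow priv_app vold:fd use` is not specific to the FUSE device: it lets every privileged app use any descriptor it receives from vold, subject only to the permission check on the object behind it. The `# For AppFuse.` comment does not say that, nor that `open` is deliberately withheld so the app can only act on a descriptor vold chose to pass. I would expand it to something like `# AppFuse: vold opens the FUSE device and passes the fd; priv_app must not open it itself (see neverallow in domain.te)`. The same terse comment is used on the system_server.te and vold.te hunks and would benefit from the same detail.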
diff --git a/system_server.te b/system_server.te
index 40fd9ac4c8d11679ae1cfb7dd720530b4a7903f9..293a215947bc65bc89efb85cac429607c4dc4543 100644
--- a/system_server.te
+++ b/system_server.te
@@ -447,6 +447,10 @@ userdebug_or_eng(`
   allow system_server kernel:system syslog_read;
 ')
 
+# For AppFuse.
+allow system_server vold:fd use;
+allow system_server fuse_device:chr_file { read write ioctl };
+
 ###
 ### Neverallow rules
 ###
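Review bot: `ioctl` is granted to `system_server` on `fuse_device:chr_file` with no restriction on the command, while `priv_app` gets only `{ read write }` for the same feature, and the comment does not say which ioctl is required. If the needed commands are known, name them in the comment and, where the policy version in use supports it, whitelist them with an `allowxperm` rule instead of the blanket permission. If it was added speculatively, dropping `ioctl` until a denial shows it is needed keeps system_server's reach over a vold-opened FUSE descriptor to the minimum.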
diff --git a/vold.te b/vold.te
index c8952af02cd09dc3e2c63b17dcced412b521924d..35e502f3d679784718dc97b255757a10df275215 100644
--- a/vold.te
+++ b/vold.te
@@ -164,6 +164,9 @@ allow vold self:capability sys_nice;
 allow vold self:capability sys_chroot;
 allow vold storage_file:dir mounton;
 
+# For AppFuse.
+allow vold fuse_device:chr_file rw_file_perms;
+
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;