diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 4628314f3c2a557687a6619b3c949504f59df0d1..8d9ccd6720730fe93db722c492c48505ddc2d4a7 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -93,9 +93,7 @@ neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_fil
 # application un-installation.
 neverallow { all_untrusted_apps -mediaprovider } {
 fs_type
- -fuse # sdcard
- -sdcardfs # sdcard
- -vfat
+ -sdcard_type
 file_type
 -app_data_file # The apps sandbox itself
 -media_rw_data_file # Internal storage. Known that apps can
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 71c7a007445f8a5bb97ebf474085f6b7572c9c96..bc847ee9139b4b8d26bc3d7f81d756f38fc3fedf 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -18,6 +18,7 @@
 crossprofileapps_service
 e2fs
 e2fs_exec
+ exfat
 exported_bluetooth_prop
 exported_config_prop
 exported_dalvik_prop
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 94c81d0cb8332f2a6915bdbe12a583a1a3dfbeda..0e8c16422587f3efa9f7a64487e872ac80519e3d 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -14,6 +14,7 @@
 bpfloader_exec
 cgroup_bpf
 crossprofileapps_service
+ exfat
 exported2_config_prop
 exported2_default_prop
 exported2_radio_prop
diff --git a/private/genfs_contexts b/private/genfs_contexts
index c261afa9e8ad369e94184f52a0e316bcf7ea36cc..ce26d73a69efedc4663de19afb358d5d7d2b2444 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -229,6 +229,7 @@ genfscon debugfs /tracing/events/lowmemorykiller/
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
+genfscon exfat / u:object_r:exfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
 genfscon configfs / u:object_r:configfs:s0
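Review bot: The `-sdcard_type` exclusion in the fs_type set of this neverallow is now attribute-driven, so any type later declared with `sdcard_type` (exfat in this commit, anything after it) is silently exempted from the untrusted-app filesystem neverallow without this file being touched. The removed lines at least named what was carved out; a comment should carry that over, e.g. `-sdcard_type # fuse, sdcardfs, vfat, exfat: every type carrying sdcard_type is exempt, review before adding the attribute to a new type`. The neverallow statement begins and ends outside the hunk.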
diff --git a/private/platform_app.te b/private/platform_app.te
index 80b20e1454e0cb8cd5efba77de2c2ad9e3c2796c..f60597a7ef59918bbe2d4405781b6777b8e0bd82 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -34,8 +34,8 @@ allow platform_app cache_file:file create_file_perms;
 # Direct access to vold-mounted storage under /mnt/media_rw
 # This is a performance optimization that allows platform apps to bypass the FUSE layer
 allow platform_app mnt_media_rw_file:dir r_dir_perms;
-allow platform_app vfat:dir create_dir_perms;
-allow platform_app vfat:file create_file_perms;
+allow platform_app sdcard_type:dir create_dir_perms;
+allow platform_app sdcard_type:file create_file_perms;
 
 # com.android.systemui
 allow platform_app rootfs:dir getattr;
diff --git a/public/app.te b/public/app.te
index 5df558e398eea4ef9f7dce2c4acb7d0c9aa2fba6..ac11a3a108eeb4f449a1c21304752a2bdf5c07c1 100644
--- a/public/app.te
+++ b/public/app.te
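Review bot: The rewritten rules `allow platform_app sdcard_type:dir create_dir_perms;` and the matching `:file` rule are now wider than the comment above them, which describes raw vold-mounted storage under /mnt/media_rw, because sdcard_type also covers fuse and sdcardfs per the public/file.te hunk. They also grant exactly what the public/app.te hunk gives `{ appdomain -isolated_app -ephemeral_app }`, so if platform_app is an appdomain (not visible in this diff) both lines are redundant with that rule. Either narrow the set back to the raw filesystems, `allow platform_app { vfat exfat }:dir create_dir_perms;` and likewise for `:file`, or replace the two lines with a comment stating that sdcard access is inherited from the appdomain rules.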
@@ -260,19 +260,12 @@ allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
 allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
-
-# Access OBBs (vfat images) mounted by vold (b/17633509)
-# File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
diff --git a/public/file.te b/public/file.te
index 156fce141519249a0ef180f6f7870de867ed0f4a..c5844b60e720ae4fe8546291e09f90b0383a8202 100644
--- a/public/file.te
+++ b/public/file.te
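Review bot: The removed comment `# Access OBBs (vfat images) mounted by vold (b/17633509)` was the only place recording why apps get write access to vfat-labelled files, and the new `sdcard_type` rules subsume that access while dropping the rationale. Suggest keeping it above the `sdcard_type:dir`/`sdcard_type:file` rules, e.g. `# Also covers OBBs (vfat images) mounted by vold (b/17633509); write access via FDs from the Storage Access Framework`. Note that the surviving comment `# This should be removed if sdcardfs is modified ...` previously covered `{ media_rw_data_file vfat }` and now applies only to the `media_rw_data_file` rules; worth confirming that is the intended scope.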
@@ -108,6 +108,7 @@ type mqueue, fs_type;
 type fuse, sdcard_type, fs_type, mlstrustedobject;
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
+type exfat, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
 type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index d5f2ef6fe440e7e8342ebd0703032b8efc4cc688..c8051e142f8f8e17439cc638ca7bc6f54b5107d1 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -49,7 +49,14 @@ neverallow hal_configstore_server {
 }:{ file fifo_file sock_file } *;
 
 # Should never need sdcard access
-neverallow hal_configstore_server { fuse sdcardfs vfat }:file *;
+neverallow hal_configstore_server {
+ sdcard_type
+ fuse sdcardfs vfat exfat # manual expansion for completeness
+}:dir ~getattr;
+neverallow hal_configstore_server {
+ sdcard_type
+ fuse sdcardfs vfat exfat # manual expansion for completeness
+}:file *;
 
 # Do not permit access to service_manager and vndservice_manager
 neverallow hal_configstore_server *:service_manager *;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 31859aa5179608b03c9d7687faf3b675a09e2a3f..5f8cc41ca10a3b1cba2db638ffce849b014a0933 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -21,7 +21,6 @@ allow hal_telephony_server efs_file:file create_file_perms;
 allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
 allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
 allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
-allow hal_telephony_server sdcard_type:dir r_dir_perms;
 
 # property service
 set_prop(hal_telephony_server, radio_prop)
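Review bot: In the two new hal_configstore_server neverallow rules the hand-written list `fuse sdcardfs vfat exfat` duplicates what `sdcard_type` already expands to (all four carry the attribute in the public/file.te hunk), so it adds no coverage and will silently fall out of date when the next sdcard_type type is declared. If the duplication is deliberate, for instance so the rule still binds in a policy where the attribute is absent, the comment should say so instead of `# manual expansion for completeness`; otherwise drop the four names and keep `sdcard_type` alone. The `:dir ~getattr` form is also new relative to the old file-only rule, and a short comment on why directory getattr is the one permission tolerated would save the next reader from guessing.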