diff --git a/private/blkid.te b/private/blkid.te
new file mode 100644
index 0000000000000000000000000000000000000000..9c4cfccc80b624ef925828488b8ddd97f5850caa
--- /dev/null
+++ b/private/blkid.te
@@ -0,0 +1,20 @@
+# blkid called from vold
+
+type blkid_exec, exec_type, file_type;
+
+# Allowed read-only access to encrypted devices to extract UUID/label
+allow blkid block_device:dir search;
+allow blkid userdata_block_device:blk_file r_file_perms;
+allow blkid dm_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid vold:fd use;
+allow blkid vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid blkid_exec:file rx_file_perms;
+
+# Only allow entry from vold
+neverallow { domain -vold } blkid:process transition;
+neverallow * blkid:process dyntransition;
+neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
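Review bot: The entrypoint neverallow on the last line exempts `shell_exec` as well as `blkid_exec`, but the comment above it only says "Only allow entry from vold", so a reader cannot tell why a shell binary is an acceptable entrypoint for this domain. Presumably vold starts blkid through popen(), which runs the command via the shell (the "launched through popen()" comment further up hints at this, but the vold side is not visible in this diff). If so, state it at the rule, e.g. `# shell_exec is exempt because popen() enters this domain via sh; no other file may be an entrypoint`. The same unexplained exemption is in the last rule of private/blkid_untrusted.te, where the comment says "via blkid binary" although shell_exec is also permitted.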
diff --git a/private/blkid_untrusted.te b/private/blkid_untrusted.te
new file mode 100644
index 0000000000000000000000000000000000000000..ae18e6860c30f063f51a01711d6b443c6b09465d
--- /dev/null
+++ b/private/blkid_untrusted.te
@@ -0,0 +1,35 @@
+# blkid for untrusted block devices
+
+# Allowed read-only access to vold block devices to extract UUID/label
+allow blkid_untrusted block_device:dir search;
+allow blkid_untrusted vold_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid_untrusted vold:fd use;
+allow blkid_untrusted vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid_untrusted blkid_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted blkid should never be run on block devices holding sensitive data
+neverallow blkid_untrusted {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+  userdata_block_device
+  cache_block_device
+  dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via blkid binary
+neverallow { domain -vold } blkid_untrusted:process transition;
+neverallow * blkid_untrusted:process dyntransition;
+neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
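Review bot: The neverallow covering sensitive block devices is an enumerated list, so a block-device type introduced later is not protected unless someone remembers to append it here. The only blk_file access this file grants the domain is `vold_device`, so the guard could be written as the complement instead: `neverallow blkid_untrusted { dev_type -vold_device }:blk_file no_rw_file_perms;`. That assumes every block-device type carries the `dev_type` attribute and that no base-policy rule gives the domain another blk_file, which a policy build would confirm. If the explicit list is kept, a comment asking that new sensitive `*_block_device` types be added to it would help.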
diff --git a/public/blkid.te b/public/blkid.te
index c8df183f865bb8c1cbfb2ccad4f3652c99a0217a..dabe01452062f9d2d4c8fdb9938633daff89e548 100644
--- a/public/blkid.te
+++ b/public/blkid.te
@@ -1,20 +1,2 @@
 # blkid called from vold
 type blkid, domain;
-type blkid_exec, exec_type, file_type;
-
-# Allowed read-only access to encrypted devices to extract UUID/label
-allow blkid block_device:dir search;
-allow blkid userdata_block_device:blk_file r_file_perms;
-allow blkid dm_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid vold:fd use;
-allow blkid vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid blkid_exec:file rx_file_perms;
-
-# Only allow entry from vold
-neverallow { domain -vold } blkid:process transition;
-neverallow * blkid:process dyntransition;
-neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/public/blkid_untrusted.te b/public/blkid_untrusted.te
index cbbbbae5780cf5d74bf6231fd561d503830e8e0f..4be4c0cb2371e5b89d6b8b05f534944e2aa9f72b 100644
--- a/public/blkid_untrusted.te
+++ b/public/blkid_untrusted.te
@@ -1,36 +1,2 @@
 # blkid for untrusted block devices
 type blkid_untrusted, domain;
-
-# Allowed read-only access to vold block devices to extract UUID/label
-allow blkid_untrusted block_device:dir search;
-allow blkid_untrusted vold_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid_untrusted vold:fd use;
-allow blkid_untrusted vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid_untrusted blkid_exec:file rx_file_perms;
-
-###
-### neverallow rules
-###
-
-# Untrusted blkid should never be run on block devices holding sensitive data
-neverallow blkid_untrusted {
-  boot_block_device
-  frp_block_device
-  metadata_block_device
-  recovery_block_device
-  root_block_device
-  swap_block_device
-  system_block_device
-  userdata_block_device
-  cache_block_device
-  dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via blkid binary
-neverallow { domain -vold } blkid_untrusted:process transition;
-neverallow * blkid_untrusted:process dyntransition;
-neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;