diff --git a/domain.te b/domain.te
index 0f5590bc8b83b4ed2ac2ee617aeba6037d0e61e3..bed4e67f6b0653b2f0c0b76055462988344bac67 100644
--- a/domain.te
+++ b/domain.te
@@ -363,6 +363,7 @@ neverallow {
   -update_engine
   -vold
   -recovery
+  -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
 
 # Only servicemanager should be able to register with binder as the context manager
diff --git a/ueventd.te b/ueventd.te
index fb726631942573b5f72aa25d3c4fd933eaf31c14..3881445ee321fdb3c518d4cecd636d8174b052d1 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -23,7 +23,7 @@ allow ueventd tmpfs:chr_file rw_file_perms;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { create setattr unlink };
-allow ueventd dev_type:blk_file { create setattr unlink };
+allow ueventd dev_type:blk_file { relabelfrom relabelto create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
 allow ueventd efs_file:dir search;
 allow ueventd efs_file:file r_file_perms;