diff --git a/domain.te b/domain.te
index 5ac6b460f6d2e338944cab11a0da64b2e01ce837..1fb2ef8b9131d75d661e4958ef68cc08bf957e20 100644
--- a/domain.te
+++ b/domain.te
@@ -159,7 +159,7 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
 
 # Limit device node creation and raw I/O to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold } self:capability { sys_rawio mknod };
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
 
 # No domain needs mac_override as it is unused by SELinux.
 neverallow domain self:capability2 mac_override;
@@ -203,7 +203,7 @@ neverallow domain init:binder call;
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
diff --git a/file_contexts b/file_contexts
index d4315b0318ec6424a348e9e84da67cdb1841c2df..81698d1ef673216cc474db71894668c7dc035c6a 100644
--- a/file_contexts
+++ b/file_contexts
@@ -150,6 +150,7 @@
 /system/bin/lmkd u:object_r:lmkd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
 /system/bin/logd u:object_r:logd_exec:s0
+/system/bin/uncrypt u:object_r:uncrypt_exec:s0
 #############################
 # Vendor files
 #
diff --git a/uncrypt.te b/uncrypt.te
new file mode 100644
index 0000000000000000000000000000000000000000..aea66684821c2185a544e005ecfa37542ed24750
--- /dev/null
+++ b/uncrypt.te
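Review bot: Adding `-uncrypt` to the `{ sys_rawio mknod }` neverallow in the first hunk exempts uncrypt from the mknod prohibition too, although the new uncrypt.te only allows `sys_rawio`; the second hunk has the same shape, exempting uncrypt from `block_device:blk_file { open read write }` while uncrypt.te grants only `w_file_perms`. Splitting the first rule keeps the mknod ban in force for uncrypt: `neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold } self:capability mknod;` and `neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability sys_rawio;`. The block_device rule can be split the same way so that `read` stays forbidden for uncrypt, or, following the comment two lines above it, the one node uncrypt writes can be given its own type so no carve-out from the generic block_device rule is needed at all.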
@@ -0,0 +1,25 @@
+# uncrypt
+type uncrypt, domain;
+type uncrypt_exec, exec_type, file_type;
+
+init_daemon_domain(uncrypt)
+permissive_or_unconfined(uncrypt)
+
+allow uncrypt self:capability dac_override;
+
+# Read OTA zip file from /data/data/com.google.android.gsf/app_download
+r_dir_file(uncrypt, app_data_file)
+
+# Create tmp file /cache/recovery/command.tmp
+# Read /cache/recovery/command
+# Rename /cache/recovery/command.tmp to /cache/recovery/command
+allow uncrypt cache_file:dir rw_dir_perms;
+allow uncrypt cache_file:file create_file_perms;
+
+# Set a property to reboot the device.
+unix_socket_connect(uncrypt, property, init)
+allow uncrypt powerctl_prop:property_service set;
+
+# Raw writes to block device
+allow uncrypt self:capability sys_rawio;
+allow uncrypt block_device:blk_file w_file_perms;
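Review bot: `allow uncrypt block_device:blk_file w_file_perms;` at the end of the file grants raw write to every node labeled block_device, which is exactly what the domain.te comment on the corresponding neverallow says to avoid ("Rather force a relabel to a more specific type"); labeling the single partition node uncrypt writes with a dedicated type would keep the generic block_device neverallow intact and make both domain.te carve-outs unnecessary. `allow uncrypt self:capability dac_override;` is the only rule here without a comment; if its purpose is only to traverse the app-private download directory as root, `dac_read_search` is the narrower capability, so document it as `# dac_override: traverse app-private download dir — confirm dac_read_search is not sufficient` and try the narrower form. `r_dir_file(uncrypt, app_data_file)` covers every app's private data rather than the one directory named in the comment above it, which the comment should say so the scope is not read as narrower than it is. `permissive_or_unconfined(uncrypt)` presumably makes the rules in this file advisory on at least some build types, so the allow set will not be validated by denials until that line is removed; a TODO naming the removal condition would help.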