diff --git a/update_engine.te b/update_engine.te
index c5786928e48d19c3bfe056f627d25ead461d5b6c..5542b489863735e55c3b0332a1136f0ceae01391 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -28,6 +28,11 @@ allow update_engine block_device:dir search;
 allow update_engine boot_block_device:blk_file rw_file_perms;
 allow update_engine system_block_device:blk_file rw_file_perms;
 
+# Allow to set recovery options in the BCB. Used to trigger factory reset when
+# the update to an older version (channel change) or incompatible version
+# requires it.
+allow update_engine misc_block_device:blk_file rw_file_perms;
+
 # Don't allow kernel module loading, just silence the logs.
 dontaudit update_engine kernel:system module_request;