diff --git a/public/kernel.te b/public/kernel.te
index d1463dcd74f2dafcb9aeb572a60c878807b49b56..a93c8e908b32433e6869fa1d2a1f30bad1c06de4 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -73,6 +73,9 @@ userdebug_or_eng(`
 allow kernel media_rw_data_file:dir create_dir_perms;
 allow kernel media_rw_data_file:file create_file_perms;
 
+# Access to /data/misc/vold/virtual_disk.
+allow kernel vold_data_file:file read;
+
 ###
 ### neverallow rules
 ###
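Review bot: The added `allow kernel vold_data_file:file read;` applies to the whole `vold_data_file` type, not only to the `/data/misc/vold/virtual_disk` file named in the comment, so the kernel domain gains read access to every file vold keeps under that label. If the virtual disk is only needed on debug builds, wrapping the rule in `userdebug_or_eng(...)` would keep it out of user builds, and labelling the backing file with its own dedicated type would narrow the grant further. The hunk header shows `userdebug_or_eng(` as context, but the unindented rules suggest the new line sits outside that macro; the macro's extent is not visible here. The comment would also be more useful if it said why the kernel domain needs the access, for example `# Kernel reads the backing file for the vold virtual disk (/data/misc/vold/virtual_disk).` if that is indeed the reason.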
diff --git a/public/vold.te b/public/vold.te
index 88de4fda70ae777d9957bd1c9b95057c0f04e09b..f4a391693f4e28aaa128d8f3500d241f9aeff26f 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -175,9 +175,9 @@ allow vold user_profile_data_file:dir create_dir_perms;
 allow vold misc_block_device:blk_file w_file_perms;
 
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -vold -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
-neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
+neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
 neverallow vold fsck_exec:file execute_no_trans;
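Review bot: Subtracting `kernel` from both `vold_data_file:notdevfile_class_set` neverallows removes the compile-time guard for every permission on every non-device file class, although the matching allow rule in kernel.te needs only `file read`. A later change could therefore give the kernel domain write, create or unlink on vold's data without tripping any neverallow. Adding a kernel-specific guard next to these lines keeps the exemption as narrow as the grant: `neverallow kernel vold_data_file:file ~{ read };` and `neverallow kernel vold_data_file:{ lnk_file sock_file fifo_file } *;`. A one-line comment above the relaxed rules saying that the kernel exemption exists for the virtual disk would also help the next reader of vold.te.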