diff --git a/device.te b/device.te
index c1f3d283cd07ca4d7be62fed1f19ec8d0d586dfc..20e95a5dab8bdcbc519264b7be4c019212a725bb 100644
--- a/device.te
+++ b/device.te
@@ -11,6 +11,7 @@ type dm_device, dev_type;
 type loop_device, dev_type;
 type radio_device, dev_type;
 type ram_device, dev_type;
+type vold_device, dev_type;
 type console_device, dev_type;
 type cpuctl_device, dev_type;
 type fscklogs, dev_type;
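Review bot: The new `vold_device` type is declared without a comment, so a reader of device.te cannot tell which nodes carry it or why it is kept apart from the generic `block_device`. Going by the file_contexts change in this same commit, it labels the nodes under `/dev/block/vold/`, presumably ones vold creates itself. A line such as `# Block device nodes managed by vold under /dev/block/vold.` above the declaration would record that, in the same way the commit already documents `metadata_block_device`.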
@@ -82,3 +83,8 @@ type cache_block_device, dev_type;
 
 # Block device for any swap partition.
 type swap_block_device, dev_type;
+
+# Metadata block device used for encryption metadata.
+# Assign this type to the partition specified by the encryptable=
+# mount option in your fstab file in the entry for userdata.
+type metadata_block_device, dev_type;
diff --git a/file_contexts b/file_contexts
index 2efd7e957fd906591e93ae71affa15b5cbcc7100..4325cf3daa3141bd8241cd2c076c0e8a6bb4b88d 100644
--- a/file_contexts
+++ b/file_contexts
@@ -40,7 +40,9 @@
 /dev/audio.*		u:object_r:audio_device:s0
 /dev/binder		u:object_r:binder_device:s0
 /dev/block(/.*)?	u:object_r:block_device:s0
+/dev/block/dm-[0-9]+	u:object_r:dm_device:s0
 /dev/block/loop[0-9]*	u:object_r:loop_device:s0
+/dev/block/vold/[0-9]+:[0-9]+	u:object_r:vold_device:s0
 /dev/block/ram[0-9]*	u:object_r:ram_device:s0
 /dev/bus/usb(.*)?       u:object_r:usb_device:s0
 /dev/cam		u:object_r:camera_device:s0
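Review bot: Labelling `/dev/block/dm-[0-9]+` as `dm_device` puts the mapped volumes under a type that vold.te already grants for `chr_file` (the existing `allow vold dm_device:chr_file rw_file_perms;`), so one type now covers two object classes of very different sensitivity. A dm-N node exposes the contents of whatever volume is mapped behind it, so any later rule that grants `dm_device:blk_file` gives raw access to every such volume. A comment next to the entry would warn future policy authors, for example `# dm-N nodes expose mapped volume contents; grant dm_device:blk_file only to domains that need raw access.` A `neverallow` that limits `dm_device:blk_file` to the intended domains would make the restriction enforceable at build time.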
diff --git a/vold.te b/vold.te
index ef3924b34b7274eeb4cfbb40b76ce3c6109ccddb..f605f8a77710343a8fce8a34bce03ca2480d8690 100644
--- a/vold.te
+++ b/vold.te
@@ -5,9 +5,11 @@ type vold_exec, exec_type, file_type;
 init_daemon_domain(vold)
 
 typeattribute vold mlstrustedsubject;
+allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
 allow vold block_device:dir create_dir_perms;
 allow vold block_device:blk_file create_file_perms;
+auditallow vold block_device:blk_file create_file_perms;
 allow vold device:dir write;
 allow vold devpts:chr_file rw_file_perms;
 allow vold rootfs:dir mounton;
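Review bot: The added `auditallow vold block_device:blk_file create_file_perms;` has no comment saying why it is there or when it can be removed. auditallow only logs accesses that the preceding `allow` already grants, so it reads as a temporary probe for nodes that still carry the generic `block_device` label. If so, say it, e.g. `# Log any remaining use of generic block_device nodes so the allow above can be dropped.` The new `allow vold self:process setfscreate;` is also unexplained; presumably it lets vold label the nodes it creates as `vold_device`, and a one-line comment confirming that would help the next reviewer judge whether it is still needed.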
@@ -22,8 +24,10 @@ allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner
 allow vold self:netlink_kobject_uevent_socket create_socket_perms;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
-allow vold loop_device:blk_file rw_file_perms;
+allow vold loop_device:blk_file create_file_perms;
+allow vold vold_device:blk_file create_file_perms;
 allow vold dm_device:chr_file rw_file_perms;
+allow vold dm_device:blk_file rw_file_perms;
 # For vold Process::killProcessesWithOpenFiles function.
 allow vold domain:dir r_dir_perms;
 allow vold domain:{ file lnk_file } r_file_perms;
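Review bot: `loop_device:blk_file` is widened from `rw_file_perms` to `create_file_perms`, which adds create, rename, setattr and unlink, and nothing in the hunk says which vold code path needs them. If vold only opens loop nodes that already exist, the rule should stay `allow vold loop_device:blk_file rw_file_perms;`. If vold does create or remove loop nodes, add a comment naming the caller so the grant can be audited later. The new `allow vold dm_device:blk_file rw_file_perms;` gives vold raw read/write on every device-mapper volume and would benefit from a comment stating its purpose, as the neighbouring `killProcessesWithOpenFiles` rule has.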
@@ -94,4 +98,6 @@ allow vold tee_device:chr_file rw_file_perms;
 
 # Access userdata block device.
 allow vold userdata_block_device:blk_file rw_file_perms;
-auditallow vold userdata_block_device:blk_file rw_file_perms;
+
+# Access metadata block device used for encryption meta-data.
+allow vold metadata_block_device:blk_file rw_file_perms;