diff --git a/domain.te b/domain.te
index 9ecb1371dbbbc2e4447c476f1329ae5c22e4626c..7cc7f133cee9e3b651aef896c3e6965f49f43d23 100644
--- a/domain.te
+++ b/domain.te
@@ -199,3 +199,8 @@ neverallow { domain -unconfineddomain -vold } block_device:blk_file { open read
 # Rather force a relabel to a more specific type.
 # ueventd is exempt from this, as its managing these devices.
 neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
diff --git a/init.te b/init.te
index bab0df369fb57d289a1606595a049195630acf7f..84fbf5a0fd3cfe4f489f29f97fee64c81a21f942 100644
--- a/init.te
+++ b/init.te
@@ -7,6 +7,7 @@ relabelto_domain(init)
 # add a rule to handle unlabelled mounts
 allow init unlabeled:filesystem mount;
+allow init fs_type:filesystem *;
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow init kernel:security load_policy;
 allow init usermodehelper:file rw_file_perms;
diff --git a/kernel.te b/kernel.te
index dfc6258252021e92c20bf414acb54e8a1aa92c0d..106d48ec7b875ee78f9a39651a9418b5d9334504 100644
--- a/kernel.te
+++ b/kernel.te
@@ -9,6 +9,7 @@ relabelto_domain(kernel)
 allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow kernel unlabeled:filesystem mount;
+allow kernel fs_type:filesystem *;
 # Initial setenforce by init prior to switching to init domain.
 allow kernel self:security setenforce;
diff --git a/recovery.te b/recovery.te
index abcf0cfd4251813f286f95e7173bfe6739ad2e64..37d645593caff66aeff9fec738049e8f9d1fe7d9 100644
--- a/recovery.te
+++ b/recovery.te
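Review bot: The new neverallow in domain.te leaves `unmount` out of the restricted permission set, so a domain outside the exempt list that is denied `mount` on a filesystem can still be granted `unmount` on it (a denial-of-service vector against /data or /system); if that is not intended, the assertion could read `neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount unmount relabelfrom relabelto };`, and if it is deliberate a one-line comment saying so would help. The comment says "sdcard_type / vfat" but the rule only names `sdcard_type`; that is only equivalent if vfat mounts are labelled with a type carrying the `sdcard_type` attribute (presumably true, not visible here), and the comment could state that explicitly. Note also that `unconfineddomain` is not exempted, unlike the two neighbouring neverallows, so any remaining unconfined domain that mounts a non-sdcard filesystem now needs its own allow rule plus an exemption here, which is presumably the intent of removing the unconfined rule.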
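Review bot: `allow init fs_type:filesystem *;` grants every permission in the filesystem class on every filesystem type, including any permission added to the class by a future kernel, whereas the neverallow this change adds in domain.te only constrains `{ mount remount relabelfrom relabelto }`; listing the permissions init actually needs, e.g. `allow init fs_type:filesystem { mount remount unmount relabelfrom relabelto getattr };` (exact set to be confirmed against denials), keeps the grant reviewable. If `unlabeled` carries the `fs_type` attribute, the preceding `allow init unlabeled:filesystem mount;` is now subsumed by the new rule and could either be dropped or kept with a comment explaining why it stays. The rule list this hunk sits in continues outside the hunk.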
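Review bot: The new `allow kernel fs_type:filesystem *;` carries no comment saying why the kernel domain needs filesystem permissions at all; the adjacent comment about the initial setenforce indicates early init still runs in this domain before switching to init, so a line such as `# Early init runs in the kernel domain before transitioning to init and mounts the initial filesystems there.` above the rule would record the justification (confirm against init's startup sequence). As with init and recovery, the `*` wildcard also covers `unmount`, `quotamod`/`quotaget` and any future permission, so an explicit permission list would be narrower and easier to audit against the domain.te neverallow.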
@@ -8,6 +8,7 @@ allow recovery self:capability2 mac_admin;
 allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
 allow recovery unlabeled:filesystem mount;
+allow recovery fs_type:filesystem *;
 allow recovery self:process execmem;
 allow recovery ashmem_device:chr_file execute;
diff --git a/unconfined.te b/unconfined.te
index 8d424f3eef2f10f14d2619774fea5763c9ee0b27..ac0de840f006f56f475f27a9d675db38931bb571 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -28,7 +28,6 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
 allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain fs_type:filesystem *;
 allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
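Review bot: `allow recovery fs_type:filesystem *;` is wider than the style of the rest of this file, which carves exceptions out of broad attributes (see `-kmem_device` on the relabelto rule two lines above); naming the permissions recovery uses, such as `allow recovery fs_type:filesystem { mount remount unmount relabelfrom relabelto getattr };` (set to be confirmed), would match that style and make the `-recovery` exemption in the new domain.te neverallow reviewable. A short comment tying the rule to that assertion, e.g. `# recovery mounts, remounts and relabels arbitrary filesystems; exempted from the domain.te mount neverallow.`, would also help the next reader understand why recovery is on the exempt list.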