diff --git a/domain.te b/domain.te
index e6058bb4019c7a3954f8a697302a7fd3a82dde80..82b5f0d6a0a148002cef2bef3182e85f1934b3f7 100644
--- a/domain.te
+++ b/domain.te
@@ -347,6 +347,7 @@ neverallow {
   -update_engine
   -vold
   -recovery
+  -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
 
 # Only servicemanager should be able to register with binder as the context manager
diff --git a/ueventd.te b/ueventd.te
index e446207286c812d9821cebcb3ad0ca95fc0055d9..3c4ba20b8b087215337293c104c7ae5b851e6e51 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -21,7 +21,7 @@ allow ueventd tmpfs:chr_file rw_file_perms;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { create setattr unlink };
-allow ueventd dev_type:blk_file { create setattr unlink };
+allow ueventd dev_type:blk_file { relabelfrom relabelto create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
 allow ueventd efs_file:dir search;
 allow ueventd efs_file:file r_file_perms;