diff --git a/domain.te b/domain.te
index c575bdf57676876661a0b8c249e3edf1a0e660a9..11dd58c56dfb79e71c5cb6eeb77e7995378f2295 100644
--- a/domain.te
+++ b/domain.te
@@ -332,6 +332,7 @@ neverallow {
   -update_engine
   -vold
   -recovery
+  -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
 
 # Only servicemanager should be able to register with binder as the context manager
diff --git a/ueventd.te b/ueventd.te
index e446207286c812d9821cebcb3ad0ca95fc0055d9..3c4ba20b8b087215337293c104c7ae5b851e6e51 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -21,7 +21,7 @@ allow ueventd tmpfs:chr_file rw_file_perms;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { create setattr unlink };
-allow ueventd dev_type:blk_file { create setattr unlink };
+allow ueventd dev_type:blk_file { relabelfrom relabelto create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
 allow ueventd efs_file:dir search;
 allow ueventd efs_file:file r_file_perms;