diff --git a/public/domain.te b/public/domain.te
index 9bc9e4e3bfd7f9a0db928de78cc6291987cd7559..f28da11c549958a78629ac980dad563743b7feed 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -481,10 +481,10 @@ neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
 { append link rename write open read ioctl lock };
 # No domain other than recovery and update_engine can write to system partition(s).
-neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
+neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
 # No domains other than install_recovery or recovery can write to recovery.
-neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
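Review bot: The comments above the two tightened rules still say only "can write", so nothing records why `append` is now listed beside `write`. A line such as `# append is a separate permission from write (checked for O_APPEND opens), so deny both.` above each rule would keep the intent visible to whoever next edits them. The metadata_block_device rule at the top of the hunk also denies `link` and `rename`, which the system_block_device and recovery_block_device rules still leave out. If that difference is deliberate it deserves a short comment, otherwise the permission sets could be aligned. It is also worth confirming that no domain outside the exempted ones currently holds `append` on these types, since a neverallow violation fails the policy build.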