diff --git a/device.te b/device.te
index adee1d7bf74f87bf185b70d01d44687e899921d1..788d9cb2e7537f22fcd32737cab3345a76ec2c8a 100644
--- a/device.te
+++ b/device.te
@@ -67,3 +67,9 @@ type root_block_device, dev_type;
 
 # factory reset protection block device
 type frp_block_device, dev_type;
+
+# Userdata block device mounted on /data.
+type userdata_block_device, dev_type;
+
+# Cache block device mounted on /cache.
+type cache_block_device, dev_type;
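Review bot: Neither new type is attached to a device node anywhere in the visible change, and `cache_block_device` has no allow rule in any of the hunks, so these declarations do nothing until a file_contexts entry labels the partitions. The comments should say where that labeling is expected to happen, for example `# Userdata block device mounted on /data. Labeled by device-specific file_contexts.` if that is the intent. A device that never labels the node presumably keeps the generic `block_device` label, in which case the per-partition rules added in uncrypt.te and vold.te never apply.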
diff --git a/uncrypt.te b/uncrypt.te
index 265a8b1a6a6a6c31e7a7a389b1d17f702437e537..1c180646dda52d3d09030c93cae73144b9a1f616 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -28,3 +28,7 @@ allow uncrypt powerctl_prop:property_service set;
 allow uncrypt self:capability sys_rawio;
 allow uncrypt block_device:blk_file w_file_perms;
 allow uncrypt block_device:dir r_dir_perms;
+
+# Access userdata block device.
+allow uncrypt userdata_block_device:blk_file rw_file_perms;
+auditallow uncrypt userdata_block_device:blk_file rw_file_perms;
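Review bot: The added allow rule grants `rw_file_perms` on the raw userdata device, which is wider than the `w_file_perms` that the context line above grants on `block_device`. If uncrypt only writes to the partition, `allow uncrypt userdata_block_device:blk_file w_file_perms;` would keep read access to raw /data out of this domain; whether it needs read is not visible from this hunk. The existing `block_device` write grant stays in place, so the new label does not yet narrow what uncrypt can reach. The `auditallow` here and the one in vold.te log every granted access and carry no comment; a line such as `# auditallow is temporary: confirms the new label is in use, remove once verified` would record the intent, if that is the intent.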
diff --git a/vold.te b/vold.te
index 0247bfea93e5dbfb3820d791d5d395167cd9b8db..620089602fda72762bc08d77f810db3cd8884eb4 100644
--- a/vold.te
+++ b/vold.te
@@ -89,3 +89,6 @@ binder_call(vold, healthd)
 # talk to keymaster
 allow vold tee_device:chr_file rw_file_perms;
 
+# Access userdata block device.
+allow vold userdata_block_device:blk_file rw_file_perms;
+auditallow vold userdata_block_device:blk_file rw_file_perms;