diff --git a/domain.te b/domain.te
index bf3295c8392c305bc29a174d27312264e1d86d4a..fc4cfd85a010d4c1d414aed32521cc0bf77113e1 100644
--- a/domain.te
+++ b/domain.te
@@ -93,6 +93,7 @@ allow domain urandom_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
 allow domain properties_device:file r_file_perms;
 allow domain init:key search;
+allow domain vold:key search;
 
 # logd access
 write_logd(domain)
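Review bot: The added `allow domain vold:key search;` applies to every domain in the policy, including ones with no visible reason to reach keys labelled `vold`, and unlike the neighbouring sections it has no comment stating why. If the intent is that any process must be able to search a keyring vold populates so its file-encryption key can be found, say so above the rule, e.g. `# Let every domain search (not read or modify) keys created by vold.` Consider bounding it with something like `neverallow { domain -vold } vold:key ~search;` so a later change cannot silently widen the access. The exception set in that rule is a guess and needs checking against the full policy.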
diff --git a/init.te b/init.te
index 9f624ba778b5b97b14d2ea4208f0a757b3f0da04..89ddac79ec3570dccac5f8bd4f3a03e4c801d4b0 100644
--- a/init.te
+++ b/init.te
@@ -257,11 +257,7 @@ allow init pstorefs:file r_file_perms;
 # linux keyring configuration
 allow init init:key { write search setattr };
 
-# Allow init to link temp fs to unencrypted data on userdata
-allow init tmpfs:lnk_file { create read getattr relabelfrom };
-
-# Allow init to manipulate /data/unencrypted
-allow init unencrypted_data_file:{ file lnk_file } create_file_perms;
+# Allow init to create /data/unencrypted
 allow init unencrypted_data_file:dir create_dir_perms;
 
 unix_socket_connect(init, vold, vold)
diff --git a/vold.te b/vold.te
index 1a1913e0462b603dfb32afaa589e3c1517f27243..6a8d82f0f914caf3bb9ce3b077bcb19c3d9f8433 100644
--- a/vold.te
+++ b/vold.te
@@ -140,8 +140,8 @@ allow vold userdata_block_device:blk_file rw_file_perms;
 # Access metadata block device used for encryption meta-data.
 allow vold metadata_block_device:blk_file rw_file_perms;
 
-# Allow init to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
+# Allow vold to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file } create_file_perms;
 allow vold unencrypted_data_file:dir create_dir_perms;
 
 # Write to /proc/sys/vm/drop_caches
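Review bot: In the new `allow vold unencrypted_data_file:{ file } create_file_perms;` the braces around a single class are a leftover from the old `{ file lnk_file }` set. Write it as `allow vold unencrypted_data_file:file create_file_perms;`, matching the single-class form used a few lines below for `vold_data_file:file`.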
@@ -151,6 +151,10 @@ allow vold proc_drop_caches:file w_file_perms;
 allow vold vold_data_file:dir create_dir_perms;
 allow vold vold_data_file:file create_file_perms;
 
+# linux keyring configuration
+allow vold init:key { write search setattr };
+allow vold vold:key { write search setattr };
+
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
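Review bot: `allow vold init:key { write search setattr };` lets vold modify and change attributes on keys labelled with init's domain, and the comment `# linux keyring configuration` does not explain why vold needs more than `search` there. If vold only has to add keys to a keyring that init created, document that in the comment, e.g. `# vold adds encryption keys to the keyring set up by init; needs write on init:key for that.` It is also worth confirming whether `setattr` on `init:key` is actually exercised and dropping it if not. Because domain.te now grants every domain `search` on `vold:key`, this block decides what those domains can find, so the comment should also name which keys vold is expected to create.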