diff --git a/public/domain.te b/public/domain.te
index d3fac7096..2621d8182 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -608,6 +608,8 @@ neverallow {
 neverallow {
   domain
   -fastbootd
+  userdebug_or_eng(`-fsck')
+  userdebug_or_eng(`-init')
   -recovery
   -update_engine
 } system_block_device:blk_file { write append };
diff --git a/public/fsck.te b/public/fsck.te
index dbbe34cdc..7a9fbeef1 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -18,6 +18,9 @@ allow fsck block_device:dir search;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;
+userdebug_or_eng(`
+allow fsck system_block_device:blk_file rw_file_perms;
+')
 
 # For the block devices where we have ioctl access,
 # allow at a minimum the following common fsck ioctls.
@@ -55,6 +58,7 @@ neverallow fsck {
   root_block_device
   swap_block_device
   system_block_device
+  userdebug_or_eng(`-system_block_device')
   vold_device
 }:blk_file no_rw_file_perms;
 
diff --git a/public/init.te b/public/init.te
index 02302b2a7..7f5b3fc41 100644
--- a/public/init.te
+++ b/public/init.te
@@ -317,6 +317,8 @@ allow init proc_filesystems:file r_file_perms;
 userdebug_or_eng(`
   # Overlayfs workdir write access check during mount to permit remount,rw
   allow init overlayfs_file:dir { relabelfrom mounton write };
+  allow init overlayfs_file:file { append };
+  allow init system_block_device:blk_file { write };
 ')
 
 allow init {