diff --git a/device.te b/device.te
index abe5daaf9..c1f3d283c 100644
--- a/device.te
+++ b/device.te
@@ -68,6 +68,12 @@ type root_block_device, dev_type;
 # factory reset protection block device
 type frp_block_device, dev_type;
+# System block device mounted on /system.
+type system_block_device, dev_type;
+
+# Recovery block device.
+type recovery_block_device, dev_type;
+
 # Userdata block device mounted on /data.
 type userdata_block_device, dev_type;
diff --git a/domain.te b/domain.te
index 8e9d8c446..86aeb07d8 100644
--- a/domain.te
+++ b/domain.te
@@ -318,3 +318,9 @@ neverallow domain default_android_service:service_manager add;
 neverallow { domain -init } default_prop:property_service set;
 neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
+
+# No domain other than recovery can write to system.
+neverallow { domain -recovery } system_block_device:blk_file write;
+
+# No domains other than install_recovery or recovery can write to recovery.
+neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
diff --git a/install_recovery.te b/install_recovery.te
index 138134ae5..52326859a 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -18,6 +18,8 @@ allow install_recovery system_file:file rx_file_perms;
 # create an appropriate label for it.
 allow install_recovery block_device:dir search;
 allow install_recovery block_device:blk_file rw_file_perms;
+auditallow install_recovery block_device:blk_file rw_file_perms;
+allow install_recovery recovery_block_device:blk_file rw_file_perms;
 # Create and delete /cache/saved.file
 allow install_recovery cache_file:dir rw_dir_perms;
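Review bot: The two new types in device.te only take effect once the partition's device node is actually labeled with them, and nothing in this diff adds the file_contexts entries, so until each device's file_contexts assigns system_block_device and recovery_block_device the nodes presumably stay at the generic block_device label and fall outside the domain.te neverallow rules. The type comments should say so, since core policy cannot do the labeling itself: `# System block device mounted on /system. Devices must label the partition node with this type in file_contexts for the domain.te neverallow to apply.` and the same sentence on the recovery type. The "Recovery block device." comment could also state what the partition is used for (the recovery image written by install_recovery), mirroring the wording of the neighbouring frp and userdata comments.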
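Review bot: Both new neverallow rules in domain.te restrict only the `write` permission, while the comments claim no other domain can "write to" the partition; on blk_file the `append` permission is a separate access vector granted for O_APPEND opens, so a domain holding only `append` would not be caught by these rules. The frp_block_device rule two lines above denies `rw_file_perms`, which covers this; the new rules should at least deny both vectors, `neverallow { domain -recovery } system_block_device:blk_file { write append };` and `neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };`. If the narrower `write` was chosen deliberately (for example to keep read access for verification tooling), the comments should say which accesses are intentionally left allowed.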
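Review bot: The new `auditallow install_recovery block_device:blk_file rw_file_perms;` line carries no comment, so a reader cannot tell whether it is a permanent audit or a temporary probe to find partitions that still carry the generic block_device label after recovery_block_device was introduced. The context comment above it ("create an appropriate label for it.") suggests the latter; add `# Audit remaining generic block_device access so any partition that still needs a specific label shows up in the logs.` and, if the intent is to eventually drop the broad `allow install_recovery block_device:blk_file rw_file_perms;`, a TODO naming that rule. Note also that this rule now grants install_recovery rw to both the generic label and recovery_block_device, so once devices are labeled the generic rule is the one worth tightening, not the new one.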