diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index eb4cdc1943507814087090b277402508113f855b..819b7a31b4bbd1621ceb6d49c4d97e4889be1dea 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -43,3 +43,12 @@ allow update_engine_common proc_cmdline:file r_file_perms;
 
 # Read files in /sys/firmware/devicetree/base/firmware/android/
 r_dir_file(update_engine_common, sysfs_dt_firmware_android)
+
+# read / write on /dev/device-mapper to map / unmap devices
+allow update_engine_common dm_device:chr_file rw_file_perms;
+
+# apply / verify updates on devices mapped via device mapper
+allow update_engine_common dm_device:blk_file rw_file_perms;
+
+# read / write metadata on super device to resize partitions
+allow update_engine_common super_block_device:blk_file rw_file_perms;