diff --git a/watchdogd.te b/watchdogd.te
index 9af871cdd800c3a00989a10362a9e9a9c05ef025..33609e47f5626bff0cca4a70ac9f8581ec4d64e9 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,4 +1,11 @@
 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
-unconfined_domain(watchdogd)
-allow watchdogd rootfs:file entrypoint;
+permissive watchdogd;
+allow watchdogd rootfs:file { entrypoint r_file_perms };
+allow watchdogd self:capability mknod;
+allow watchdogd device:dir { add_name write remove_name };
+allow watchdogd watchdog_device:chr_file rw_file_perms;
+# because of /dev/__kmsg__ and /dev/__null__
+write_klog(watchdogd)
+type_transition watchdogd device:chr_file null_device "__null__";
+allow watchdogd null_device:chr_file { create unlink };
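Review bot: `permissive watchdogd;` on the new side leaves the domain unenforced, so the allow rules after it only decide which accesses get logged as denials and do not yet confine watchdogd. If this is a staging step, say so next to the declaration, for example `# TODO: drop permissive once no avc denials are logged for watchdogd`, so the line is not carried forward indefinitely. The `self:capability mknod` and `device:dir { add_name write remove_name }` rules appear to serve the same temporary `/dev/__kmsg__` and `/dev/__null__` nodes as the rules under the existing comment. Moving that comment above them would document why write access to the generic `device` directory type is granted, which is the broadest permission in the hunk.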