diff --git a/public/domain.te b/public/domain.te
index 89f16355c045d913653d6a07b113c4a2c600b433..0a838a3d4f25b89abd3591b7dce7f881c26e50f3 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -474,7 +474,18 @@ neverallow domain device:chr_file { open read write };
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
 # this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot -apexd } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+neverallow {
+    domain
+    -apexd
+    recovery_only(`userdebug_or_eng(`-fastbootd')')
+    -init
+    -kernel
+    -otapreopt_chroot
+    -recovery
+    -update_engine
+    -vold
+    -zygote
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
 
 # Files from cache should never be executed
 neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
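Review bot: The new fastbootd exemption on line 13 is wider than what fastbootd.te actually grants: it lifts the neverallow for `mount remount relabelfrom relabelto` on every `fs_type`, while the userdebug/eng block in fastbootd.te only allows `labeledfs:filesystem { mount unmount }`. A narrower form would mirror the split already done for `contextmount_type` further down: drop the fastbootd macro from the exemption list of this statement and reduce its permission set to `{ remount relabelfrom relabelto }`, then add a second neverallow with the same exemption list plus the `recovery_only(userdebug_or_eng(-fastbootd))` entry restricted to `mount` alone. The comment on lines 6-8 should also say why fastbootd is exempt only on userdebug/eng recovery images, e.g. `# fastbootd (userdebug/eng recovery only) mounts /mnt/scratch for overlay handling`; the same explanatory comment is missing at the hunks starting at +520 and +544.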
@@ -509,6 +520,7 @@ neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_p
 neverallow {
     domain
     with_asan(`-asan_extract')
+    recovery_only(`userdebug_or_eng(`-fastbootd')')
 } {
     system_file_type
     vendor_file_type
@@ -532,7 +544,8 @@ neverallow * {fs_type -contextmount_type}:filesystem relabelto;
 # the write to /system restriction above is not bypassed via context=
 # mount to another type.
 neverallow * contextmount_type:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
+    { create setattr relabelfrom relabelto append link rename };
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
 
 # Do not allow service_manager add for default service labels.
 # Instead domains should use a more specific type such as
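Review bot: Line 39 is written as a single long line even though the same `recovery_only(userdebug_or_eng(-fastbootd))` construct was laid out one element per line in the two earlier hunks of this file; for consistency it should use the multi-line `neverallow {` form. The comment on lines 34-35 now overstates the rule, since `write` and `unlink` on `contextmount_type` are carved out for fastbootd on userdebug/eng builds, so it should gain a sentence such as `# write/unlink are split out so userdebug/eng fastbootd can clean up scratch overlay content.` The new statement also switches the source from `*` to `domain`; presumably that is required to express the exclusion, but it is worth a short comment so a reader does not take the two statements as covering different source sets.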
diff --git a/public/fastbootd.te b/public/fastbootd.te
index fe1005e4df3b8642e4471a570aad4b91d7b58570..4b79b6446183bf36b0ea4a915dc0cce8ad4a9233 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -62,6 +62,27 @@ recovery_only(`
   allow fastbootd proc_cmdline:file r_file_perms;
   allow fastbootd rootfs:dir r_dir_perms;
   allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
+
+  userdebug_or_eng(`
+    # Refined manipulation of /mnt/scratch, without these perms resorts
+    # to deleting scratch partition when partition(s) are flashed.
+    allow fastbootd self:process setfscreate;
+    allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
+    allow fastbootd {
+      system_file_type
+      unlabeled
+      vendor_file_type
+    }:dir { remove_name rmdir search write };
+    allow fastbootd {
+      overlayfs_file
+      system_file_type
+      unlabeled
+      vendor_file_type
+    }:{ file lnk_file } unlink;
+    allow fastbootd tmpfs:dir rw_dir_perms;
+    allow fastbootd labeledfs:filesystem { mount unmount };
+    get_prop(fastbootd, persistent_properties_ready_prop)
+  ')
 ')
 
 ###
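Review bot: The rules on lines 61, 67 and 69 are much broader than the stated purpose on lines 53-54: `labeledfs:filesystem { mount unmount }` covers every labeled filesystem, and the dir/file rules allow `write remove_name rmdir` and `unlink` across all of `system_file_type`, `vendor_file_type` and `unlabeled`, not just the scratch mount. If the scratch mount has or can be given a dedicated label, the filesystem and dir/file rules should be confined to it; where that is not possible, each rule should carry a one-line comment naming the concrete path or operation it exists for (for example which files under /mnt/scratch need `unlink`, and why `self:process setfscreate` on line 55 is required). The `')` on line 71 closes `userdebug_or_eng` and line 72 closes the enclosing `recovery_only(` block whose start lies outside the hunk, so these grants only exist on userdebug/eng recovery images, which is worth restating in the comment since the same condition appears in the domain.te exemptions.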