diff --git a/fsck.te b/fsck.te
index 22ff7b1a9130ca68aac49834b8501f859f3cdca2..ab4ee3120794d9b5b722370371e734f796cf2e58 100644
--- a/fsck.te
+++ b/fsck.te
@@ -16,6 +16,21 @@ allow fsck block_device:dir search;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow fsck {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+}:blk_file no_rw_file_perms;
+
 # Only allow entry from init via the e2fsck binary.
 neverallow { domain -init } fsck:process transition;
 neverallow domain fsck:process dyntransition;