diff --git a/device.te b/device.te
index 42d15e3bb91463463610450d7f7efb5a13988eed..94813c20e242d35548315073f3409f965b647a49 100644
--- a/device.te
+++ b/device.te
@@ -65,5 +65,5 @@ type rpmsg_device, dev_type;
 # Partition layout block device
 type root_block_device, dev_type;
 
-# Persistent data block device
-type persistent_data_block_device, dev_type;
+# factory reset protection block device
+type frp_block_device, dev_type;
diff --git a/domain.te b/domain.te
index ba4c65ac007da55a511d7446207f055a5c4262f0..74aa9c5e56eb58d2cf26db2b7fc48c37adbc2851 100644
--- a/domain.te
+++ b/domain.te
@@ -307,3 +307,5 @@ neverallow { domain -recovery } contextmount_type:dir_file_class_set
 # New service_types are defined in service.te and new mappings
 # from service name to service_type are defined in service_contexts.
 neverallow domain default_android_service:service_manager add;
+
+neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
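Review bot: The added `neverallow` on `frp_block_device:blk_file` has no comment, unlike the rule above it, and it covers only `rw_file_perms`, so it says nothing about a domain that is allowed to relabel, rename, unlink or setattr the node. Suggest heading it with `# Only init, recovery and system_server may read or write the factory reset protection block device, which survives a factory reset.` Whether the permission set can be widened (for example by adding `relabelfrom`) depends on which domains create and label device nodes elsewhere in the policy, which this diff does not show, so that needs checking before the rule is changed. The `-init` and `-recovery` exclusions have no matching allow in this commit; presumably they rely on grants outside the diff, and it is worth confirming both are still needed.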
diff --git a/system_server.te b/system_server.te
index de0408827e5bb360efbe38afbf3d3f36356bec8e..e55a43551c5e62074bb922ad753a4cfd0b192e58 100644
--- a/system_server.te
+++ b/system_server.te
@@ -382,10 +382,10 @@ allow system_server keystore:keystore_key {
 	password_uid
 };
 
-# Allow system server to search and write to the persistent data block device
-# This block device does not get wiped in a factory reset.
-allow system_server persistent_data_block_device:blk_file rw_file_perms;
+# Allow system server to search and write to the persistent factory reset
+# protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
+allow system_server frp_block_device:blk_file rw_file_perms;
 
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
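Review bot: The rewritten comment says system_server may "search and write to" the partition, but the rule it introduces, `allow system_server frp_block_device:blk_file rw_file_perms;`, grants read as well as write, and the `search` belongs to the `block_device:dir` rule that now sits between the comment and the FRP rule. A wording that matches both rules would be `# Allow system server to search the block device directory and to read and write the factory reset protection partition.`, followed by the existing sentence about the device not being wiped in a factory reset. The hunk opens inside the preceding `keystore_key` rule, which is unrelated to this change.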