diff --git a/private/apexd.te b/private/apexd.te
index 32efb98823e41700f53dfda44debac37f0b5ef41..3bfc3cdaf0b8c6c05a408a0139b55383dfbf00f5 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -14,6 +14,7 @@ allow apexd apex_data_file:file rw_file_perms;
 allow apexd loop_control_device:chr_file rw_file_perms;
 # allow apexd to access loop devices
 allow apexd loop_device:blk_file rw_file_perms;
+allowxperm apexd loop_device:blk_file ioctl LOOP_GET_STATUS64;
 # allow apexd to access /dev/block
 allow apexd block_device:dir r_dir_perms;
 
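Review bot: Once this `allowxperm` exists, every other ioctl apexd issues on `loop_device:blk_file` is denied — extended-permission filtering applies as soon as any xperm rule matches the source/target/class pair, and only the enumerated ioctls (plus the generic blk_file set in domain.te) remain. If apexd also attaches or detaches backing files on these loop devices (LOOP_SET_FD / LOOP_SET_STATUS64 / LOOP_CLR_FD), those calls will now fail with an avc denial; the hunk only shows that apexd has rw access to `loop_control_device` and `loop_device`, so whether it configures them cannot be confirmed from here. Either way the rule deserves a why-comment, e.g. `# apexd only queries loop device status; loop setup/teardown ioctls are intentionally not granted here` (or the opposite, once confirmed against apexd's loop handling).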
diff --git a/public/domain.te b/public/domain.te
index 355ec078ff98b4237d9b877d27bc7a8bb7e6e46d..fefca843be801422485452789eea5570d9b32107 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -310,7 +310,7 @@ allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 # All domains must clearly enumerate what ioctls they use
 # on filesystem objects (plain files, directories, symbolic links,
 # named pipes, and named sockets). We start off with a safe set.
-allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set } ioctl { FIOCLEX FIONCLEX };
+allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
 
 # Allow a process to make a determination whether a file descriptor
 # for a plain file or pipe (fifo_file) is a tty. Note that granting
@@ -319,6 +319,10 @@ allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_s
 allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
 allowxperm domain domain:fifo_file ioctl { TCGETS };
 
+# If a domain has access to perform an ioctl on a block device, allow these
+# very common, benign ioctls
+allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
+
 # Support sqlite F2FS specific optimizations
 # ioctl permission on the specific file type is still required
 # TODO: consider only compiling these rules if we know the
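Review bot: The comment above the new `dev_type:blk_file` rule should state its side effect, not just describe the two ioctls: adding any `allowxperm domain dev_type:blk_file ioctl` rule switches on extended-permission filtering for every domain that holds the `ioctl` permission on a `dev_type` block device, so from this commit on any blk_file ioctl that is not listed here or in the domain's own `allowxperm` rule is denied. That is the behaviour the `neverallowxperm` below is meant to enforce, but a domain owner reading this rule in isolation will not see it. Suggested wording: `# NOTE: the existence of this rule enables xperm filtering for all blk_file ioctls on dev_type; each domain must enumerate any further ioctls it needs. BLKGETSIZE64 and BLKSSZGET are read-only queries.` The sentence also needs its closing period.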
@@ -354,7 +358,7 @@ allow domain apex_mnt_dir:lnk_file r_file_perms;
 
 # All ioctls on file-like objects (except chr_file and blk_file) and
 # sockets must be restricted to a whitelist.
-neverallowxperm * *:{ dir notdevfile_class_set socket_class_set } ioctl { 0 };
+neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
 
 # b/68014825 and https://android-review.googlesource.com/516535
 # rfc6093 says that processes should not use the TCP urgent mechanism
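Review bot: The comment two lines above the changed `neverallowxperm` is now stale: it still says "except chr_file and blk_file" while the rule on the next line adds `blk_file` to the restricted set. It should read `# All ioctls on file-like objects (except chr_file) and` so the prose matches the neverallow it documents, otherwise the next person adding a blk_file ioctl will be told by the comment that no whitelist is required.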
diff --git a/public/e2fs.te b/public/e2fs.te
index ea9981dd04e04de32833516ab85841356db441cb..601af16d2ab14baf91beee4524a820c53e51e076 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -7,6 +7,9 @@ allow e2fs dev_type:blk_file getattr;
 allow e2fs block_device:dir search;
 allow e2fs userdata_block_device:blk_file rw_file_perms;
 allow e2fs metadata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { userdata_block_device metadata_block_device }:blk_file ioctl {
+  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
 
 allow e2fs {
   proc_filesystems
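Review bot: BLKDISCARD and BLKSECDISCARD are destructive (they discard the underlying blocks of the device), so granting them on `userdata_block_device` and `metadata_block_device` is a materially stronger capability than the status-query ioctls granted elsewhere in this patch and should carry a why-comment rather than sit in an unannotated list. Presumably they are needed because this domain formats those devices (the domain name suggests mke2fs, but the hunk does not show the binary), so something like `# BLKDISCARD/BLKSECDISCARD are destructive; needed only because e2fs formats these partitions` above the rule would record the intent. Splitting the list so the read-only queries (BLKPBSZGET, BLKDISCARDZEROES, BLKROGET) sit on a separate line from the discard ioctls would also make future review of additions easier.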
@@ -18,5 +21,5 @@ allow e2fs {
 allow e2fs sysfs_fs_ext4_features:dir search;
 allow e2fs sysfs_fs_ext4_features:file r_file_perms;
 
-# access sselinux context files
-allow e2fs file_contexts_file:file { getattr open read };
+# access SELinux context files
+allow e2fs file_contexts_file:file r_file_perms;
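Review bot: Replacing `{ getattr open read }` with `r_file_perms` widens the grant beyond the three permissions it replaces — in this policy the macro also includes at least `ioctl`, `lock` and `map` — and that widening is unrelated to the blk_file ioctl restriction this patch is otherwise about. If the extra permissions are not needed, keeping the explicit triple with only the comment typo fixed is the least-privilege choice; if they are, a one-line comment saying which one e2fs actually hit (`# e2fs also needs map/ioctl on file_contexts; see <bug>`) would justify the change. The original line was only a spelling fix away from correct.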
diff --git a/public/fsck.te b/public/fsck.te
index 32462ea5b5ba2eb3453ccbd3aadfe2fe3d2323b4..dbbe34cdcadac5ccc7b53c23286fb8b189a2973c 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -19,6 +19,13 @@ allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;
 
+# For the block devices where we have ioctl access,
+# allow at a minimum the following common fsck ioctls.
+allowxperm fsck dev_type:blk_file ioctl {
+  BLKDISCARDZEROES
+  BLKROGET
+};
+
 # To determine if it is safe to run fsck on a filesystem, e2fsck
 # must first determine if the filesystem is mounted. To do that,
 # e2fsck scans through /proc/mounts and collects all the mounted
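Review bot: The new xperm rule targets `dev_type` while the base `allow` rules immediately above it are scoped to `userdata_block_device`, `cache_block_device` and `dm_device`; the mismatch is harmless in effect (an xperm rule only matters where the domain already holds `ioctl`), but it makes the rule read as broader than it is and diverges from e2fs.te in this same patch, which enumerates the concrete device types. Scoping it the same way, `allowxperm fsck { userdata_block_device cache_block_device dm_device }:blk_file ioctl { BLKDISCARDZEROES BLKROGET };`, keeps the ioctl list visibly tied to the devices fsck may open. The comment's "at a minimum" also invites additions without review; dropping that phrase and stating these are read-only queries would be clearer.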
diff --git a/public/init.te b/public/init.te
index 430b120ef63f6cc232110a6be8421a86d504a0ea..ad8ced9498d29c140ced5077d3572ed129931dbb 100644
--- a/public/init.te
+++ b/public/init.te
@@ -117,6 +117,7 @@ allow init self:global_capability_class_set { sys_rawio mknod };
 
 # Mounting filesystems from block devices.
 allow init dev_type:blk_file r_file_perms;
+allowxperm init dev_type:blk_file ioctl BLKROSET;
 
 # Mounting filesystems.
 # Only allow relabelto for types used in context= mount options,
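Review bot: BLKROSET changes the read-only flag of a block device, which is a state-changing ioctl granted here on every `dev_type` block device while init's base permission on the same line above is only `r_file_perms`; a reader will reasonably ask why a read-only file grant comes with a write-style ioctl. The hunk does not show what init does with it (presumably marking partitions read-only before mounting them, but that is inference), so a why-comment is needed, e.g. `# BLKROSET: init marks block devices read-only before mounting them; the only blk_file ioctl init needs`. If the set of devices init actually toggles is known, narrowing from `dev_type` to those types would match the least-privilege style used elsewhere in this patch.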
diff --git a/public/vold.te b/public/vold.te
index 8d52a31a7f165f5a9106c39fe9ef23a71618548a..7645239918aef7704ce5ecc6bd2c89a220a20766 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -99,6 +99,7 @@ allow vold self:global_capability_class_set { net_admin dac_override dac_read_se
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow vold loop_control_device:chr_file rw_file_perms;
 allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold loop_device:blk_file ioctl LOOP_GET_STATUS64;
 allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
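Review bot: Granting only LOOP_GET_STATUS64 on `loop_device:blk_file` now denies every other loop ioctl vold might issue, because an xperm rule on this source/target/class pair turns on extended-permission filtering for all of them; the context line above shows vold creating and unlinking loop devices with rw access and driving `loop_control_device`, which suggests it also attaches and detaches backing files (LOOP_SET_FD / LOOP_SET_STATUS64 / LOOP_CLR_FD), although that cannot be confirmed from the hunk. If those calls exist they will start failing with avc denials after this change. The same consideration applies to `dm_device:blk_file`, where vold keeps rw access but now only gets the generic BLKGETSIZE64/BLKSSZGET set from domain.te; a comment such as `# vold only queries loop status here; setup/teardown ioctls go through loop_control_device` (or the corrected list) should record what was verified.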