diff --git a/public/domain.te b/public/domain.te
index db0c8cbb7d859214e5505adb8895e6825c88c78e..e9bdb6deccca2e99321a899c368733e400e41477 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -292,8 +292,9 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
 # All domains must clearly enumerate what ioctls they use
-# on plain files and directories
-allowxperm domain { file_type fs_type }:{ dir file } ioctl { 0 };
+# on filesystem objects (plain files, directories, symbolic links,
+# named pipes, and named sockets)
+allowxperm domain { file_type fs_type }:{ dir notdevfile_class_set } ioctl { 0 };
 
 # Support sqlite F2FS specific optimizations
 # ioctl permission on the specific file type is still required