diff --git a/prebuilts/api/28.0/private/file_contexts b/prebuilts/api/28.0/private/file_contexts
index 3dfb8a6490426a3d2a029f5cc84e9f301cefc94d..5d919710e4994d5d2b7e4f025f7933fb8abc22dc 100644
--- a/prebuilts/api/28.0/private/file_contexts
+++ b/prebuilts/api/28.0/private/file_contexts
@@ -515,6 +515,12 @@
 # LocalTransport (backup) uses this subtree
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
+#############################
+# Metadata files
+#
+/metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
+
 #############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
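Review bot: The added `# Metadata files` header does not say why `/metadata/vold` gets its own type, and that separation is the security-relevant part of the two new entries. A comment such as `# /metadata/vold is labelled separately so access to vold's files can be granted and audited apart from the rest of /metadata` would make the intent explicit; what vold stores there is not visible in this diff, so the wording should be confirmed. The two patterns overlap, so it is worth checking on a built image that every path below `/metadata/vold` resolves to `vold_metadata_file` rather than the broader `metadata_file`. The same applies to the identical hunk in `private/file_contexts`.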
diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
index 735524e0c327097648a9bebf50eb6e36b8f38f72..dafc06f99bb85f5b0ff568b3af12e8324fd45e87 100644
--- a/prebuilts/api/28.0/public/init.te
+++ b/prebuilts/api/28.0/public/init.te
@@ -477,6 +477,10 @@ allow init system_data_file:lnk_file r_file_perms;
 # For init to be able to run shell scripts from vendor
 allow init vendor_shell_exec:file execute;
 
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+
 ###
 ### neverallow rules
 ###
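Review bot: `# Metadata setup` does not explain why init needs `create_dir_perms` on `vold_metadata_file:dir`, which expands to create, reparent, rename, rmdir and setattr on top of `rw_dir_perms`, so init can also remove and rename entries in the vold directory. A comment like `# init creates /metadata/vold at boot; it may only stat files inside, never read or write them` would record the intended boundary, assuming that is what the setup step does. No neverallow restricting which domains may read or write `vold_metadata_file:file` is visible in this diff; if none exists elsewhere in the policy, the separate type gives little protection on its own. The same applies to the identical hunk in `public/init.te`.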
diff --git a/private/file_contexts b/private/file_contexts
index 3dfb8a6490426a3d2a029f5cc84e9f301cefc94d..5d919710e4994d5d2b7e4f025f7933fb8abc22dc 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -515,6 +515,12 @@
 # LocalTransport (backup) uses this subtree
 /data/cache/backup(/.*)?	u:object_r:cache_private_backup_file:s0
 
+#############################
+# Metadata files
+#
+/metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
+
 #############################
 # asec containers
 /mnt/asec(/.*)?             u:object_r:asec_apk_file:s0
diff --git a/public/init.te b/public/init.te
index 735524e0c327097648a9bebf50eb6e36b8f38f72..dafc06f99bb85f5b0ff568b3af12e8324fd45e87 100644
--- a/public/init.te
+++ b/public/init.te
@@ -477,6 +477,10 @@ allow init system_data_file:lnk_file r_file_perms;
 # For init to be able to run shell scripts from vendor
 allow init vendor_shell_exec:file execute;
 
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+
 ###
 ### neverallow rules
 ###