diff --git a/public/domain.te b/public/domain.te
index 9993f2fe195dc11ebdb818fdd3b11813380b8d2f..e2c71da6165666d9fb63a719457c9a6490bf24f1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -378,7 +378,7 @@ neverallow {
   -system_server
   -shell # Shell is further restricted in shell.te
   -ueventd # Further restricted in ueventd.te
-} frp_block_device:blk_file rw_file_perms;
+} frp_block_device:blk_file no_rw_file_perms;
 
 # The metadata block device is set aside for device encryption and
 # verified boot metadata. It may be reset at will and should not
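Review bot: Nothing next to the frp_block_device rule records why it moved from `rw_file_perms` to `no_rw_file_perms`, and the relaxation applies to every domain, not only the fsck domains that gain `getattr` elsewhere in this commit. Assuming `no_rw_file_perms` (defined outside this diff) omits `getattr`, a later cleanup could switch it back and break the fsck rules. I would add a comment above the rule such as `# getattr is deliberately not covered: fsck and fsck_untrusted stat() every block device to detect mounted filesystems`. The neverallow block opens above the hunk, so its full exclusion list is not visible here.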
diff --git a/public/fsck.te b/public/fsck.te
index 2f0a838e2f68025f7a7b8aeda9aa925ee1b14b6e..8f3b17a4ad5b3132803b1d38a6011a2e88803a78 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -19,9 +19,16 @@ allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;
 
-# fsck performs a stat() on swap to verify that it is a valid
-# swap device before setting the EXT2_MF_SWAP mount flag.
-allow fsck swap_block_device:blk_file getattr;
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck dev_type:blk_file getattr;
 
 r_dir_file(fsck, proc)
 allow fsck rootfs:dir r_dir_perms;
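Review bot: The new comment explains why stat() is needed but not that the grant is meant to stay at `getattr`. `dev_type:blk_file` covers all block devices, far more than the three devices fsck may read and write in the lines above. A line such as `# getattr only: open/read/write remain limited to the devices allowed above` would make that boundary explicit for anyone extending the rule later. The removed EXT2_MF_SWAP rationale for swap is also lost; if that behaviour still applies, keep one sentence of it. The same comment and rule are added to public/fsck_untrusted.te, and the same applies there.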
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index 98806dd1fb9450eb00c56a0be6b0d2a6cbc7018b..a9dd8055a6ea9112f157f4999be5f936b2105c66 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -14,6 +14,17 @@ allow fsck_untrusted vold_device:blk_file rw_file_perms;
 
 r_dir_file(fsck_untrusted, proc)
 
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
 ###
 ### neverallow rules
 ###
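Review bot: The neverallow section that begins on the last lines of this hunk is not shown, and it is the part that has to keep `fsck_untrusted` at stat-only on everything except `vold_device`. If `rw_file_perms` includes `getattr`, any rule there that still names a protected block device with it would now conflict with `allow fsck_untrusted dev_type:blk_file getattr;`. Any fix to such a rule must keep open, read and write forbidden. It is worth confirming those rules use the same `no_rw_file_perms` set as the domain.te change in this commit. The matching neverallow rules in fsck.te are outside the diff too.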