diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 7769b65b6bb76e3947f234e425486cca6062df06..ae0d4e71c3bf95ec208d439724d67ad7e8004f1d 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -109,6 +109,7 @@
     usbd_tmpfs
     vendor_init
     vendor_shell
+    vold_metadata_file
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
     vold_service
diff --git a/private/e2fs.te b/private/e2fs.te
deleted file mode 100644
index 2c4c0139808e8350186321c6a4544980617f5b05..0000000000000000000000000000000000000000
--- a/private/e2fs.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow e2fs devpts:chr_file { read write };
-allow e2fs metadata_block_device:blk_file rw_file_perms;
-
diff --git a/public/e2fs.te b/public/e2fs.te
index a95512128e6d52b128f736a74c828420fd3d58d6..6fcd0c2fb8791f16ae3216a2e510dcdf732cd4e0 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -1,9 +1,12 @@
 type e2fs, domain, coredomain;
 type e2fs_exec, exec_type, file_type;
 
-allow e2fs block_device:blk_file getattr;
+allow e2fs devpts:chr_file { read write getattr ioctl };
+
+allow e2fs dev_type:blk_file getattr;
 allow e2fs block_device:dir search;
 allow e2fs userdata_block_device:blk_file rw_file_perms;
+allow e2fs metadata_block_device:blk_file rw_file_perms;
 
 allow e2fs {
   proc_filesystems
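Review bot: The getattr rule on the new side is widened from the single `block_device` type to the `dev_type` attribute (every device-node type), and nothing in the hunk says why e2fs needs to stat device nodes beyond the `userdata_block_device` and `metadata_block_device` it is actually granted rw on; a comment such as `# getattr on all device nodes is needed for: <reason>` (or a narrower type list if the need is specific) would keep the widening reviewable. The `devpts:chr_file` rule moved here from the deleted private/e2fs.te also gains `getattr ioctl` over the original `{ read write }` without a comment, so the two moves are not pure relocations. The `allow e2fs {` block that starts at the end of this hunk continues outside it.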
@@ -12,6 +15,7 @@ allow e2fs {
 }:file r_file_perms;
 
 # access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:dir search;
 allow e2fs sysfs_fs_ext4_features:file r_file_perms;
 
 # access sselinux context files
diff --git a/public/file.te b/public/file.te
index 932ecbf8b9703851f7385b383e586c0ca09e0e5a..f45de90cb94be5594297cd55e9ef92c1f4455d7a 100644
--- a/public/file.te
+++ b/public/file.te
@@ -149,6 +149,9 @@ type vendor_framework_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/overlay
 type vendor_overlay_file, vendor_file_type, file_type;
 
+# /metadata subdirectories
+type vold_metadata_file, file_type;
+
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
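Review bot: The comment `# /metadata subdirectories` on the new type does not say whose subdirectories these are or who applies the label, which is the information a policy reader needs for a type that vold.te guards with neverallows; suggest `# Directories and files that vold creates under /metadata (see vold.te)`. No file_contexts entry for vold_metadata_file appears in this diff, so if the label is only applied at runtime, stating that in the comment would save the next reader a search.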
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c56b45cc6d44f390f0db365317cfbbe3d9b12fd0..dbb20fd7bf025e1eab684490b430d5f7523463a3 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -38,6 +38,7 @@ allow vendor_init {
   -system_file
   -unlabeled
   -vendor_file_type
+  -vold_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init {
@@ -48,6 +49,7 @@ allow vendor_init {
   -system_file
   -unlabeled
   -vendor_file_type
+  -vold_metadata_file
 }:file { create getattr open read write setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -57,6 +59,7 @@ allow vendor_init {
   -system_file
   -unlabeled
   -vendor_file_type
+  -vold_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -66,6 +69,7 @@ allow vendor_init {
   -system_file
   -unlabeled
   -vendor_file_type
+  -vold_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -74,6 +78,7 @@ allow vendor_init {
   -exec_type
   -system_file
   -vendor_file_type
+  -vold_metadata_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;
diff --git a/public/vold.te b/public/vold.te
index a490e0643e89fd417aba7cda5adc050a97032d35..0107ebd4cd8e30f189cb756170ee5c7bd57eaa95 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -172,6 +172,10 @@ allow vold proc_drop_caches:file w_file_perms;
 allow vold vold_data_file:dir create_dir_perms;
 allow vold vold_data_file:file create_file_perms;
 
+# And a similar place in the metadata partition
+allow vold vold_metadata_file:dir create_dir_perms;
+allow vold vold_metadata_file:file create_file_perms;
+
 # linux keyring configuration
 allow vold init:key { write search setattr };
 allow vold vold:key { write search setattr };
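Review bot: The comment `# And a similar place in the metadata partition` only makes sense relative to the `vold_data_file` rules above it, and reads as a fragment once those lines scroll out of view; suggest `# vold's private directories under /metadata, mirroring vold_data_file under /data`. The surrounding allow rules for vold continue outside this hunk.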
@@ -198,10 +202,48 @@ allow vold user_profile_data_file:dir create_dir_perms;
 # Raw writes to misc block device
 allow vold misc_block_device:blk_file w_file_perms;
 
-neverallow { domain -vold -vold_prepare_subdirs } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -vold -init -vold_prepare_subdirs } vold_data_file:dir *;
-neverallow { domain -vold -init -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set *;
+neverallow {
+    domain
+    -vold
+    -vold_prepare_subdirs
+} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+    domain
+    -init
+    -vold
+    -vold_prepare_subdirs
+} vold_data_file:dir *;
+
+neverallow {
+    domain
+    -init
+    -vendor_init
+    -vold
+} vold_metadata_file:dir *;
+
+neverallow {
+    domain
+    -kernel
+    -vold
+    -vold_prepare_subdirs
+} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+    domain
+    -init
+    -vold
+    -vold_prepare_subdirs
+} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+    domain
+    -init
+    -kernel
+    -vold
+    -vold_prepare_subdirs
+} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
+
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
 # Only system_server and vdc can interact with vold over binder
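Review bot: The `vold_metadata_file:dir *` neverallow exempts `vendor_init`, yet no rule in this diff grants vendor_init any access to that type; the vendor_init.te hunks instead remove `vold_metadata_file` from every vendor_init allow, so the exemption buys nothing today and only means a future vendor policy could grant vendor_init write access to these directories without tripping a neverallow. Unlike `vold_data_file`, which pairs its `dir *` rule with a looser `~{ open create read getattr setattr search relabelto ioctl }` rule that still binds init, `vold_metadata_file` has no ceiling at all for init or vendor_init on the dir class. Either drop `-vendor_init` from the exemption list, or add the parallel rule `neverallow { domain -vold } vold_metadata_file:dir ~{ open create read getattr setattr search relabelto ioctl };` (adjusting the exemptions to whatever init actually needs). Less clearly, `vold_prepare_subdirs` is exempted from the `vold_metadata_file:notdevfile_class_set` rules but not from the dir rule, which looks unintentional if it is meant to touch /metadata and unnecessary if it is not. The neverallow block continues into file content outside this hunk.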