diff --git a/public/domain.te b/public/domain.te
index 1b7bbd4abf30f44bd89fd48c49205344feabc822..f0867a4c4b803496a4d87090620d7041b362a1df 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -600,6 +600,7 @@ neverallow {
   -init
   -uncrypt
   -update_engine
+  -vendor_init
   -vold
   -recovery
   -ueventd
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0237861a949ce133d04013280a9963e9c0df11ee..e2b7ec4821f1deb7640de588dec437ae77df4d76 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -146,6 +146,9 @@ allow vendor_init serialno_prop:file { getattr open read };
 # Vendor init can perform operations on trusted and security Extended Attributes
 allow vendor_init self:global_capability_class_set sys_admin;
 
+# Raw writes to misc block device
+allow vendor_init misc_block_device:blk_file w_file_perms;
+
 not_compatible_property(`
     set_prop(vendor_init, {
       property_type