diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 3931468b2bf286e0c0dfc0000cbdd8a25daa953f..ccc335206cd48ad0fd61057ed36b0d6fee634c1a 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -9,8 +9,16 @@ allow update_engine_common boot_block_device:blk_file rw_file_perms;
 allow update_engine_common system_block_device:blk_file rw_file_perms;
 
 # Where ioctls are granted via standard allow rules to block devices,
-# automatically allow BLKROGET and BLKROSET.
-allowxperm update_engine_common dev_type:blk_file ioctl { BLKROGET BLKROSET };
+# automatically allow common ioctls that are generally needed by
+# update_engine.
+allowxperm update_engine_common dev_type:blk_file ioctl {
+  BLKDISCARD
+  BLKDISCARDZEROES
+  BLKROGET
+  BLKROSET
+  BLKSECDISCARD
+  BLKZEROOUT
+};
 
 # Allow to set recovery options in the BCB. Used to trigger factory reset when
 # the update to an older version (channel change) or incompatible version
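Review bot: The widened `allowxperm` on `dev_type:blk_file` now lists three data-destroying ioctls (`BLKDISCARD`, `BLKSECDISCARD`, `BLKZEROOUT`) beside the read-only queries, and the new comment calls them all "common ioctls" without saying so. Because the target is the `dev_type` attribute, nothing in this rule limits which partitions can be discarded or zeroed. The only limit is whichever standard `allow` rules grant `ioctl` on a block device type, so any later `allow update_engine_common <type>:blk_file rw_file_perms;` (presumably including `ioctl`) silently inherits the wipe ioctls too. I would state that in the comment, for example `# NOTE: BLKDISCARD, BLKSECDISCARD and BLKZEROOUT destroy data; they apply to every blk_file type that an allow rule grants ioctl on, so review new block-device allows with that in mind.` If update_engine only needs to discard or zero the partitions it already writes, consider a second `allowxperm` that names those types for the destructive ioctls and keeps only `BLKROGET`, `BLKROSET` and `BLKDISCARDZEROES` on `dev_type`.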