diff --git a/public/domain.te b/public/domain.te
index c6fc9f831682c656d51b2fdc0c5c259e804bcbdf..5dcfdf871bfa1ab96f826954fc11f7e3fb55bed5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1391,6 +1391,7 @@ neverallow {
   coredomain
   -init
   -ueventd
+  -vold
 } mnt_vendor_file:dir *;
 
 # Only apps are allowed access to vendor public libraries.
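Review bot: The `-vold` exemption added to this neverallow removes the compile-time guard for every `dir` permission on `mnt_vendor_file`, while the allow rule added in public/vold.te grants only `search`. A later change could therefore give vold write or `mounton` access to these directories without tripping any neverallow. Consider a companion rule next to the exemption, such as `neverallow vold mnt_vendor_file:dir ~{ search };`, widened only for permissions vold demonstrably needs. A one-line comment above the exemption stating why vold is excluded would also help future auditors. The neverallow statement opens above this hunk, so its full source set is not visible here.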
diff --git a/public/vold.te b/public/vold.te
index 481f48c92ab049e633725e0712466e0f7e045564..1aa616b3aa5b448f38fe3c6d069f7b3378645df3 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -213,6 +213,9 @@ allow vold user_profile_data_file:dir create_dir_perms;
 # Raw writes to misc block device
 allow vold misc_block_device:blk_file w_file_perms;
 
+# vold might need to search or mount /mnt/vendor/*
+allow vold mnt_vendor_file:dir search;
+
 neverallow {
     domain
     -vold
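Review bot: The new comment says vold "might need to search or mount" under /mnt/vendor, but the rule grants only `search`; mounting onto such a directory would additionally require `mounton`, which is not granted here. Comments in policy files are often read as the statement of intent during audits, so the wording should match the rule and name the concrete reason, e.g. `# Allow vold to traverse /mnt/vendor to reach <PLACEHOLDER: path vold actually opens>.` If mount access is really intended, it should be added as an explicit, separately justified rule rather than implied by the comment.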