diff --git a/device.te b/device.te
index b2f4f1d32b5ba19cdc33ef6b7260f8da3729fca7..a120ba3243c36d7f3fdaa1fe4f2ff75b6d9edee8 100644
--- a/device.te
+++ b/device.te
@@ -93,3 +93,6 @@ type swap_block_device, dev_type;
 # Assign this type to the partition specified by the encryptable=
 # mount option in your fstab file in the entry for userdata.
 type metadata_block_device, dev_type;
+
+# The 'misc' partition used by recovery and A/B.
+type misc_block_device, dev_type;
diff --git a/domain.te b/domain.te
index 164cad0af660a9b62a9e3ec9605df33aedc503cb..7d13e3659a6746f16a7eae362ffdc9b66df6df67 100644
--- a/domain.te
+++ b/domain.te
@@ -352,8 +352,8 @@ neverallow { domain -init } default_prop:property_service set;
 
 neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
 
-# No domain other than recovery can write to system.
-neverallow { domain -recovery } system_block_device:blk_file write;
+# No domain other than recovery and update_engine can write to system partition(s).
+neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
 
 # No domains other than install_recovery or recovery can write to recovery.
 neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
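Review bot: The new `misc_block_device` type introduced in device.te gets no neverallow here, while `system_block_device`, `recovery_block_device` and `frp_block_device` each have one restricting `blk_file write` to named domains. Within this change only uncrypt is granted write on it, and the device.te comment says the partition is used by recovery and A/B, so a rule such as `neverallow { domain -recovery -uncrypt } misc_block_device:blk_file write;` placed after the recovery_block_device rule would keep the new type under the same invariant; any other domain that legitimately writes /misc would then have to be added to that exemption list explicitly. The update_engine exemption on the system rule is consistent with update_engine.te, but since that file also grants `boot_block_device:blk_file rw_file_perms`, it is worth checking whether a boot_block_device neverallow exists elsewhere in this file (outside the hunk) and needs the same exemption.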
diff --git a/file_contexts b/file_contexts
index 42ed5ff2f9cf2f68aa85854e15a9b20ba17cc36f..69a59548a1f47df889f49c19d30cfa75939a431b 100644
--- a/file_contexts
+++ b/file_contexts
@@ -199,6 +199,7 @@
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
 /system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/update_engine        u:object_r:update_engine_exec:s0
 
 #############################
 # Vendor files
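Review bot: The added entry `/system/bin/update_engine        u:object_r:update_engine_exec:s0` uses a run of eight spaces before the context, whereas the neighbouring entries in this block use a single space or a tab, so the new line lines up with neither; `/system/bin/update_engine u:object_r:update_engine_exec:s0` matches the surrounding style. The `/data/misc/update_engine(/.*)?` entry in the second hunk is aligned with its neighbours and is fine. Nothing in this change creates /data/misc/update_engine, so presumably a matching mkdir in an init .rc file exists or is planned elsewhere; worth confirming, since without it there is no directory for this label to apply to.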
@@ -274,6 +275,7 @@
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
+/data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 
 # Fingerprint data
diff --git a/uncrypt.te b/uncrypt.te
index 752124ddb4ce30f6961bdb5d066bcf1b115ff4ed..93f5a274f5eb36356d603fe2187d957812a62392 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -27,6 +27,8 @@ set_prop(uncrypt, powerctl_prop)
 # Raw writes to block device
 allow uncrypt self:capability sys_rawio;
 allow uncrypt block_device:blk_file w_file_perms;
+auditallow uncrypt block_device:blk_file w_file_perms;
+allow uncrypt misc_block_device:blk_file w_file_perms;
 allow uncrypt block_device:dir r_dir_perms;
 
 # Access userdata block device.
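Review bot: The new `auditallow uncrypt block_device:blk_file w_file_perms;` sits directly beneath the unchanged `allow uncrypt block_device:blk_file w_file_perms;`, so uncrypt keeps write access to every generic block device and the added `misc_block_device` allow grants nothing new until that broad rule is removed. Presumably this is a transitional step to log which block devices uncrypt still writes so the generic rule can be dropped once devices label /misc, but nothing in the hunk says so; a comment would spare the next reader from wondering why both rules coexist, e.g. `# TODO: drop the generic block_device write once all devices label /misc as misc_block_device; the auditallow logs remaining uses.` The rest of the uncrypt policy continues outside the hunk.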
diff --git a/update_engine.te b/update_engine.te
new file mode 100644
index 0000000000000000000000000000000000000000..88b0b722f6ed57bbde596a2a7bfca0a944bf6eb2
--- /dev/null
+++ b/update_engine.te
@@ -0,0 +1,27 @@
+# Domain for update_engine daemon.
+type update_engine, domain;
+type update_engine_exec, exec_type, file_type;
+type update_engine_data_file, file_type, data_file_type;
+
+init_daemon_domain(update_engine);
+net_domain(update_engine);
+
+# Following permissions are needed for update_engine.
+allow update_engine self:process { setsched };
+allow update_engine self:capability { fowner sys_admin };
+allow update_engine kmsg_device:chr_file w_file_perms;
+wakelock_use(update_engine);
+
+# Allow using persistent storage in /data/misc/update_engine.
+allow update_engine update_engine_data_file:dir { create_dir_perms };
+allow update_engine update_engine_data_file:file { create_file_perms };
+
+# Allow update_engine to reach block devices in /dev/block.
+allow update_engine block_device:dir search;
+
+# Allow read/write on system and boot partitions.
+allow update_engine boot_block_device:blk_file rw_file_perms;
+allow update_engine system_block_device:blk_file rw_file_perms;
+
+# Don't allow kernel module loading, just silence the logs.
+dontaudit update_engine kernel:system module_request;
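Review bot: `allow update_engine self:capability { fowner sys_admin };` hands the very broad sys_admin capability to a domain that is also `net_domain` and has `rw_file_perms` on `system_block_device` and `boot_block_device`, and the only explanation is the generic "Following permissions are needed" comment. A per-capability why-comment would let a reviewer judge whether each can later be narrowed, e.g. `# sys_admin: <reason — TODO confirm minimum needed>` and `# fowner: <reason>`, and `net_domain(update_engine)` deserves a one-line note on what the network access is for, since network reach combined with raw writes to the system and boot partitions is a high-value target for any compromise of this daemon. As a point of style, the braces in `update_engine_data_file:dir { create_dir_perms }` and `:file { create_file_perms }` are redundant around a single permission macro; `allow update_engine update_engine_data_file:dir create_dir_perms;` matches how `kmsg_device:chr_file w_file_perms` is written two lines above.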