diff --git a/public/domain.te b/public/domain.te
index 1fb648bbe985a3e591678714a8cfb3a6b84c341f..8cfb87d24bfa1af33bbba94e16edf3e7006d4bcb 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -994,7 +994,7 @@ neverallow {
 # Enforce restrictions on kernel module origin.
 # Do not allow kernel module loading except from system,
 # vendor, and boot partitions.
-neverallow * ~{ system_file vendor_file_type rootfs }:system module_load;
+neverallow * ~{ system_file vendor_file rootfs }:system module_load;
 
 # Only allow filesystem caps to be set at build time or
 # during upgrade by recovery.
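Review bot: The comment above the changed rule still says modules may come from "system, vendor, and boot partitions", but the new exception set names the single type `vendor_file` rather than the `vendor_file_type` attribute. A module on the vendor partition that carries any other vendor label would now, as far as this hunk shows, trip the neverallow at build time once a domain is granted `module_load` on it. That is the tighter and safer rule, but the comment should say so, for example `# Vendor modules must be labelled vendor_file itself; other vendor_file_type labels are rejected.`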
diff --git a/public/modprobe.te b/public/modprobe.te
index ca0657f88485f2aa4ed1f79bcd5f7f7f6aca0ded..24a6b3b6379c4d366d56432956c022fea95d4423 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -6,4 +6,5 @@ recovery_only(`
   allow modprobe rootfs:system module_load;
   allow modprobe rootfs:file r_file_perms;
 ')
-allow modprobe system_file:system module_load;
+allow modprobe { system_file vendor_file }:system module_load;
+r_dir_file(modprobe, { system_file vendor_file })
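Review bot: `r_dir_file(modprobe, { system_file vendor_file })` on the last added line gives modprobe read access to every directory, file and symlink under the two generic labels, which covers far more of the system and vendor partitions than the module files it loads. The recovery block just above grants only `rootfs:file r_file_perms`. If directory listing and symlink reads are not needed, the narrower `allow modprobe { system_file vendor_file }:file r_file_perms;` would match that block. If they are needed, presumably to locate modules and their dependency files, a comment such as `# modprobe walks the module directories on system and vendor to resolve dependencies.` would record why the broad grant exists.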