diff --git a/domain.te b/domain.te
index 6d755a75c39350a6b7a8d799171898d0c5ab6911..13b977a9a55ec79ac6a9725d78459ebcb9fec36f 100644
--- a/domain.te
+++ b/domain.te
@@ -183,3 +183,7 @@ neverallow domain init:process ptrace;
 # Init can't receive binder calls. If this neverallow rule is being
 # triggered, it's probably due to a service with no SELinux domain.
 neverallow domain init:binder call;
+
+# Don't allow raw read/write/open access to block_device
+# Rather force a relabel to a more specific type
+neverallow { domain -unconfineddomain -vold } block_device:blk_file { open read write };
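Review bot: The added neverallow on `block_device:blk_file` covers `open read write` but not `append` or `ioctl`, so it does not quite enforce the "no raw access" intent the comment states. SELinux checks an O_APPEND open against the `append` permission rather than `write`, so a domain granted `append` on `block_device` could still open the raw device for writing, and ioctl-based operations on the device are left unconstrained entirely; if the goal is to force relabeling for any raw access, `neverallow { domain -unconfineddomain -vold } block_device:blk_file { open read write append ioctl };` is the tighter form. The `-vold` exemption is presumably deliberate because vold works with raw partitions, but the comment does not say so; a line such as `# vold is exempted because it needs raw access to unlabeled partitions` next to the rule would make the exception reviewable later. The `-unconfineddomain` carve-out is broad by definition, so it may be worth noting in the same comment that this neverallow only bites once domains are confined.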