diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index a7d3bf3987611869fc3abda130c1392d241a305c..3931468b2bf286e0c0dfc0000cbdd8a25daa953f 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -7,7 +7,10 @@ allow update_engine_common block_device:dir search;
 # Allow read/write on system and boot partitions.
 allow update_engine_common boot_block_device:blk_file rw_file_perms;
 allow update_engine_common system_block_device:blk_file rw_file_perms;
-allowxperm update_engine_common { boot_block_device system_block_device }:blk_file ioctl { BLKROGET BLKROSET };
+
+# Where ioctls are granted via standard allow rules to block devices,
+# automatically allow BLKROGET and BLKROSET.
+allowxperm update_engine_common dev_type:blk_file ioctl { BLKROGET BLKROSET };
 
 # Allow to set recovery options in the BCB. Used to trigger factory reset when
 # the update to an older version (channel change) or incompatible version
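Review bot: The `allowxperm` added on the new side targets the whole `dev_type` attribute, so the set of devices that get BLKROSET is no longer readable from this rule. It is decided by whichever `allow` rules give `update_engine_common` the `ioctl` permission on a `blk_file`, which, as far as I know, includes every use of `rw_file_perms`. A later rule that grants read/write on another partition type would therefore also allow toggling that device's read-only flag, with no change to this line to flag it in review. I would extend the comment to say so, e.g. `# This rule grants nothing by itself: the devices covered are those whose allow rule includes ioctl (e.g. via rw_file_perms).` followed by `# Re-check BLKROSET exposure whenever such an allow rule is added for this domain.` If the intent is to keep this limited to boot and system, a `neverallowxperm` for the remaining block device types would pin it, though whether that fits the rest of the policy cannot be judged from this hunk.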