diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 819b7a31b4bbd1621ceb6d49c4d97e4889be1dea..a7d3bf3987611869fc3abda130c1392d241a305c 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -7,6 +7,7 @@ allow update_engine_common block_device:dir search;
 # Allow read/write on system and boot partitions.
 allow update_engine_common boot_block_device:blk_file rw_file_perms;
 allow update_engine_common system_block_device:blk_file rw_file_perms;
+allowxperm update_engine_common { boot_block_device system_block_device }:blk_file ioctl { BLKROGET BLKROSET };
 
 # Allow to set recovery options in the BCB. Used to trigger factory reset when
 # the update to an older version (channel change) or incompatible version
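Review bot: The added `allowxperm` line has no comment of its own, and the existing "Allow read/write on system and boot partitions" comment does not explain why ioctl access is needed. BLKROSET changes a block device's read-only flag, so this rule lets whatever domains carry `update_engine_common` (it looks like a shared attribute) clear write protection on the boot and system partitions. An `allowxperm` rule also acts as an allowlist, so it limits ioctls on these two device types to the listed commands, which is worth stating for the next maintainer. I would add a comment directly above the new line: `# Allow querying/toggling the block device read-only flag before writing; allowxperm limits ioctls on these devices to BLKROGET and BLKROSET.` The rule only takes effect if `rw_file_perms` grants `ioctl`; that macro is defined outside this hunk, so please confirm.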