diff --git a/domain.te b/domain.te
index b2117db1aa4746d7921e6aa1acf218b9e19b15f7..2922da6835c0c066230284bdfea3da29ac793a1f 100644
--- a/domain.te
+++ b/domain.te
@@ -238,7 +238,7 @@ neverallow * init:binder *;
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
diff --git a/uncrypt.te b/uncrypt.te
index 354bda0043088e6c2fccde552b8f2a152c29c7e6..9231a4dd3df934f9d2cde902171a24b756f6d8ad 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -26,8 +26,6 @@ set_prop(uncrypt, powerctl_prop)
 
 # Raw writes to block device
 allow uncrypt self:capability sys_rawio;
-allow uncrypt block_device:blk_file w_file_perms;
-auditallow uncrypt block_device:blk_file w_file_perms;
 allow uncrypt misc_block_device:blk_file w_file_perms;
 allow uncrypt block_device:dir r_dir_perms;