diff --git a/prebuilts/api/26.0/26.0.cil b/prebuilts/api/26.0/26.0.cil
index 5242b468ddaf47eb6180c54f0610d5d41089a937..4a78695ff62e0dda4e6a6160c5a2b66612a01ba6 100644
--- a/prebuilts/api/26.0/26.0.cil
+++ b/prebuilts/api/26.0/26.0.cil
@@ -645,7 +645,7 @@
 (typeattributeset usbfs_26_0 (usbfs))
 (typeattributeset usb_service_26_0 (usb_service))
 (typeattributeset userdata_block_device_26_0 (userdata_block_device))
-(typeattributeset usermodehelper_26_0 (usermodehelper))
+(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
 (typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
 (typeattributeset user_service_26_0 (user_service))
 (typeattributeset vcs_device_26_0 (vcs_device))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3914cec7d03874d625d69d837f38ddc9370bbfd0..e77a39b921dac98711212b47d2dd2d5cf8c35eb8 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -59,7 +59,7 @@ genfscon sysfs /devices/virtual/misc/hw_random    u:object_r:sysfs_hwrandom:s0
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
 genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
 genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
-genfscon sysfs /kernel/uevent_helper u:object_r:usermodehelper:s0
+genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
 genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
 genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
 genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
diff --git a/public/domain.te b/public/domain.te
index 3dae729c50c6d07f3db5c87cc1e541d682e783fc..e6c72694c594cbc498b1d1d2a391399aa7e8dfab 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -317,6 +317,7 @@ neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
 neverallow { domain -init } proc_security:file { append open read write };
 
 # No domain should be allowed to ptrace init.
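Review bot: The added `neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };` exempts ueventd, so the comment above it ("Only init should be able to configure kernel usermodehelpers") no longer matches the rule. The exemption appears to be needed only because the public/ueventd.te hunk grants `allow ueventd sysfs_type:file w_file_perms;`, which also covers the new type. The label is applied to /sys/kernel/uevent_helper, a node that names a program the kernel runs, so write access is worth keeping init-only unless ueventd is known to need it. If it does not, keep this rule as `neverallow { domain -init } sysfs_usermodehelper:file { append write };` and narrow the ueventd grant to `allow ueventd { sysfs_type -sysfs_usermodehelper }:file w_file_perms;`. Otherwise update the comment to name ueventd and explain why it is exempt.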
diff --git a/public/file.te b/public/file.te
index 20aea9d12b02ba91ec1d67ef5cb177de201d844f..dfc5bcd9f88451a7c7329fc32127c997ead3a6ff 100644
--- a/public/file.te
+++ b/public/file.te
@@ -9,7 +9,8 @@ type proc_security, fs_type;
 type proc_drop_caches, fs_type;
 type proc_overcommit_memory, fs_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type, sysfs_type;
+type usermodehelper, fs_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type proc_cpuinfo, fs_type;
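Review bot: The comment "proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers" now sits directly above `type usermodehelper, fs_type;`, which no longer carries `sysfs_type`, so it is misleading for that type. I would split it into one comment per type: `# proc or other non-sysfs nodes that permit configuration of kernel usermodehelpers.` above `usermodehelper`, and `# sysfs nodes that permit configuration of kernel usermodehelpers (e.g. /sys/kernel/uevent_helper).` above `sysfs_usermodehelper`. Saying why the sysfs variant is a separate type would also help later editors avoid merging them back.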
diff --git a/public/init.te b/public/init.te
index 1903cfd74a830e8d08b9bb59b2950e9d87599c1e..e6162a9391553560e570e016a2acbf00d84607d1 100644
--- a/public/init.te
+++ b/public/init.te
@@ -252,7 +252,7 @@ allow init kernel:system syslog_mod;
 allow init self:capability2 syslog;
 
 # Set usermodehelpers and /proc security settings.
-allow init usermodehelper:file rw_file_perms;
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
 
 # Write to /proc/sys/kernel/panic_on_oops.
diff --git a/public/ueventd.te b/public/ueventd.te
index da2695f148e02883355ef13b2eb1b9e210f58aef..212087e52f9e9b69b90bacedd22dff9d8f8e7bcf 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -8,15 +8,13 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
 
-r_dir_file(ueventd, sysfs_type)
 r_dir_file(ueventd, rootfs)
-allow ueventd sysfs:file w_file_perms;
-allow ueventd sysfs_usb:file w_file_perms;
-allow ueventd sysfs_hwrandom:file w_file_perms;
-allow ueventd sysfs_zram_uevent:file w_file_perms;
-allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
-allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
-allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
 allow ueventd tmpfs:chr_file rw_file_perms;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
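Review bot: The new comment on `allow ueventd sysfs_type:file w_file_perms;` does not say that the grant now covers every type carrying the `sysfs_type` attribute. The removed lines limited writes to `sysfs`, `sysfs_usb`, `sysfs_hwrandom`, `sysfs_zram_uevent` and `sysfs_devices_system_cpu`; the new rule also covers any sysfs type added later, including device-specific ones. The comment should record that this is deliberate and which nodes ueventd actually writes. Something like `# ueventd writes to the uevent attribute under /sys to regenerate uevents; the node can carry any sysfs label, so write is granted on the whole attribute. Sensitive sysfs types must be protected by neverallow or excluded here.` would do, with the wording checked against what ueventd really touches.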