diff --git a/private/vold.te b/private/vold.te
index a6d1001d1d48325e4fff25e4c15d888023ae297a..dea24a576fd4bf40d0c5a00409314d0af5013ccb 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -8,8 +8,8 @@ domain_auto_trans(vold, sdcardd_exec, sdcardd);
 
 # For a handful of probing tools, we choose an even more restrictive
 # domain when working with untrusted block devices
-domain_trans(vold, shell_exec, blkid);
-domain_trans(vold, shell_exec, blkid_untrusted);
+domain_trans(vold, blkid_exec, blkid);
+domain_trans(vold, blkid_exec, blkid_untrusted);
 domain_trans(vold, fsck_exec, fsck);
 domain_trans(vold, fsck_exec, fsck_untrusted);
 
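Review bot: The two new `domain_trans(vold, blkid_exec, ...)` lines only work if the blkid binary is actually labelled `blkid_exec`, and nothing in this diff declares that type or adds a file_contexts entry for it. That is presumably done elsewhere in the policy, but it is worth confirming, because the `shell_exec` rules are removed in the same commit and a missing label would likely make the transition into `blkid`/`blkid_untrusted` fail instead of falling back. Separately, both domains now share one entrypoint type and these are `domain_trans` rather than `domain_auto_trans` rules, so the target domain has to be chosen explicitly by the caller. The comment above the rules could say so, e.g. `# blkid and blkid_untrusted share blkid_exec; vold selects the domain via setexeccon before exec`, which appears to match the `setexec` permission kept in public/vold.te.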
diff --git a/public/vold.te b/public/vold.te
index 69947768be57f5200925c1545e3320a8e74a259b..0f5fb0fcb56f261d32f57a4e52e1ff8854d7335c 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -31,9 +31,6 @@ allow vold file_contexts_file:file r_file_perms;
 # Allow us to jump into execution domains of above tools
 allow vold self:process setexec;
 
-# For sgdisk launched through popen()
-allow vold shell_exec:file rx_file_perms;
-
 # For formatting adoptable storage devices
 allow vold e2fs_exec:file rx_file_perms;