diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 1b502a8c..938dbc92 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -106,6 +106,11 @@
 # Block devices for the drive that holds the xbl_a and xbl_b partitions.
 /dev/block/sd[bc]1? u:object_r:xbl_block_device:s0
+# Block device for hal_bootctl
+/dev/block/sde u:object_r:boot_block_device:s0
+/dev/block/sde13 u:object_r:boot_block_device:s0
+/dev/block/sde27 u:object_r:boot_block_device:s0
+
 # files in sysfs
 /sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0
 /sys/class/uio(/.*)? u:object_r:sysfs_uio:s0
diff --git a/sepolicy/hal_bootctl.te b/sepolicy/hal_bootctl.te
index 06653fd0..8d7fc878 100644
--- a/sepolicy/hal_bootctl.te
+++ b/sepolicy/hal_bootctl.te
@@ -8,7 +8,7 @@ allow hal_bootctl block_device:dir r_dir_perms;
 # Edit the attributes stored in the GPT.
 allow hal_bootctl gpt_block_device:blk_file rw_file_perms;
 allow hal_bootctl ab_block_device:blk_file getattr;
-allow hal_bootctl boot_block_device:blk_file getattr;
+allow hal_bootctl boot_block_device:blk_file rw_file_perms;
 allow hal_bootctl modem_block_device:blk_file getattr;
 allow hal_bootctl system_block_device:blk_file getattr;
diff --git a/sepolicy/update_engine_common.te b/sepolicy/update_engine_common.te
index a079659c..e4fab515 100644
--- a/sepolicy/update_engine_common.te
+++ b/sepolicy/update_engine_common.te
@@ -4,5 +4,5 @@ allow update_engine_common xbl_block_device:blk_file rw_file_perms;
 allow update_engine_common ab_block_device:blk_file rw_file_perms;
 allow update_engine_common modem_block_device:blk_file rw_file_perms;
-allow update_engine_common postinstall_mnt_dir:dir getattr;
+allow update_engine_common postinstall_mnt_dir:dir r_dir_perms;
 allow update_engine_common tmpfs:lnk_file r_file_perms;
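Review bot: The first added entry labels the whole-disk node `/dev/block/sde` as `boot_block_device`, so any domain allowed to write that type (hal_bootctl, after the hal_bootctl.te hunk of this commit) can reach every partition on that drive through the raw node, not only partitions 13 and 27. If the HAL opens the disk node only to edit GPT attributes, the `gpt_block_device` type that hal_bootctl.te already grants rw on looks like the narrower fit: `/dev/block/sde u:object_r:gpt_block_device:s0`, assuming that type is meant for such nodes in this tree. The literal `sde13` and `sde27` entries are tied to one partition layout; a comment naming the partitions they map to would let a reviewer confirm them.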
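Review bot: The new `rw_file_perms` line in hal_bootctl.te sits under the comment `# Edit the attributes stored in the GPT.`, but it grants read and write on every node labelled `boot_block_device`, which that comment does not explain. Add a line such as `# <operation> needs write access to the block nodes labelled boot_block_device in file_contexts.` with the actual operation filled in, so the grant can be audited later. If other nodes carry `boot_block_device` elsewhere in file_contexts (not visible in this diff), a dedicated type for the three new nodes would keep the write grant from extending to them.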
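Review bot: `r_dir_perms` on `postinstall_mnt_dir:dir` in update_engine_common.te also allows opening and listing the directory, which is wider than the previous `getattr`. If the denial that prompted this was only a path lookup, `allow update_engine_common postinstall_mnt_dir:dir { getattr search };` would be enough. A one-line comment recording which update_engine operation needs the directory read would make the widening reviewable.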