diff --git a/domain.te b/domain.te
index f940b383..86dabe37 100644
--- a/domain.te
+++ b/domain.te
@@ -295,7 +295,7 @@ neverallow { domain -recovery } rootfs:file { create write setattr relabelto app
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
-neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
+neverallow domain {fs_type -contextmount_type -sdcard_posix}:filesystem relabelto;
 # Ensure that context mount types are not writable, to ensure that
 # the write to /system restriction above is not bypassed via context=
diff --git a/file.te b/file.te
index 112406be..dcd0a377 100644
--- a/file.te
+++ b/file.te
@@ -31,6 +31,7 @@ type shm, fs_type;
 type mqueue, fs_type;
 type fuse, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
+type sdcard_posix, sdcard_type, fs_type, mlstrustedobject;
 typealias fuse alias sdcard_internal;
 typealias vfat alias sdcard_external;
 type debugfs, fs_type, mlstrustedobject;
diff --git a/vold.te b/vold.te
index 0247bfea..2f1e45c5 100644
--- a/vold.te
+++ b/vold.te
@@ -13,6 +13,7 @@ allow vold devpts:chr_file rw_file_perms;
 allow vold rootfs:dir mounton;
 allow vold sdcard_type:dir mounton;
 allow vold sdcard_type:filesystem { mount remount unmount };
+allow vold sdcard_posix:filesystem { relabelto relabelfrom };
 allow vold sdcard_type:dir create_dir_perms;
 allow vold sdcard_type:file create_file_perms;
 allow vold tmpfs:filesystem { mount unmount };
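Review bot: Subtracting sdcard_posix from the relabelto neverallow drops the compile-time assertion for every domain, while the vold.te hunk suggests only vold is meant to perform the context= mount. A narrower form keeps the guarantee without using contextmount_type (which the next neverallow makes unwritable and so does not fit a writable sdcard label): add `neverallow { domain -vold } sdcard_posix:filesystem relabelto;` after the changed line. The exemption also deserves a comment, e.g. `# sdcard_posix is context-mounted by vold and must stay writable, so it cannot carry contextmount_type`.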
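Review bot: The new sdcard_posix type carries no comment saying what it labels, unlike the neighbouring fuse and vfat lines, which at least get typealias names below. Since it inherits mlstrustedobject (exempting the object from MLS constraints) along with sdcard_type, a one-line comment recording that those attributes are intentionally copied from fuse/vfat and which mount this label serves would make later audits of the sdcard_type set easier, e.g. `# sdcard_posix: label for context-mounted external storage; attributes mirror fuse/vfat`. The exact filesystem it is meant for is not visible in this diff, so the wording should be confirmed against the vold change.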
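Review bot: `relabelfrom` on sdcard_posix is probably not the permission a context=sdcard_posix mount needs: as far as I recall, the mount-time check is relabelfrom against the superblock's existing label (vfat or fuse here) and relabelto against the requested one, so relabelfrom on sdcard_posix only matters if a filesystem already labelled sdcard_posix is remounted under another context. If that is not intended, narrowing the grant to `allow vold sdcard_posix:filesystem relabelto;` and making whatever relabelfrom rule the source label needs explicit keeps the rule to what the mount actually exercises. A short comment on the line naming the mount it serves would help, e.g. `# context=sdcard_posix mounts performed by vold`.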