diff --git a/sepolicy/private/mkfs.te b/sepolicy/private/mkfs.te
new file mode 100644
index 00000000..2c16520b
--- /dev/null
+++ b/sepolicy/private/mkfs.te
@@ -0,0 +1,9 @@
+type mkfs, coredomain, domain;
+type mkfs_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mkfs)
+
+# Allow formatting userdata or cache partitions
+allow mkfs block_device:dir search;
+allow mkfs userdata_block_device:blk_file rw_file_perms;
+allow mkfs cache_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/private/recovery.te b/sepolicy/private/recovery.te
new file mode 100644
index 00000000..2b6f7fa7
--- /dev/null
+++ b/sepolicy/private/recovery.te
@@ -0,0 +1,20 @@
+recovery_only(`
+userdebug_or_eng(`
+permissive recovery;
+')
+
+# Volume manager
+allow recovery block_device:dir create_dir_perms;
+allow recovery block_device:blk_file { create unlink rw_file_perms };
+allow recovery self:capability { mknod fsetid };
+allow recovery proc_filesystems:file r_file_perms;
+allow recovery self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow recovery sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
+allow recovery tmpfs:file link;
+allow recovery rootfs:dir w_dir_perms;
+allow recovery rootfs:file { create_file_perms link };
+allow recovery media_rw_data_file:dir r_dir_perms;
+
+# Read fbe encryption info
+r_dir_file(recovery, unencrypted_data_file)
+')