diff --git a/common/private/recovery.te b/common/private/recovery.te
index 007b8ba..83ce43f 100644
--- a/common/private/recovery.te
+++ b/common/private/recovery.te
@@ -6,9 +6,12 @@ permissive recovery;
 # Volume manager
 allow recovery block_device:dir create_dir_perms;
 allow recovery block_device:blk_file create_file_perms;
-allow recovery self:capability mknod;
+allow recovery self:capability { mknod fsetid };
 allow recovery proc_filesystems:file r_file_perms;
 allow recovery self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow recovery sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
 allow recovery tmpfs:file link;
+allow recovery rootfs:dir w_dir_perms;
+allow recovery rootfs:file { create_file_perms link };
+allow recovery media_rw_data_file:dir r_dir_perms;
 ')