diff --git a/aoc/sepolicy/file_contexts b/aoc/sepolicy/file_contexts
index 73293f7..778de0c 100644
--- a/aoc/sepolicy/file_contexts
+++ b/aoc/sepolicy/file_contexts
@@ -34,6 +34,9 @@
 /dev/acd-chre_bt_offload_ctl u:object_r:aoc_device:s0
 /dev/acd-chre_bt_offload_data_tx u:object_r:aoc_device:s0
 /dev/acd-chre_bt_offload_data_rx u:object_r:aoc_device:s0
+/dev/acd-chre_ctl u:object_r:aoc_device:s0
+/dev/acd-chre_data_tx u:object_r:aoc_device:s0
+/dev/acd-chre_data_rx u:object_r:aoc_device:s0
 
 # AoC vendor binaries
 /vendor/bin/aocd u:object_r:aocd_exec:s0
diff --git a/gear/dumpstate/sepolicy/hal_dumpstate_default.te b/gear/dumpstate/sepolicy/hal_dumpstate_default.te
index 06ebb75..e0f0b09 100644
--- a/gear/dumpstate/sepolicy/hal_dumpstate_default.te
+++ b/gear/dumpstate/sepolicy/hal_dumpstate_default.te
@@ -5,3 +5,8 @@
 allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
 allow hal_dumpstate_default shell_data_file:file getattr;
 set_prop(hal_dumpstate_default, vendor_logger_prop)
+# All dumps that are executed via hal_dumpstate_default should use their
+# own domain to request their permissions to achieve compartmentalization.
+# go/pixel-bugreport has examples on how to do that.
+neverallow hal_dumpstate_default { vendor_file_type -vendor_toolbox_exec }:file execute_no_trans;
+
diff --git a/storage/init.storage.rc b/storage/init.storage.rc
index 9e4acd4..77057cd 100644
--- a/storage/init.storage.rc
+++ b/storage/init.storage.rc
@@ -1,11 +1,3 @@
-on init
- # Make foreground and background I/O priority different. none-to-rt was
- # introduced in kernel 5.14. promote-to-rt was introduced in kernel 6.5.
- # Write none-to-rt first and promote-to-rt next to support both older and
- # newer kernel versions.
- write /dev/blkio/blkio.prio.class none-to-rt
- write /dev/blkio/blkio.prio.class promote-to-rt
-
 on property:ro.build.type=userdebug
 write /dev/sys/block/bootdevice/pixel/enable_pixel_ufs_logging 1
 chown system /dev/sg3
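Review bot: The three new /dev/acd-chre_* nodes reuse the aoc_device label of the existing bt_offload nodes, so every domain that is already allowed to open aoc_device character devices gains access to the new CHRE control and data channels as well, with no per-channel distinction. If the CHRE path is meant for a narrower client set than the Bluetooth offload path, a dedicated device type declared next to aoc_device would keep the two separable; if the same clients are intended, a short comment above the group, e.g. `# CHRE channels; same clients as the bt_offload nodes above`, would make the shared label deliberate rather than incidental. This is inferred from the label reuse alone, since the allow rules for aoc_device are not part of this diff.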
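Review bot: The comment on the new neverallow in hal_dumpstate_default.te sends readers to go/pixel-bugreport, an internal short link that cannot be followed from a public policy tree, so the rule's intent should be stated in the file itself; something like `# Dump helpers must run in their own domain via a domain transition; only vendor_toolbox_exec may be executed in this domain without one.` keeps the rationale with the rule. The rule is scoped to the hal_dumpstate_default domain only, so a device that ships its dumpstate HAL under another domain name would not be covered; if the restriction is meant to hold fleet-wide, scoping it to the hal_dumpstate_server attribute is worth considering, though which domains exist is not visible from this hunk. The hunk also adds a trailing blank line at end of file (the final `+` with no content), which is noise a later edit will have to remove.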
@@ -44,6 +36,13 @@ on init
 write /dev/sys/block/bootdevice/clkgate_enable 0
 on property:sys.boot_completed=1
+ # Make foreground and background I/O priority different. none-to-rt was
+ # introduced in kernel 5.14. promote-to-rt was introduced in kernel 6.5.
+ # Write none-to-rt first and promote-to-rt next to support both older and
+ # newer kernel versions.
+ write /dev/blkio/blkio.prio.class none-to-rt
+ write /dev/blkio/blkio.prio.class promote-to-rt
+
 # Health Storage HAL
 chown system system /dev/sys/block/bootdevice/manual_gc