diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index 2db46512..2ffeb27f 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -2,3 +2,7 @@ allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
 allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
 allow hal_bootctl_default sysfs_ota:file rw_file_perms;
 allow hal_bootctl_default tee_device:chr_file rw_file_perms;
+
+recovery_only(`
+  allow hal_bootctl_default rootfs:dir r_dir_perms;
+')