diff --git a/legacy/whitechapel_pro/e2fs.te b/legacy/whitechapel_pro/e2fs.te
deleted file mode 100644
index 3e72adfb..00000000
--- a/legacy/whitechapel_pro/e2fs.te
+++ /dev/null
@@ -1,8 +0,0 @@
-allow e2fs persist_block_device:blk_file rw_file_perms;
-allow e2fs efs_block_device:blk_file rw_file_perms;
-allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
-allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
- BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
-};
-allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
-allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/legacy/whitechapel_pro/fastbootd.te b/legacy/whitechapel_pro/fastbootd.te
deleted file mode 100644
index 5945ef24..00000000
--- a/legacy/whitechapel_pro/fastbootd.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# Required by the bootcontrol HAL for the 'set_active' command.
-recovery_only(`
-allow fastbootd devinfo_block_device:blk_file rw_file_perms;
-allow fastbootd sda_block_device:blk_file rw_file_perms;
-allow fastbootd sysfs_ota:file rw_file_perms;
-allow fastbootd citadel_device:chr_file rw_file_perms;
-allow fastbootd st54spi_device:chr_file rw_file_perms;
-')
diff --git a/legacy/whitechapel_pro/init.te b/legacy/whitechapel_pro/init.te
index 55441c21..d987ac64 100644
--- a/legacy/whitechapel_pro/init.te
+++ b/legacy/whitechapel_pro/init.te
@@ -1,14 +1,3 @@
-allow init mnt_vendor_file:dir mounton;
-allow init custom_ab_block_device:lnk_file relabelto;
-
-# This is needed for chaining a boot partition vbmeta
-# descriptor, where init will probe the boot partition
-# to read the chained vbmeta in the first-stage, then
-# relabel /dev/block/by-name/boot_[a|b] to block_device
-# after loading sepolicy in the second stage.
-allow init boot_block_device:lnk_file relabelto;
-
-allow init persist_file:dir mounton;
 allow init ram_device:blk_file w_file_perms;
 allow init sysfs_scsi_devices_0000:file w_file_perms;
 
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index 3fd6637b..1be126be 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -1,4 +1,5 @@
 userdebug_or_eng(`
 permissive pixelstats_vendor;
 permissive logger_app;
+ permissive fastbootd;
 ')
diff --git a/vendor/init.te b/vendor/init.te
new file mode 100644
index 00000000..94230f4a
--- /dev/null
+++ b/vendor/init.te
@@ -0,0 +1,12 @@
+allow init mnt_vendor_file:dir mounton;
+allow init custom_ab_block_device:lnk_file relabelto;
+
+# This is needed for chaining a boot partition vbmeta
+# descriptor, where init will probe the boot partition
+# to read the chained vbmeta in the first-stage, then
+# relabel /dev/block/by-name/boot_[a|b] to block_device
+# after loading sepolicy in the second stage.
+allow init boot_block_device:lnk_file relabelto;
+
+allow init persist_file:dir mounton;
+
diff --git a/legacy/whitechapel_pro/update_engine.te b/vendor/update_engine.te
similarity index 70%
rename from legacy/whitechapel_pro/update_engine.te
rename to vendor/update_engine.te
index a403d9e4..b4f3cf8c 100644
--- a/legacy/whitechapel_pro/update_engine.te
+++ b/vendor/update_engine.te
@@ -1,3 +1,2 @@
 allow update_engine custom_ab_block_device:blk_file rw_file_perms;
 allow update_engine modem_block_device:blk_file rw_file_perms;
-allow update_engine proc_bootconfig:file r_file_perms;
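Review bot: The added `permissive fastbootd;` in tracking_denials/permissive.te sits inside `userdebug_or_eng(...)`, so it relaxes enforcement only on debug builds, while this same diff deletes legacy/whitechapel_pro/fastbootd.te and with it every `recovery_only` allow for fastbootd (devinfo_block_device, sda_block_device, sysfs_ota, citadel_device, st54spi_device). Unless equivalent rules are added somewhere outside this diff, fastbootd on user builds stays enforcing without the access that the deleted comment says the bootcontrol HAL needs for 'set_active'. On userdebug/eng the accesses will be logged but still allowed, so the gap would not show up as a functional failure there. A whole-domain permissive on a component that writes boot-control block devices and talks to the secure-element nodes is also broader than the five rules it replaces. I would either carry the rules over as `vendor/fastbootd.te` or mark the line as temporary with a tracked owner, e.g. `# TODO(b/<BUG_ID placeholder>): drop once fastbootd rules are restored under vendor/`.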