diff --git a/private/gsid.te b/private/gsid.te
index fb4052809..e6a395a4a 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -166,8 +166,6 @@ neverallow {
 -init
 -gsid
 -fastbootd
- -recovery
- -vold
 } gsi_metadata_file_type:dir no_w_dir_perms;
 neverallow {
@@ -175,7 +173,6 @@ neverallow {
 -init
 -gsid
 -fastbootd
- -vold
 } { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
 neverallow {
@@ -183,7 +180,6 @@ neverallow {
 -init
 -gsid
 -fastbootd
- -vold
 } gsi_public_metadata_file:file_class_set ~{ r_file_perms };
 # Prevent apps from accessing gsi_metadata_file_type.
@@ -193,15 +189,7 @@ neverallow {
 domain
 -init
 -gsid
-} gsi_data_file:dir *;
-
-neverallow {
- domain
- -init
- -gsid
- -fastbootd
- -vold
-} gsi_data_file:file_class_set *;
+} gsi_data_file:dir_file_class_set *;
 neverallow {
 domain
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index a264be7e7..9f5f87ebd 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -16,12 +16,7 @@ allow lpdumpd super_block_device_type:blk_file r_file_perms;
 # Allow lpdumpd to read fstab.
 allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
 allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
-
-# Triggered when lpdumpd tries to read default fstab.
-dontaudit lpdumpd metadata_file:dir r_dir_perms;
-dontaudit lpdumpd metadata_file:file r_file_perms;
-dontaudit lpdumpd gsi_metadata_file_type:dir r_dir_perms;
-dontaudit lpdumpd gsi_metadata_file_type:file r_file_perms;
+read_fstab(lpdumpd)
 ### Neverallow rules
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 79f3b4c78..0f549c9bf 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -38,6 +38,5 @@ allow uncrypt proc_cmdline:file r_file_perms;
 # Read files in /sys
 r_dir_file(uncrypt, sysfs_dt_firmware_android)
-# Suppress the denials coming from ReadDefaultFstab call.
-dontaudit uncrypt gsi_metadata_file_type:dir search;
-dontaudit uncrypt metadata_file:dir search;
+# Allow ReadDefaultFstab().
+read_fstab(uncrypt)
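Review bot: The tightened exception lists in the three gsi_metadata_file_type neverallows (now only init, gsid and fastbootd) are sound only if the `read_fstab()` macro that replaces vold's explicit rules elsewhere in this change grants no more than search on gsi_metadata_file_type directories and read on gsi_public_metadata_file; the macro body is not in the visible hunks, so that contract belongs next to the rule, e.g. `# Domains that call read_fstab() may only read gsi_public_metadata_file; they need no exception here.` The fourth hunk also folds the two gsi_data_file neverallows into one `dir_file_class_set` rule and in doing so drops the `-fastbootd` and `-vold` exceptions for file access, which is stricter than before and should be named in the commit description so that any remaining fastbootd or vold use of gsi_data_file is understood to be removed on purpose rather than by accident of the merge. Each neverallow block opens before its hunk's first visible line, so only the exception lists and the target clause are in view here.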
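Review bot: The removed dontaudit rules covered `metadata_file:file r_file_perms` and `gsi_metadata_file_type:file r_file_perms`, i.e. file reads across /metadata and every gsi metadata type, while the `read_fstab(lpdumpd)` line replacing them is a macro whose grants are not in this diff; if it is narrower (directory search plus the public GSI file) the leftover attempts become audited denials again, and if it is as broad it turns a silent deny into a real allow for a dump tool. Either way this hunk, together with the uncrypt, vold and hal_bootctl_default hunks, moves those domains from "deny and suppress" to "allow", which is the security-relevant effect of the commit and should be the opening sentence of its description. A comment above the macro call, `# Grants only what ReadDefaultFstab() needs; do not re-add metadata_file:file reads.`, would keep the broader rules from creeping back.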
diff --git a/public/update_engine.te b/public/update_engine.te
index 962ca9927..ab7090bbc 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -64,12 +64,11 @@ allow update_engine proc_misc:file r_file_perms;
 # read directories on /system and /vendor
 allow update_engine system_file:dir r_dir_perms;
+# Allow ReadDefaultFstab().
 # update_engine tries to determine the parent path for all devices (e.g.
 # /dev/block/by-name) by reading the default fstab and looking for the misc
-# device. ReadDefaultFstab() checks whether a GSI is running by checking
-# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
-# the access.
-dontaudit update_engine gsi_metadata_file_type:dir search;
+# device.
+read_fstab(update_engine)
 # Allow to write to snapshotctl_log logs.
 # TODO(b/148818798) revert when parent bug is fixed.
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 7025652bd..3bc3a9f67 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -8,8 +8,9 @@ allow vendor_misc_writer block_device:dir r_dir_perms;
 # Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
 # load DT fstab.
-dontaudit vendor_misc_writer gsi_metadata_file_type:dir search;
 dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
-dontaudit vendor_misc_writer metadata_file:dir search;
 dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
 dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(vendor_misc_writer)
diff --git a/public/vold.te b/public/vold.te
index d1731cc4b..5a14c44d6 100644
--- a/public/vold.te
+++ b/public/vold.te
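Review bot: The deleted comment recorded a deliberate decision — OTAs are never applied while a GSI is running, so the gsi_metadata_file_type search was intentionally denied — and the replacement `# Allow ReadDefaultFstab().` gives no reason why update_engine now needs to learn the GSI state. If the motivation is that ReadDefaultFstab() must succeed to resolve the misc device's parent path, the comment should say so where the old reasoning stood and state where the no-OTA-on-GSI rule is enforced now that policy no longer blocks the read; as written, a reader sees a dontaudit replaced by an allow with its stated justification removed. Keeping the three surviving comment lines but ending them with a sentence such as `# The GSI state is needed for a usable fstab; OTA-on-GSI is rejected by update_engine itself.` (adjusted to what actually holds) would close that gap.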
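Review bot: After this hunk the domain both allows ReadDefaultFstab() via `read_fstab(vendor_misc_writer)` and keeps the dontaudit lines for proc_cmdline, sysfs_dt_firmware_android and proc_bootconfig under the comment `# Silence the denial when calling libfstab's ReadDefaultFstab`, so the same call is half-allowed and half-suppressed. If read_fstab() already grants those reads (its body is not in the diff) the remaining dontaudit lines are dead and should go; if it does not, the DT-fstab part of ReadDefaultFstab() still fails silently and the new `# Allow ReadDefaultFstab().` overstates what is permitted. Either reconcile the two groups or reword the comments to say which part of the call is allowed and which is deliberately suppressed.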
@@ -293,9 +293,8 @@ allow vold mnt_vendor_file:dir search;
 dontaudit vold self:global_capability_class_set sys_resource;
-# vold needs to know whether we're running a GSI.
-allow vold gsi_metadata_file_type:dir r_dir_perms;
-allow vold gsi_metadata_file_type:file r_file_perms;
+# Allow ReadDefaultFstab().
+read_fstab(vold)
 # vold might need to search loopback apex files
 allow vold vendor_apex_file:file r_file_perms;
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index ac30370c3..2b9431307 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -9,10 +9,7 @@ init_daemon_domain(hal_bootctl_default)
 allow hal_bootctl_default proc_cmdline:file r_file_perms;
 allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
 allow hal_bootctl_default sysfs_dt_firmware_android:file r_file_perms;
-
-# ReadDefaultFstab looks for /metadata/gsi/booted. We don't care about getting
-# a GSI-corrected fstab.
-dontaudit hal_bootctl_default metadata_file:dir search;
+read_fstab(hal_bootctl_default)
 # Needed for reading/writing misc partition.
 allow hal_bootctl_default block_device:dir search;
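Review bot: The removed rules gave vold `r_dir_perms` and `r_file_perms` on all of gsi_metadata_file_type, and the gsid.te hunks in this same change drop `-vold` from the neverallows guarding those types, so vold now keeps only what `read_fstab(vold)` grants — presumably read of the public GSI metadata file, since anything broader would trip the tightened neverallow. That is a genuine reduction of vold's access, and the lost comment `# vold needs to know whether we're running a GSI.` was the only record of why vold needed it; keep the why next to the macro call, e.g. `# Allow ReadDefaultFstab(); vold only needs the public GSI state, not the rest of /metadata/gsi.`. If vold reads any other file under /metadata/gsi at runtime this will show up as new denials on a GSI boot rather than at policy build time, so that path is worth checking before merge.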
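Review bot: This is the only file in the change where `read_fstab(...)` is added without the `# Allow ReadDefaultFstab().` comment the other hunks use, and the removed comment's useful fact — that ReadDefaultFstab looks for /metadata/gsi/booted — is lost with it. Add `# Allow ReadDefaultFstab(), which looks for /metadata/gsi/booted.` above `read_fstab(hal_bootctl_default)` so the vendor-side policy documents the same contract as the public ones. Since hal_bootctl_default.te lives under vendor/, it is also worth confirming that read_fstab() is meant to be used from vendor domains and not only from platform ones.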