diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index a6a445102..f995232d5 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -41,7 +41,6 @@
     hal_wifi_supplicant_service
     locale_service
     mdns_service
-    mtectrl
     nearby_service
     proc_watermark_boost_factor
     proc_watermark_scale_factor
diff --git a/private/domain.te b/private/domain.te
index b1933308a..988bd56a0 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -112,6 +112,26 @@ allow domain linkerconfig_file:file r_file_perms;
 # Allow all processes to check for the existence of the boringssl_self_test_marker files.
 allow domain boringssl_self_test_marker:dir search;
 
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+  domain
+  userdebug_or_eng(`-domain') # exclude debuggable builds
+  -fastbootd
+  -hal_bootctl_server
+  -init
+  -uncrypt
+  -update_engine
+  -vendor_init
+  -vendor_misc_writer
+  -vold
+  -recovery
+  -ueventd
+  -mtectrl
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these allowlisted domains.
 neverallow {
diff --git a/private/mtectrl.te b/private/mtectrl.te
index a89edda03..436dcae55 100644
--- a/private/mtectrl.te
+++ b/private/mtectrl.te
@@ -1,4 +1,5 @@
 # mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
+type mtectrl, domain, coredomain;
 type mtectrl_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(mtectrl)
diff --git a/public/domain.te b/public/domain.te
index fbef9fda5..50503cdc3 100644
--- a/public/domain.te
+++ b/public/domain.te
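Review bot: The relocated misc_block_device neverallow in private/domain.te carries no comment saying why it left public policy, so a reader sees an exclusion list mixing vendor domains (vendor_init, vendor_misc_writer, hal_bootctl_server) with the now platform-private mtectrl and has to guess whether the rule still binds vendor policy. It appears the move is forced because public policy cannot reference a type that is declared only in private policy, and neverallow rules in private policy are still checked against the fully assembled platform+vendor policy at build time, but neither point is stated anywhere in the hunk. Adding `# Kept in private policy: the exclusion list names mtectrl, a platform-private type.` directly above `neverallow {` would record the reason. The `userdebug_or_eng(`-domain')` line is carried over unchanged, so debuggable builds still get no build-time check on misc_block_device access; the existing comment already covers that.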
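Review bot: The new `type mtectrl, domain, coredomain;` declaration in private/mtectrl.te turns the domain platform-private without a comment, and the matching removal of `mtectrl` from private/compat/32.0/32.0.ignore.cil in the same commit is likewise unexplained. It looks like the type no longer needs a compat ignore entry because it is no longer part of the vendor-visible public policy, but that is only recoverable by reading both hunks together. Extending the header comment with `# mtectrl is private to the platform: vendor policy cannot reference it, so it needs no compat ignore entry.` would keep the rationale next to the declaration. The rest of mtectrl.te continues past the end of the hunk.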
@@ -611,26 +611,6 @@ neverallow {
   -update_engine
 } system_block_device:blk_file { write append };
 
-# No domains other than a select few can access the misc_block_device. This
-# block device is reserved for OTA use.
-# Do not assert this rule on userdebug/eng builds, due to some devices using
-# this partition for testing purposes.
-neverallow {
-  domain
-  userdebug_or_eng(`-domain') # exclude debuggable builds
-  -fastbootd
-  -hal_bootctl_server
-  -init
-  -uncrypt
-  -update_engine
-  -vendor_init
-  -vendor_misc_writer
-  -vold
-  -recovery
-  -ueventd
-  -mtectrl
-} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-
 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
 # The service managers are only allowed to access their own device node
diff --git a/public/mtectrl.te b/public/mtectrl.te
deleted file mode 100644
index 2fb8a960c..000000000
--- a/public/mtectrl.te
+++ /dev/null
@@ -1 +0,0 @@
-type mtectrl, domain, coredomain;