diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 7c735f2da46fd810f1b2c98a320a31d5cc5eb604..69602c3a1558b0731ef743efff902660e4cbda19 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -256,7 +256,7 @@ auditallow {
   -surfaceflinger
   -system_server
   -zygote
-} cgroup:dir r_dir_perms;
+} cgroup:dir { open getattr read ioctl lock }; # search granted to domain
 auditallow {
   domain_deprecated
   -appdomain
@@ -270,7 +270,21 @@ auditallow {
   -surfaceflinger
   -system_server
   -zygote
-} cgroup:{ file lnk_file } r_file_perms;
+} cgroup:file { getattr read ioctl }; # open and lock granted to domain
+auditallow {
+  domain_deprecated
+  -appdomain
+  -dumpstate
+  -fingerprintd
+  -healthd
+  -inputflinger
+  -installd
+  -keystore
+  -netd
+  -surfaceflinger
+  -system_server
+  -zygote
+} cgroup:lnk_file r_file_perms;
 auditallow {
   domain_deprecated
   -appdomain