diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 78e7b74f1cdc3b9f47409b83c68f2d81e58bc542..a587b4df5e80438f5be55c40db9ab2395980e870 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -476,7 +476,8 @@
     proc_uid_concurrent_policy_time
     proc_uptime
     proc_version
-    proc_vmallocinfo))
+    proc_vmallocinfo
+    proc_vmstat))
 (typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
 (typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
 (typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
diff --git a/private/domain.te b/private/domain.te
index 6fef2797536d7f00ac58cb33162bd35bc01240ea..f66185d75553a3981da759550c0d2bf14ffeb620 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,9 +25,7 @@ full_treble_only(`
   neverallow {
     coredomain
     -dumpstate
-    -platform_app
     -priv_app
-    -system_app
     -vold
     -vendor_init
   } proc:file no_rw_file_perms;
@@ -38,7 +36,6 @@ full_treble_only(`
     -dumpstate
     -init
     -priv_app
-    -system_app
     -ueventd
     -vold
     -vendor_init
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6be0ff32b7a016d168982943c3d5eb188047d023..1fddb6eb56b459f1df43b1f23ee1cb408859857f 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -79,6 +79,7 @@ genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_
 genfscon proc /uptime u:object_r:proc_uptime:s0
 genfscon proc /version u:object_r:proc_version:s0
 genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
+genfscon proc /vmstat u:object_r:proc_vmstat:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
 # selinuxfs booleans can be individually labeled.
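Review bot: The added `genfscon proc /vmstat u:object_r:proc_vmstat:s0` line takes /proc/vmstat out of the generic `proc` type, so any current-platform domain that read it through a `proc:file` rule loses that access unless it is granted `proc_vmstat` explicitly. In this diff only platform_app gets such a grant, and the 26.0 compat mapping covers older vendor policy. Domains that keep generic proc access (dumpstate, priv_app, vold and vendor_init are still exempted in domain.te) may be affected, so check the audit log for `proc_vmstat` denials and add `allow <domain> proc_vmstat:file r_file_perms;` for each confirmed reader. If the tree carries other versioned compat mappings besides 26.0 (none are visible here), they presumably need the same `proc_vmstat` entry.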
diff --git a/private/platform_app.te b/private/platform_app.te
index 2596a8e1686685dbed3e95b7179ea175ac932c13..67a9c33177bc3fe3ccc999659ade20d2ed5e0e3a 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -41,7 +41,9 @@ allow platform_app vfat:file create_file_perms;
 allow platform_app rootfs:dir getattr;
 
 # com.android.captiveportallogin reads /proc/vmstat
-allow platform_app proc:file r_file_perms;
+allow platform_app {
+  proc_vmstat
+}:file r_file_perms;
 
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;
diff --git a/private/system_app.te b/private/system_app.te
index c61bdd92af9a4138c19ca45ca330197a4d4cd3ee..cd697a1703c5cfe61f8e2f54033ba9bdd78c94e4 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -102,12 +102,8 @@ allow system_app keystore:keystore_key {
     user_changed
 };
 
-# /sys access
-r_dir_file(system_app, sysfs_type)
-
-# settings app reads /proc/version and /proc/pagetypeinfo
+# settings app reads /proc/version
 allow system_app {
-  proc
   proc_version
 }:file r_file_perms;
 
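Review bot: The old comment recorded that the settings app reads /proc/pagetypeinfo, and this hunk drops both that mention and the generic `proc` type from the allow set without adding a replacement. If pagetypeinfo is still labelled `proc` (its label is not visible in this diff) and Settings still opens it, the read will now be denied. Either grant a dedicated type for it or record the intent in the comment, e.g. `# settings app reads /proc/version; /proc/pagetypeinfo access intentionally removed`. The removed `r_dir_file(system_app, sysfs_type)` raises the same question, because no narrower sysfs rule for system_app appears in this diff.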
diff --git a/public/file.te b/public/file.te
index 56b6c2fe5f780d59a00940d70eab5afdfbc062a1..d6687460c21b41a1d293b0968896a0d0db8c6994 100644
--- a/public/file.te
+++ b/public/file.te
@@ -57,6 +57,7 @@ type proc_uid_concurrent_policy_time, fs_type;
 type proc_uptime, fs_type;
 type proc_version, fs_type;
 type proc_vmallocinfo, fs_type;
+type proc_vmstat, fs_type;
 type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;