diff --git a/app.te b/app.te
index f6b730c3f7f2343e2c72ecf76e7e2c22c2329129..83bb78c4a34323cb432607f3118498cef9349ed9 100644
--- a/app.te
+++ b/app.te
@@ -126,6 +126,7 @@ allow appdomain dalvikcache_profiles_data_file:file write;
 # For legacy unlabeled userdata on existing devices.
 # See discussion of Unlabeled files in domain.te for more information.
 allow appdomain unlabeled:file x_file_perms;
+auditallow appdomain unlabeled:file x_file_perms;
 
 ###
 ### CTS-specific rules
diff --git a/domain.te b/domain.te
index 57a5b504a477bd0388fdc7f8ca4b5a44e901e344..f61fd16340e75703c56cfb4b9d4659eabff05b74 100644
--- a/domain.te
+++ b/domain.te
@@ -154,6 +154,9 @@ allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 #
 allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
+auditallow { domain -init } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+auditallow { domain -init -kernel } unlabeled:dir { create_dir_perms relabelfrom };
+auditallow kernel unlabeled:dir ~search;
 neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 
 ###