diff --git a/app.te b/app.te
index f6b730c3f7f2343e2c72ecf76e7e2c22c2329129..83bb78c4a34323cb432607f3118498cef9349ed9 100644
--- a/app.te
+++ b/app.te
@@ -126,6 +126,7 @@ allow appdomain dalvikcache_profiles_data_file:file write;
 # For legacy unlabeled userdata on existing devices.
 # See discussion of Unlabeled files in domain.te for more information.
 allow appdomain unlabeled:file x_file_perms;
+auditallow appdomain unlabeled:file x_file_perms;
 
 ###
 ### CTS-specific rules
diff --git a/domain.te b/domain.te
index a3919865d46bd65169687188dfcd682a83659f8e..1adf35e0c31ced74491ed182949de109e66aa490 100644
--- a/domain.te
+++ b/domain.te
@@ -158,6 +158,9 @@ allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 #
 allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
+auditallow { domain -init } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+auditallow { domain -init -kernel } unlabeled:dir { create_dir_perms relabelfrom };
+auditallow kernel unlabeled:dir ~search;
 neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 
 ###