diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 046394e0d5ea54e81c52ca7a9e21849241f82565..fc77b11a163355f527ddb5f71740442a338c6787 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -1,24 +1,5 @@
 # rules removed from the domain attribute
 
-# Read files already opened under /data.
-allow domain_deprecated system_data_file:file { getattr read };
-allow domain_deprecated system_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -sdcardd
-  -system_server
-  -tee
-} system_data_file:file { getattr read };
-auditallow {
-  domain_deprecated
-  -appdomain
-  -system_server
-  -tee
-} system_data_file:lnk_file r_file_perms;
-')
-
 # Read apk files under /data/app.
 allow domain_deprecated apk_data_file:dir { getattr search };
 allow domain_deprecated apk_data_file:file r_file_perms;
diff --git a/public/installd.te b/public/installd.te
index 939a4810ac088dd3c76e1db1859f021cb99b8410..1ef12254a99d647ab2e23f37cd8ff6018aeca57c 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -45,7 +45,7 @@ allow installd asec_image_file:file getattr;
 # and lib symlinks before the setfilecon call.  May want to
 # move symlink creation after setfilecon in installd.
 allow installd system_data_file:dir create_dir_perms;
-allow installd system_data_file:lnk_file { create setattr unlink };
+allow installd system_data_file:lnk_file { create getattr setattr unlink };
 
 # Upgrade /data/media for multi-user if necessary.
 allow installd media_rw_data_file:dir create_dir_perms;
diff --git a/public/runas.te b/public/runas.te
index 12c418100bc4659259f3ae8f5ac75a1f5270c4da..b8092ae6f613506fa9679d9772b59ab3048c110e 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -12,6 +12,7 @@ allow runas shell_data_file:file { read write };
 
 # run-as reads package information.
 allow runas system_data_file:file r_file_perms;
+allow runas system_data_file:lnk_file getattr;
 
 # run-as checks and changes to the app data dir.
 dontaudit runas self:capability dac_override;
diff --git a/public/vold.te b/public/vold.te
index 81ee28c479dbb49039cbd22d58bc2289898ebe52..bb2b3d7899d94655df2447c0b7d99564298073b4 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -104,6 +104,10 @@ allow vold efs_file:file rw_file_perms;
 
 # Create and mount on /data/tmp_mnt and management of expansion mounts
 allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
+allow vold system_data_file:lnk_file getattr;
+
+# for secdiscard
+allow vold system_data_file:file read;
 
 # Set scheduling policy of kernel processes
 allow vold kernel:process setsched;