diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 43f11357b02fc0bddf698c8309c444ea4c87921f..815141a19a8ca41ef6f4880f3799df5ace84dd4c 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -253,7 +253,7 @@ auditallow {
   -surfaceflinger
   -system_server
   -zygote
-} cgroup:dir r_dir_perms;
+} cgroup:dir { open getattr read ioctl lock }; # search granted to domain
 auditallow {
   domain_deprecated
   -appdomain
@@ -267,7 +267,21 @@ auditallow {
   -surfaceflinger
   -system_server
   -zygote
-} cgroup:{ file lnk_file } r_file_perms;
+} cgroup:file { getattr read ioctl }; # open and lock granted to domain
+auditallow {
+  domain_deprecated
+  -appdomain
+  -dumpstate
+  -fingerprintd
+  -healthd
+  -inputflinger
+  -installd
+  -keystore
+  -netd
+  -surfaceflinger
+  -system_server
+  -zygote
+} cgroup:lnk_file r_file_perms;
 auditallow {
   domain_deprecated
   -appdomain