diff --git a/file_contexts b/file_contexts
index f6dcd26ef395e117307bb92089706cd275414d7d..80cf54547a6ab1c72bf5177d1af4196f1b897f0c 100644
--- a/file_contexts
+++ b/file_contexts
@@ -201,6 +201,7 @@
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
 /system/bin/idmap u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
+/system/bin/bspatch              u:object_r:update_engine_exec:s0
 
 #############################
 # Vendor files
diff --git a/update_engine.te b/update_engine.te
index 839d6b7110736dfb3fce6e3e9df00644a02087b7..ea7fcaff809a87996f0fc7c1ce54d0965fbf7655 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -10,6 +10,7 @@ net_domain(update_engine);
 allow update_engine self:process { setsched };
 allow update_engine self:capability { fowner sys_admin };
 allow update_engine kmsg_device:chr_file w_file_perms;
+allow update_engine update_engine_exec:file rx_file_perms;
 wakelock_use(update_engine);
 
 # Allow using persistent storage in /data/misc/update_engine.