diff --git a/installd.te b/installd.te
index f8d30b779486e13c9a120a5cd4b30f714400072b..db7653136c0de9ae0f8e74862b65126ea1050109 100644
--- a/installd.te
+++ b/installd.te
@@ -17,6 +17,7 @@ allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
 allow installd download_file:dir { r_dir_perms };
+allow installd download_file:file { r_file_perms };
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
diff --git a/netd.te b/netd.te
index f98be3d3c15405230c7226f874ecad190a5a2f95..0cd087246a80138405a9c047a2bba3983d11d08f 100644
--- a/netd.te
+++ b/netd.te
@@ -3,7 +3,7 @@ type netd, domain;
 type netd_exec, exec_type, file_type;
 
 init_daemon_domain(netd)
-allow netd self:capability { net_admin net_raw kill };
+allow netd self:capability { net_admin net_raw kill fsetid };
 allow netd self:netlink_kobject_uevent_socket *;
 allow netd self:netlink_route_socket *;
 allow netd self:netlink_nflog_socket *;