diff --git a/zygote.te b/zygote.te
index 6fb17251a0b32cca3d45b90dcf3050c142fe7f10..9a5bc4b67bf55042372b4124d425abb0cacffc5b 100644
--- a/zygote.te
+++ b/zygote.te
@@ -11,6 +11,9 @@ allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.
 allow zygote system:process dyntransition;
 allow zygote appdomain:process dyntransition;
+# Allow zygote to read app data dirs (b/10455872)
+allow zygote appdomain:dir search;
+allow zygote appdomain:file { r_file_perms };
 # Move children into the peer process group.
 allow zygote system:process { getpgid setpgid };
 allow zygote appdomain:process { getpgid setpgid };