diff --git a/app.te b/app.te
index 9f68327addabe753b024ae5b278894d89bc14487..8bc138d6302b499715a83a41d9d582ef2f28e1b2 100644
--- a/app.te
+++ b/app.te
@@ -212,6 +212,9 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
 
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
 
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write };
+
 ###
 ### CTS-specific rules
 ###
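Review bot: The new `app_fuse_file:file` rule is granted to all of `appdomain`, which includes `isolated_app`, while the rule directly above it carves `isolated_app` out for `ion_device`. Because `open` is not in the permission set, access is limited to descriptors a process has been handed, but the comment `# For app fuse.` does not say this is deliberate. If sandboxed processes are not expected to receive these descriptors (not determinable from this hunk), narrow the source to `{ appdomain -isolated_app }`. Otherwise expand the comment to something like `# AppFuse files are reached only through passed file descriptors; open is intentionally not granted.`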
diff --git a/file.te b/file.te
index 88d997c9feb46dac8e0c75e6ed3f3025d439c46b..685cfe0845c28a828c8ffe5c461496f506238e7c 100644
--- a/file.te
+++ b/file.te
@@ -50,6 +50,7 @@ type functionfs, fs_type;
 type oemfs, fs_type, contextmount_type;
 type usbfs, fs_type;
 type binfmt_miscfs, fs_type;
+type app_fusefs, fs_type, contextmount_type;
 
 # File types
 type unlabeled, file_type;
@@ -173,6 +174,8 @@ type security_file, file_type;
 type bluetooth_efs_file, file_type;
 # Type for fingerprint template file.
 type fingerprintd_data_file, file_type, data_file_type;
+# Type for appfuse file.
+type app_fuse_file, file_type, data_file_type;
 
 # Socket types
 type adbd_socket, file_type;
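Review bot: Tagging `app_fuse_file` with `data_file_type` makes it match every rule written against that attribute elsewhere in the policy, although these files appear to live on a FUSE mount rather than on the data partition. Those attribute-wide rules are not visible in this diff, so it is worth confirming which domains gain access as a side effect. If none of that access is intended, `type app_fuse_file, file_type;` would be the narrower declaration. The comment could also state where the label applies, e.g. `# Type for files on an AppFuse mount (context-mounted app_fusefs).`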
@@ -215,6 +218,7 @@ allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;
 allow dev_type tmpfs:filesystem associate;
+allow app_fuse_file app_fusefs:filesystem associate;
 
 # It's a bug to assign the file_type attribute and fs_type attribute
 # to any type. Do not allow it.
diff --git a/mediaserver.te b/mediaserver.te
index a54e198f47f263d29b4a0a251e59deb602f9f5d8..38c0af2002824ff344d85ef92eb3e2f8a392d13b 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -66,6 +66,9 @@ r_dir_file(mediaserver, media_rw_data_file)
 allow mediaserver audio_data_file:dir ra_dir_perms;
 allow mediaserver audio_data_file:file create_file_perms;
 
+# Grant access to read files on appfuse.
+allow mediaserver app_fuse_file:file { read getattr };
+
 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
 allow mediaserver qtaguid_proc:file rw_file_perms;
 allow mediaserver qtaguid_device:chr_file r_file_perms;
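Review bot: With this rule `mediaserver` reads contents and attributes produced by whichever process serves the FUSE mount, so the data returned by each `read` is under that process's control. Judging by the priv_app.te rules in this commit, that process is an app. The permission set is suitably narrow (no `open`, no `write`), but the comment should record the trust boundary, e.g. `# Read appfuse files via descriptors passed in by apps; contents come from an app-run FUSE daemon and are untrusted.`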
diff --git a/priv_app.te b/priv_app.te
index 9c43ec21f9bd324ac1243130f284bc0386ad1063..59c599c41ddc950a1f772c79e39f905b673cf4a3 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -71,6 +71,8 @@ allow priv_app exec_type:file getattr;
 # For AppFuse.
 allow priv_app vold:fd use;
 allow priv_app fuse_device:chr_file { read write };
+allow priv_app app_fuse_file:dir rw_dir_perms;
+allow priv_app app_fuse_file:file rw_file_perms;
 
 # /sys access
 allow priv_app sysfs_zram:dir search;
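Review bot: `rw_dir_perms` on `app_fuse_file:dir` adds directory `write`, `add_name` and `remove_name`, yet no `create`, `unlink` or `rename` is granted on `app_fuse_file:file`, so those extra directory permissions look unused. If priv_app only looks up and opens existing entries on the mount, `allow priv_app app_fuse_file:dir r_dir_perms;` would be the least-privilege form. Both rules also apply to the whole `priv_app` domain rather than to the one component that uses AppFuse, which deserves a line in the comment.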
diff --git a/vold.te b/vold.te
index 67e461a25db9a665a0925b7cfca7a3032477bd12..9a1ccfe3a008ad0966674affc9d1338a5c87a357 100644
--- a/vold.te
+++ b/vold.te
@@ -174,6 +174,9 @@ allow vold storage_file:dir mounton;
 
 # For AppFuse.
 allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuse:filesystem { relabelfrom };
+allow vold app_fusefs:filesystem { relabelfrom relabelto };
+allow vold app_fusefs:filesystem { mount unmount };
 
 # coldboot of /sys/block
 allow vold sysfs_zram:dir r_dir_perms;
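Review bot: The two added `app_fusefs:filesystem` rules share source, target and class and could be one line: `allow vold app_fusefs:filesystem { mount unmount relabelfrom relabelto };`. It is also unclear from the hunk why `relabelfrom` is needed on `app_fusefs` itself in addition to `fuse`. If the mount is only ever relabelled from `fuse` to `app_fusefs`, `relabelto` may be sufficient on the new type. A short comment naming the context-mount step would justify whichever set stays.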