diff --git a/file.te b/file.te
index bde3a53270144d4005ec21f38d7434b9089f3901..61c9be5bbb57dae814c84b1bb357237dca478815 100644
--- a/file.te
+++ b/file.te
@@ -20,6 +20,8 @@ type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
+# /sys/module/lowmemorykiller
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
 type inotify, fs_type, mlstrustedobject;
 type devpts, fs_type, mlstrustedobject;
 type tmpfs, fs_type;
diff --git a/file_contexts b/file_contexts
index 1763a7b0a3732d95118e8509453a079dbfc15bb2..da9facf3197b9cefe7da07dec6197993e912af36 100644
--- a/file_contexts
+++ b/file_contexts
@@ -222,6 +222,8 @@
 /sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
 /sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
 /sys/kernel/uevent_helper --	u:object_r:usermodehelper:s0
+/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
+
 #############################
 # asec containers
 /mnt/asec(/.*)?           u:object_r:asec_apk_file:s0
diff --git a/lmkd.te b/lmkd.te
index 0e0dedf4ccbf454d7ca498fa546c8c54a5c82653..c6d6a5516d32aa22d7c394966608791853d30ce4 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -4,3 +4,15 @@ permissive_or_unconfined(lmkd)
 type lmkd_exec, exec_type, file_type;
 
 init_daemon_domain(lmkd)
+
+allow lmkd self:capability dac_override;
+
+## Open and write to /proc/PID/oom_score_adj
+## TODO: maybe scope this down?
+r_dir_file(lmkd, appdomain)
+allow lmkd appdomain:file write;
+r_dir_file(lmkd, system_server)
+allow lmkd system_server:file write;
+
+## Writes to /sys/module/lowmemorykiller/parameters/minfree
+allow lmkd sysfs_lowmemorykiller:file w_file_perms;
diff --git a/system_server.te b/system_server.te
index 27dc52df004a4fe282313ab78efc2a0d9f2ad2e8..945b59bd863d304595e4f52ca09ebebd4d2c14cd 100644
--- a/system_server.te
+++ b/system_server.te
@@ -251,3 +251,8 @@ allow system_server unlabeled:file execute;
 # logd access, system_server inherit logd write socket
 # (urge is to deprecate this long term)
 allow system_server zygote:unix_dgram_socket write;
+
+# Be consistent with DAC permissions. Allow system_server to write to
+# /sys/module/lowmemorykiller/parameters/adj
+# /sys/module/lowmemorykiller/parameters/minfree
+allow system_server sysfs_lowmemorykiller:file w_file_perms;