diff --git a/app.te b/app.te
index 6cc499aa3e1d99fffab32fca26e1bdd417a030d8..fa16910a53f13ac197bd8148b9b9e11bc35f287e 100644
--- a/app.te
+++ b/app.te
@@ -28,8 +28,7 @@ allow trusted_app shell_data_file:lnk_file read;
 allow trusted_app sdcard:dir create_dir_perms;
 allow trusted_app sdcard:file create_file_perms;
 # Populate /data/app/vmdl*.tmp file created by system server.
-# It would be better if this was labeled differently.
-allow trusted_app apk_data_file:file write;
+allow trusted_app apk_tmp_file:file rw_file_perms;
 
 #
 # An example of a specific domain for a specific app
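Review bot: The replacement rule on `apk_tmp_file` grants `rw_file_perms`, where the removed rule on `apk_data_file` granted only `write`, so the app domain gains read, open and related permissions on these files. If the app only fills a file that the system server created and handed over as an open descriptor (the retained comment suggests this, but the hunk cannot confirm it), `allow trusted_app apk_tmp_file:file write;` would keep the earlier scope. If the wider set is required, the comment above the rule should name the operation that needs it.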
diff --git a/file.te b/file.te
index dc9e768216f3f52196c46f045db48c995d73de84..a7318c4ad3d50e892873f8247c1ae2168345d0b9 100644
--- a/file.te
+++ b/file.te
@@ -29,7 +29,8 @@ type anr_data_file, file_type, data_file_type;
 # /data/tombstones - core dumps
 type tombstone_data_file, file_type, data_file_type;
 # /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type, mlstrustedobject;
+type apk_data_file, file_type, data_file_type;
+type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
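Review bot: The new `apk_tmp_file` declaration has no comment of its own and sits under `# /data/app - user-installed apps`, which does not describe it. Add a line such as `# /data/app/vmdl*.tmp - apk files being populated during install` above it. It is also worth recording there why `mlstrustedobject` moved from `apk_data_file` to this type, since that attribute relaxes MLS checks on whatever carries it, and the next reader will need to know the move was deliberate.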
diff --git a/file_contexts b/file_contexts
index 79a3124b12b76e3930492147fbdfb764edfbbd1b..550fa9a4e4d1250a24e06b1d24546ee98d1db1e7 100644
--- a/file_contexts
+++ b/file_contexts
@@ -106,6 +106,7 @@
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0
 /data/app(/.*)?		u:object_r:apk_data_file:s0
+/data/app/vmdl.*\.tmp	u:object_r:apk_tmp_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/local(/.*)?	u:object_r:shell_data_file:s0
 # Misc data
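Review bot: In `/data/app/vmdl.*\.tmp` the `.*` also matches `/`, so any path ending in `.tmp` below a directory whose name begins with `vmdl` receives `apk_tmp_file`, the type that app.te makes writable by `trusted_app`. Limiting the wildcard to a single path component, `/data/app/vmdl[^/]*\.tmp`, keeps the label on the intended files only. The entry also appears to rely on following `/data/app(/.*)?`, since both patterns match and the later one is expected to win; a short comment saying so would protect the ordering.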
diff --git a/installd.te b/installd.te
index e4b0b1828232a29f709975542d590aadf90f9591..466125ef4eabd27a61cd6b010fc026068ba341dc 100644
--- a/installd.te
+++ b/installd.te
@@ -12,6 +12,7 @@ allow installd data_file_type:dir create_dir_perms;
 allow installd data_file_type:dir { relabelfrom relabelto };
 allow installd data_file_type:file { getattr unlink };
 allow installd apk_data_file:file r_file_perms;
+allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
 dontaudit installd self:capability sys_admin;
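Review bot: The added `allow installd apk_tmp_file:file r_file_perms;` carries no comment saying which installd operation reads a `vmdl*.tmp` file while it still has the temporary label. If installd only touches the apk after it has been renamed and relabeled, the existing `apk_data_file` rule already covers it and this line can be dropped. Otherwise add something like `# Read the apk while it still carries the temporary label.` above it. The rest of installd.te lies outside the hunk, so the justification may exist elsewhere.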
diff --git a/system.te b/system.te
index 47e1eeba129edd366cfab61189731b56ff76506e..8740c6b0f3463c67de6c5a86215782e3be8355a6 100644
--- a/system.te
+++ b/system.te
@@ -130,6 +130,13 @@ allow system qemu_device:chr_file rw_file_perms;
 allow system data_file_type:dir create_dir_perms;
 allow system data_file_type:notdevfile_class_set create_file_perms;
 
+# Read /file_contexts.
+allow system rootfs:file r_file_perms;
+
+# Relabel apk files.
+allow system apk_tmp_file:file { relabelfrom relabelto };
+allow system apk_data_file:file { relabelfrom relabelto };
+
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system system_wpa_socket:sock_file create_file_perms;
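Review bot: `allow system rootfs:file r_file_perms;` grants read on every file labeled `rootfs`, while its comment names only `/file_contexts`. Either give that file a dedicated type and allow only that, or widen the comment to say what is really granted, for example `# Read /file_contexts (grants read on all rootfs files).` The two relabel rules are also bidirectional, presumably because the temporary file starts with the directory's `apk_data_file` label and is relabeled twice. That also lets `system` move an installed apk to the app-writable `apk_tmp_file`, so the comment should state that both directions are intended.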