diff --git a/app.te b/app.te
index 902200181e43ddac5933a2a1853b413270d85ce6..be47ca55745cc4732fe0b9bfd704eda2bbc9a723 100644
--- a/app.te
+++ b/app.te
@@ -263,8 +263,9 @@ neverallow appdomain { domain -appdomain }:process
     { sigkill sigstop signal };
 
 # Transition to a non-app domain.
-# Exception for the shell domain, can transition to runas, etc.
-neverallow { appdomain -shell } { domain -appdomain }:process
+# Exception for the shell domain and the su domain, can transition to runas,
+# etc.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
     { transition dyntransition };
 
 # Write to rootfs.
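Review bot: The rewritten comment above the `neverallow` reads as if su were exempt on every build, but the `-su` term is wrapped in `userdebug_or_eng(...)`, so user builds keep the old rule. The comment should say so and name the transition that needs the exemption, for example `# Exceptions: shell (runas, etc.) and, on userdebug/eng builds only, su (su -> dumpstate, see su.te).` The exemption also covers every `transition` and `dyntransition` from su to any non-app domain, not only the one to dumpstate. Any su transition rule added later will therefore no longer be caught by this check.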
diff --git a/dumpstate.te b/dumpstate.te
index ad4f2380874a5376788e9eca244cd94056e55a22..876eaca03614e13746602cc09c333415fb5d39fb 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -6,8 +6,9 @@ init_daemon_domain(dumpstate)
 net_domain(dumpstate)
 binder_use(dumpstate)
 
-# Drop privileges by switching UID / GID
-allow dumpstate self:capability { setuid setgid };
+# Allow setting process priority, protect from OOM killer, and dropping
+# privileges by switching UID / GID
+allow dumpstate self:capability { setuid setgid sys_resource };
 
 # Allow dumpstate to scan through /proc/pid for all processes
 r_dir_file(dumpstate, domain)
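Review bot: The new comment gives "setting process priority" as a reason for this capability set, but as far as I know raising priority is checked against `sys_nice`, which is not granted here. `sys_resource` is the capability involved in the OOM-killer protection. Either the comment overstates what the rule permits or the priority change will still be denied, so it is worth checking the audit log for a `sys_nice` denial. Because `sys_resource` also lets a process override resource limits, I would put it on its own line with its own reason: `# sys_resource: protect dumpstate from the OOM killer during a bugreport` followed by `allow dumpstate self:capability sys_resource;`.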
@@ -119,3 +120,5 @@ allow dumpstate {
 }:service_manager find;
 
 allow dumpstate servicemanager:service_manager list;
+
+allow dumpstate devpts:chr_file rw_file_perms;
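Review bot: This `allow` has no comment and sits outside any `userdebug_or_eng` block, so dumpstate gains read/write on every pty labeled `devpts` on user builds too. If the only reason is that dumpstate inherits the terminal as stdio when started from an su shell (my reading of the su.te change, not stated here), then `open` is not needed. In that case the rule could be limited to debug builds and to `{ getattr read write ioctl }` rather than `rw_file_perms`. At minimum add a comment such as `# Write to the inherited pty when run interactively from su.`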
diff --git a/su.te b/su.te
index c42e4a720355d9ce05fbb0041b5fce1d83af289a..dab52103ccd67c2ef78bca334a54a7a9ef136335 100644
--- a/su.te
+++ b/su.te
@@ -12,6 +12,10 @@ userdebug_or_eng(`
   # additional information.
   domain_auto_trans(dumpstate, su_exec, su)
 
+  # Make sure that dumpstate runs the same from the "su" domain as
+  # from the "init" domain.
+  domain_auto_trans(su, dumpstate_exec, dumpstate)
+
   # su is also permissive to permit setenforce.
   permissive su;