diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 82534fecb027d1b49dc522805bf47902421855c7..e9337844bdb93a560ad656c7ea7ea70e299d52ea 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -109,37 +109,6 @@ auditallow {
 } apk_data_file:lnk_file r_file_perms;
 ')
 
-# Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -recovery
-  -system_server
-  -vold
-} cache_file:dir { open read search ioctl lock };
-auditallow {
-  domain_deprecated
-  -appdomain
-  -recovery
-  -system_server
-  -vold
-} cache_file:dir getattr;
-auditallow {
-  domain_deprecated
-  -recovery
-  -system_server
-  -vold
-} cache_file:file { getattr read };
-auditallow {
-  domain_deprecated
-  -system_server
-  -vold
-} cache_file:lnk_file r_file_perms;
-')
-
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 7ae7d396e4262f1db11f947dab49cfcbeace53b2..d10eb3916849529ef485f845e7c62918d739f83a 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -14,6 +14,7 @@ userdebug_or_eng(`
 
 # Read /cache/recovery/command
 # Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
 allow uncrypt cache_recovery_file:dir rw_dir_perms;
 allow uncrypt cache_recovery_file:file create_file_perms;
 
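Review bot: The added `allow uncrypt cache_file:dir search;` has no comment of its own and sits under two comments that only describe the cache_recovery_file reads, so the reason uncrypt touches cache_file at all is not recorded. A line such as `# Traverse /cache to reach /cache/recovery; search only, no listing or file access.` directly above the rule would make the intent clear. It would also discourage a later widening to `r_dir_perms`. The rule presumably replaces the access uncrypt used to inherit from the domain_deprecated block removed in this commit; the description should confirm that.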
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 8e454cc0e49a980b7a08e774a9e6366e5a1a006f..fb0284f0eab9752f9e038262fde0d387a87b63ed 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -24,6 +24,8 @@ allow update_engine_common postinstall_file:file rx_file_perms;
 allow update_engine_common postinstall_file:lnk_file r_file_perms;
 allow update_engine_common postinstall_file:dir r_dir_perms;
 
+# install update.zip from cache
+r_dir_file(update_engine_common, cache_file)
 
 # A postinstall program is typically a shell script (with a #!), so we allow
 # to execute those.
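Review bot: `r_dir_file(update_engine_common, cache_file)` grants more than the comment "install update.zip from cache" calls for. The macro covers dir, file and lnk_file reads on everything labelled cache_file, and it appears to apply to every domain that carries the update_engine_common rules. It is also wider than the domain_deprecated rule removed in this commit, which allowed only `{ getattr read }` on already-opened files. If the only need is to open and read the package, consider spelling it out without lnk_file, so the updater does not follow symlinks placed in /cache: `allow update_engine_common cache_file:dir r_dir_perms;` and `allow update_engine_common cache_file:file r_file_perms;`. The comment could also name which domain performs the read, so the grant can be narrowed later.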