diff --git a/installd.te b/installd.te
index 3c43b05ecec45f07da2100d17db01e4622082f0d..fae130a72dbfdde2fe2c94e9e055173116627821 100644
--- a/installd.te
+++ b/installd.te
@@ -11,11 +11,12 @@ allow installd system_data_file:lnk_file create;
 allow installd dalvikcache_data_file:file create_file_perms;
 allow installd data_file_type:dir create_dir_perms;
 allow installd data_file_type:dir { relabelfrom relabelto };
-allow installd data_file_type:{ file lnk_file } { getattr unlink };
+allow installd data_file_type:{ file lnk_file sock_file } { getattr unlink };
 allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
+allow installd download_file:dir { read getattr };
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
diff --git a/zygote.te b/zygote.te
index 87f72bfbe7129c259b46c706504f887d3f6514a6..5b6162fe040b5bd15b8dc224b5bc26357343f282 100644
--- a/zygote.te
+++ b/zygote.te
@@ -5,7 +5,7 @@ type zygote_exec, exec_type, file_type;
 init_daemon_domain(zygote)
 typeattribute zygote mlstrustedsubject;
 # Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid };
+allow zygote self:capability { dac_override setgid setuid fowner };
 # Drop capabilities from bounding set.
 allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.
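Review bot: The widened rule `allow installd data_file_type:{ file lnk_file sock_file } { getattr unlink };` applies to the whole `data_file_type` attribute, so installd may now remove sockets of every data type rather than only app-owned ones, and the policy gives no reason for it. A comment above it such as `# Delete files, symlinks and sockets left in data directories being removed.` would record the intent, if that is indeed the reason. The new `allow installd download_file:dir { read getattr };` is likewise uncommented, and it grants `read` without `open` or `search`, which presumably covers only an already-open directory descriptor. If installd opens the directory itself the rule may not be enough, and if the narrow grant is deliberate a comment should say so.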
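Review bot: `fowner` is added in `allow zygote self:capability { dac_override setgid setuid fowner };`, but the comment above it still reads "Override DAC on files and switch uid/gid." and does not justify the new capability. zygote is declared `mlstrustedsubject` and, per the trailing comment, switches into app domains, so each capability it holds should carry a stated reason. I would update the comment to something like `# Override DAC on files, change attributes of files it does not own (fowner), and switch uid/gid.` and name the operation that produced the denial, if it is known.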