diff --git a/file_contexts b/file_contexts
index 406f6a8102cb3fe51d3a0135df8986bd5455e60d..8fc29ebcbf33bb857d9fcd101c01ffb353bda267 100644
--- a/file_contexts
+++ b/file_contexts
@@ -314,4 +314,7 @@
 # external storage
 /mnt/media_rw(/.*)?         u:object_r:mnt_media_rw_file:s0
 /mnt/user(/.*)?             u:object_r:mnt_user_file:s0
+/mnt/runtime_default(/.*)?  u:object_r:storage_file:s0
+/mnt/runtime_read(/.*)?     u:object_r:storage_file:s0
+/mnt/runtime_write(/.*)?    u:object_r:storage_file:s0
 /storage(/.*)?              u:object_r:storage_file:s0
diff --git a/vold.te b/vold.te
index 35134106d8282becc6bca22a8b68321324f237ef..b22436f3f30b6e11986fcf09f0e785c1c5ea2560 100644
--- a/vold.te
+++ b/vold.te
@@ -159,6 +159,10 @@ allow vold vold:key { write search setattr };
 # vold temporarily changes its priority when running benchmarks
 allow vold self:capability sys_nice;
 
+# vold needs to chroot into app namespaces to remount when runtime permissions change
+allow vold self:capability sys_chroot;
+allow vold storage_file:dir mounton;
+
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
diff --git a/zygote.te b/zygote.te
index 0dba9b6193e6a0882150107c2cd37a1f46f7fcb8..598589e92a36513fc2e943952eccfde534a6211f 100644
--- a/zygote.te
+++ b/zygote.te
@@ -53,7 +53,7 @@ allow zygote rootfs:dir mounton;
 allow zygote sdcard_type:dir { write search setattr create add_name mounton }; # TODO: deprecated in M
 dontaudit zygote self:capability fsetid; # TODO: deprecated in M
 allow zygote tmpfs:dir { write create add_name setattr mounton search }; # TODO: deprecated in M
-allow zygote tmpfs:filesystem mount; # TODO: deprecated in M
+allow zygote tmpfs:filesystem { mount unmount };
 allow zygote labeledfs:filesystem remount; # TODO: deprecated in M
 
 # Allowed to create user-specific storage source if started before vold