diff --git a/app.te b/app.te
index eadf5390b39f71fece278c96b819cbcc75d14d49..1aa6b2377cc234b9fdb976af32d3b46d92787d93 100644
--- a/app.te
+++ b/app.te
@@ -137,6 +137,9 @@ allow appdomain dalvikcache_profiles_data_file:file write;
 allow appdomain shared_relro_file:dir search;
 allow appdomain shared_relro_file:file r_file_perms;
 
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:file { rx_file_perms execmod };
+
 ###
 ### CTS-specific rules
 ###
diff --git a/domain.te b/domain.te
index a53a328928f6252ecb9e5a6f1a819c17e8c286fb..20869114ef49bd49376ca92e7ed636e56f36851c 100644
--- a/domain.te
+++ b/domain.te
@@ -96,6 +96,7 @@ allow domain system_data_file:lnk_file r_file_perms;
 # Read apk files under /data/app.
 allow domain apk_data_file:dir { getattr search };
 allow domain apk_data_file:file r_file_perms;
+allow domain apk_data_file:lnk_file r_file_perms;
 
 # Read /data/dalvik-cache.
 allow domain dalvikcache_data_file:dir { search getattr };
diff --git a/installd.te b/installd.te
index f84075a4c30007eae05ef613c54cd0d09ed6943c..36f71730c79fe063f8201ec2ec2b87281802a23d 100644
--- a/installd.te
+++ b/installd.te
@@ -5,7 +5,9 @@ type installd_exec, exec_type, file_type;
 init_daemon_domain(installd)
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-allow installd apk_data_file:file r_file_perms;
+allow installd apk_data_file:file rename;
+allow installd apk_data_file:dir create_dir_perms;
+allow installd apk_data_file:lnk_file { create read unlink };
 allow installd asec_apk_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd oemfs:dir r_dir_perms;