diff --git a/private/access_vectors b/private/access_vectors
index ad4624d31365a6647d9571d952265c88c474acc1..e45d0b2afeac662bba6bc7f1fd94b0fab54591a2 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -20,6 +20,7 @@ common file
 	relabelfrom
 	relabelto
 	append
+	map
 	unlink
 	link
 	rename
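Review bot: `map` is inserted in the middle of `common file`, and again ahead of the socket-specific permissions in `common socket` in the next hunk, with no comment saying what it controls or why it sits at that position. Every permission listed after it in the block moves by one slot in the compiled policy, so the placement deserves a line of explanation, for example `# map: required to mmap() the object; kept next to append to follow the kernel's permission list (confirm against the target kernel's classmap)`. The `common file` block starts and ends outside this hunk, so the rest of the list is not visible here.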
@@ -46,6 +47,7 @@ common socket
 	relabelfrom
 	relabelto
 	append
+	map
 # socket-specific
 	bind
 	connect
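Review bot: `common socket` gains `map`, but none of the visible hunks grants it on any socket class, while the file side is updated in `domain.te`, `global_macros` and `te_macros`. If any domain memory-maps a socket (presumably rare, but worth checking), that access would be denied once the kernel enforces the check. Either add `map` to the specific rules that need it, or record next to this line that the omission is intentional, e.g. `# map is not granted through any socket macro; add it per domain where mmap() on a socket is required`.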
diff --git a/public/domain.te b/public/domain.te
index ed7403bba20cf419e9031cc122358e27bdab3032..5e721438c5dc9100fca4186d031ce4dbf3a2a50a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -94,7 +94,7 @@ write_logd(domain)
 
 # System file accesses.
 allow domain system_file:dir { search getattr };
-allow domain system_file:file { execute read open getattr };
+allow domain system_file:file { execute read open getattr map };
 allow domain system_file:lnk_file { getattr read };
 
 # read any sysfs symlinks
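Review bot: This rule and the two `allow` lines in `domain_trans` (`public/te_macros`) spell out their permissions instead of using the `*_file_perms` macros, so they had to be patched by hand. Any other explicit file permission set outside this diff will not pick up `map` from the macro change, and would show up as a denial on a kernel that enforces the check. It is worth auditing the policy for such explicit sets on types whose files are mmap()ed, and saying in the commit message that this was done. A short comment on this line would also help, e.g. `# map: presumably needed to mmap() executables and libraries labeled system_file`.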
diff --git a/public/global_macros b/public/global_macros
index 4ea8dc3ba1e69d65a30aab740cfbd664203b1714..bcfb68644a6057347b02fbfbf84faf01e23dec53 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -18,9 +18,9 @@ define(`ipc_class_set', `{ sem msgq shm ipc }')
 #####################################
 # Common groupings of permissions.
 #
-define(`x_file_perms', `{ getattr execute execute_no_trans }')
-define(`r_file_perms', `{ getattr open read ioctl lock }')
-define(`w_file_perms', `{ open append write lock }')
+define(`x_file_perms', `{ getattr execute execute_no_trans map }')
+define(`r_file_perms', `{ getattr open read ioctl lock map }')
+define(`w_file_perms', `{ open append write lock map }')
 define(`rx_file_perms', `{ r_file_perms x_file_perms }')
 define(`ra_file_perms', `{ r_file_perms append }')
 define(`rw_file_perms', `{ r_file_perms w_file_perms }')
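Review bot: Adding `map` to `x_file_perms`, `r_file_perms` and `w_file_perms` hands it to every rule that already allows reading, writing or executing a file, so the new permission cannot restrict mmap() on any type reached through these macros. That preserves existing behaviour, but it should be stated here. The value of a separate check is being able to withhold it for files whose access must be revalidated on every read or write, for instance files relabeled at runtime. Suggest a comment above the defines such as `# map is included for compatibility; to forbid mmap() on a type, list its permissions explicitly and back that with a neverallow`.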
diff --git a/public/te_macros b/public/te_macros
index ee19b003ed7a1c5050f86e3977002c74ff89888d..049ac8ed55b210b860be35af1c24ea9554ab2c67 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -8,10 +8,10 @@
 #
 define(`domain_trans', `
 # Old domain may exec the file and transition to the new domain.
-allow $1 $2:file { getattr open read execute };
+allow $1 $2:file { getattr open read execute map };
 allow $1 $3:process transition;
 # New domain is entered by executing the file.
-allow $3 $2:file { entrypoint open read execute getattr };
+allow $3 $2:file { entrypoint open read execute getattr map };
 # New domain can send SIGCHLD to its caller.
 ifelse($1, `init', `', `allow $3 $1:process sigchld;')
 # Enable AT_SECURE, i.e. libc secure mode.
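Review bot: The first rule gives `map` to the calling domain `$1`, not only to the entered domain `$3`, and the hunk does not show that the caller ever maps the file; it may be that only the new domain's image load does. If `$1` does not need it, keeping that line as `allow $1 $2:file { getattr open read execute };` leaves the grant narrower. If it does, extend the comment to say why, e.g. `# Old domain may exec (and mmap) the file and transition to the new domain.` The body of `domain_trans` continues past the end of this hunk.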