diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 3c296ccfdda98f15f0d5d3fd53a226485b48c1a8..e6760c94f7346e741fef6e8f74136317f334dcf3 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -119,37 +119,6 @@ auditallow {
 } apk_data_file:lnk_file r_file_perms;
 ')
 
-# Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -recovery
- -system_server
- -vold
-} cache_file:dir { open read search ioctl lock };
-auditallow {
- domain_deprecated
- -appdomain
- -recovery
- -system_server
- -vold
-} cache_file:dir getattr;
-auditallow {
- domain_deprecated
- -recovery
- -system_server
- -vold
-} cache_file:file { getattr read };
-auditallow {
- domain_deprecated
- -system_server
- -vold
-} cache_file:lnk_file r_file_perms;
-')
-
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
diff --git a/public/uncrypt.te b/public/uncrypt.te
index ef1289c325c91e64adb3bac1a391a56a76ab5376..6d3ee106d20216810572847a4abe9a51679cf4da 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -14,6 +14,7 @@ userdebug_or_eng(`
 
 # Read /cache/recovery/command
 # Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
 allow uncrypt cache_recovery_file:dir rw_dir_perms;
 allow uncrypt cache_recovery_file:file create_file_perms;
 
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 8e454cc0e49a980b7a08e774a9e6366e5a1a006f..fb0284f0eab9752f9e038262fde0d387a87b63ed 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
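Review bot: In public/uncrypt.te the added `allow uncrypt cache_file:dir search;` sits under the two `# Read /cache/recovery/...` comments, neither of which explains why a rule on the parent `cache_file` label is needed. A one-line comment such as `# Traverse /cache to reach /cache/recovery; search only, no listing or file access` would record that the narrow grant is deliberate, so a later edit does not widen it to r_dir_perms. The rule presumably replaces access uncrypt used to get through domain_deprecated, though that membership is not visible in this diff.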
@@ -24,6 +24,8 @@ allow update_engine_common postinstall_file:file rx_file_perms;
 allow update_engine_common postinstall_file:lnk_file r_file_perms;
 allow update_engine_common postinstall_file:dir r_dir_perms;
 
+# install update.zip from cache
+r_dir_file(update_engine_common, cache_file)
 
 # A postinstall program is typically a shell script (with a #!), so we allow
 # to execute those.
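Review bot: The added `r_dir_file(update_engine_common, cache_file)` grants more than the rule this commit removes from domain_deprecated. The removed file rule was `cache_file:file { getattr read }` (already-opened files only), whereas r_dir_file, as the macro is normally defined in te_macros, expands to r_dir_perms on the directory plus r_file_perms, including `open`, on both files and symlinks. If update.zip only has to be opened and read, `allow update_engine_common cache_file:dir search;` together with `allow update_engine_common cache_file:file r_file_perms;` would avoid granting directory listing and symlink reads in /cache. The comment could also state that content read from /cache is untrusted until the package signature is verified. update_engine_common looks like an attribute rather than a single domain, so it is worth confirming that every domain carrying it needs this access.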