diff --git a/public/app.te b/public/app.te
index 370f5394ba9fc9fd8da8a1ee69e5b82eece081c2..57b76f172008ce0253e9b9c23b3665e6c088180b 100644
--- a/public/app.te
+++ b/public/app.te
@@ -252,8 +252,7 @@ allow { appdomain -isolated_app } hal_graphics_allocator:fd use;
 allow appdomain proc_meminfo:file r_file_perms;
 
 # For app fuse.
-allow appdomain app_fuse_file:dir rw_dir_perms;
-allow appdomain app_fuse_file:file rw_file_perms;
+allow appdomain app_fuse_file:file { getattr read append write };
 
 ###
 ### CTS-specific rules
diff --git a/public/system_server.te b/public/system_server.te
index f36fa9f1ba5964598a8520be6e751d42001c01f7..0e1b9c06b0e2d5c595678b9b765550469aa51144 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -559,6 +559,8 @@ userdebug_or_eng(`
 # For AppFuse.
 allow system_server vold:fd use;
 allow system_server fuse_device:chr_file { read write ioctl getattr };
+allow system_server app_fuse_file:dir rw_dir_perms;
+allow system_server app_fuse_file:file { read write open getattr append };
 
 # For configuring sdcardfs
 allow system_server configfs:dir { create_dir_perms };