diff --git a/adbd.te b/adbd.te
index a92d50597a1c446903961c74321038fb346aba76..8614819c1306c634d587988d5c7f499b39ff0cc4 100644
--- a/adbd.te
+++ b/adbd.te
@@ -4,6 +4,7 @@ type adbd, domain;
 
 userdebug_or_eng(`
   permissive adbd;
+  allow adbd su:process dyntransition;
 ')
 
 domain_auto_trans(adbd, shell_exec, shell)
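Review bot: The added `allow adbd su:process dyntransition;` sits directly under `permissive adbd;` with no comment, so a reader cannot tell what it is for or whether it is load-bearing. While adbd is permissive, the rule mainly keeps the denial out of the audit log, but it becomes the only thing permitting the context change if the permissive line is ever dropped. A comment along the lines of `# adbd switches its own context to su (presumably for "adb root"); required once adbd is enforcing` would record that, with the reason confirmed by the author. The same permissive-domain caveat applies to the rules added in the su.te hunk, where `permissive su;` follows them.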
diff --git a/domain.te b/domain.te
index c8063f74063d0fc54d20d2b74976e1ecbdde2659..b13ad75f8a91368b34e40265779832bc8c61df57 100644
--- a/domain.te
+++ b/domain.te
@@ -28,6 +28,20 @@ allow domain adbd:unix_stream_socket connectto;
 allow domain adbd:fd use;
 allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
 
+userdebug_or_eng(`
+  # Same as adbd rules above, except allow su to do the same thing
+  allow domain su:unix_stream_socket connectto;
+  allow domain su:fd use;
+  allow domain su:unix_stream_socket { getattr getopt read write shutdown };
+
+  # Running something like "pm dump com.android.bluetooth" requires
+  # fifo writes
+  allow domain su:fifo_file { write getattr };
+
+  # allow "gdbserver --attach" to work for su.
+  allow domain su:process sigchld;
+')
+
 ###
 ### Talk to debuggerd.
 ###
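Review bot: These rules are granted to the `domain` attribute, so on userdebug and eng builds every domain may connect to su-owned stream sockets, use su file descriptors, write to su-owned FIFOs and send sigchld to su, not only the domains that take part in a debugging session. The comments name two consumers (`pm dump` and `gdbserver --attach`); if those are the only ones, the fifo rule could presumably be scoped to the domain that produces the dump instead of `domain`. If the breadth is deliberate, the leading comment should say so, since `# Same as adbd rules above` only covers the first three rules; for example `# fifo_file and sigchld have no adbd counterpart; su-only, userdebug/eng builds.`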
diff --git a/su.te b/su.te
index b4b9f6dadc5d6b2938a02e1298f4b8ed82f0ab42..7b6899a21af6906298570347144d71215eaf630f 100644
--- a/su.te
+++ b/su.te
@@ -12,6 +12,11 @@ userdebug_or_eng(`
   # su is unconfined.
   unconfined_domain(su)
 
+  allow su ashmem_device:chr_file execute;
+  allow su self:process execmem;
+  tmpfs_domain(su)
+  allow su su_tmpfs:file execute;
+
   # su is also permissive to permit setenforce.
   permissive su;
 ')
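Review bot: The four added rules let su execute from ashmem and from its own tmpfs type and map anonymous memory executable, but nothing says which tool needs that, and they now read as if covered by the `# su is unconfined.` comment above them. The domain.te hunk names its consumers, and these rules deserve the same, e.g. `# Executable ashmem/tmpfs/anonymous mappings, needed by <tool> when run from a su shell.` with the actual tool filled in. Grouping them under their own comment also makes it easier to drop them later if that tool stops needing executable mappings. The enclosing `userdebug_or_eng(` block opens outside this hunk.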