diff --git a/app.te b/app.te
index d90185c39d9102b3a67d8f128ff527f36254bb57..aaf811a682d8a99a50aed5178f9e6bdd3f9734aa 100644
--- a/app.te
+++ b/app.te
@@ -76,8 +76,8 @@ allow appdomain isolated_app:unix_stream_socket { read write };
 
 # Backup ability for every app. BMS opens and passes the fd
 # to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write };
-allow appdomain  cache_backup_file:file { read write };
+allow appdomain backup_data_file:file { read write getattr };
+allow appdomain cache_backup_file:file { read write getattr };
 # Backup ability using 'adb backup'
 allow appdomain system_data_file:lnk_file getattr;
 
diff --git a/domain.te b/domain.te
index 291c562466bd58a36d2ed085d393b69674066d5b..f4fd6ae4fabd10964a08cb91a49390f6ceb1dd0a 100644
--- a/domain.te
+++ b/domain.te
@@ -81,7 +81,7 @@ allow domain system_data_file:file { getattr read };
 allow domain system_data_file:lnk_file read;
 
 # Read apk files under /data/app.
-allow domain apk_data_file:dir search;
+allow domain apk_data_file:dir { getattr search };
 allow domain apk_data_file:file r_file_perms;
 
 # Read /data/dalvik-cache.
diff --git a/zygote.te b/zygote.te
index 9a5bc4b67bf55042372b4124d425abb0cacffc5b..0fb3842146e4b484bb94ba6f68a1cb78f8864f18 100644
--- a/zygote.te
+++ b/zygote.te
@@ -12,7 +12,7 @@ allow zygote self:capability setpcap;
 allow zygote system:process dyntransition;
 allow zygote appdomain:process dyntransition;
 # Allow zygote to read app data dirs (b/10455872)
-allow zygote appdomain:dir search;
+allow zygote appdomain:dir { getattr search };
 allow zygote appdomain:file { r_file_perms };
 # Move children into the peer process group.
 allow zygote system:process { getpgid setpgid };