diff --git a/init.te b/init.te
index 5cb947199734767423663f128f17bef9421486f7..5397a82173c8a494d327786c68479ccb7aa18671 100644
--- a/init.te
+++ b/init.te
@@ -19,6 +19,10 @@ allow init unlabeled:filesystem *;
 # we just allow all file types except /system files here.
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 
+# Unlabeled file access for upgrades from 4.2.
+allow init unlabeled:dir { create_dir_perms relabelfrom };
+allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+
 # Reload policy upon setprop selinux.reload_policy 1.
 allow init kernel:security load_policy;
 
diff --git a/kernel.te b/kernel.te
index 96b57407eceb1bc1248e0fdf44d1848d8c362732..1faa9db80abb86ad3120f9ca7824ce255cd927b1 100644
--- a/kernel.te
+++ b/kernel.te
@@ -8,6 +8,9 @@ allow kernel init:process dyntransition;
 # The kernel is unconfined.
 unconfined_domain(kernel)
 
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
 # init direct restorecon calls prior to switching to init domain
 # /dev and /dev/socket
 allow kernel { device socket_device }:dir relabelto;