diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 775bb1eda46cd859c785473ce071d06399848dfe..e9bf24fd27402a272f30b6b59ed1dfeefed49aa0 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -19,7 +19,7 @@ allow update_engine_common rootfs:file r_file_perms;
 
 # Allow update_engine_common to mount on the /postinstall directory and reset the
 # labels on the mounted filesystem to postinstall_file.
-allow update_engine_common postinstall_mnt_dir:dir mounton;
+allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
 allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
 allow update_engine_common labeledfs:filesystem relabelfrom;