diff --git a/public/priv_app.te b/public/priv_app.te
index 5f9889f6f06ce589cb73153d790e9f46962b9411..fb73b1539bab73232e131baecd8ed16892386649 100644
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -11,10 +11,9 @@ bluetooth_domain(priv_app)
 # webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
 allow priv_app self:process ptrace;
 
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow priv_app app_data_file:file rx_file_perms;
-auditallow priv_app app_data_file:file execute_no_trans;
+# Some apps ship with shared libraries that they write out
+# to their sandbox directory and then dlopen().
+allow priv_app app_data_file:file { r_file_perms execute };
 
 allow priv_app audioserver_service:service_manager find;
 allow priv_app cameraserver_service:service_manager find;