diff --git a/app.te b/app.te
index 78da5b7251ab100f7da5be812d112389cd17df21..bc42465862f8ee893c774bd162e9bc224b456835 100644
--- a/app.te
+++ b/app.te
@@ -29,6 +29,16 @@ allow appdomain zygote:process sigchld;
 allow appdomain cgroup:dir { search write };
 allow appdomain cgroup:file w_file_perms;
 
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard symlink
+allow appdomain rootfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow appdomain tmpfs:dir r_dir_perms;
+
 userdebug_or_eng(`
   # Notify zygote of the wrapped process PID when using --invoke-with.
   allow appdomain zygote:fifo_file write;
diff --git a/shell.te b/shell.te
index 2a3faecb2d746ddef4d3d1b25682ab04b8ecc3cb..a02fbd00fb48b75db148e4a1cb77bbf4d55a785f 100644
--- a/shell.te
+++ b/shell.te
@@ -25,6 +25,9 @@ userdebug_or_eng(`
 allow shell adbd:fd use;
 allow shell adbd:unix_stream_socket { read write ioctl getattr };
 
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
 # read files in /data/anr
 allow shell anr_data_file:dir r_dir_perms;
 allow shell anr_data_file:file r_file_perms;