diff --git a/private/access_vectors b/private/access_vectors
index d0c52f700c314a5488e518345609a86c5bb179d0..bb287cd2c1bd4b380ff80d93aedde243b3b4b1ba 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -20,6 +20,7 @@ common file
 	relabelfrom
 	relabelto
 	append
+	map
 	unlink
 	link
 	rename
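Review bot: `map` is inserted between `append` and `unlink` in `common file` rather than added at the end, so every later permission in that list moves one position; the same applies to `common socket` in the next hunk, where it lands ahead of the `# socket-specific` entries. That is harmless only where the kernel resolves permission names against the loaded policy instead of relying on fixed positions. Presumably the position was chosen to match the kernel's own ordering, but nothing on the page says so. I would add a comment beside the new entry, for example `# map: checked on mmap(2); position mirrors the kernel's common file/socket list`, so that nobody later reorders the list or assumes positions are stable.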
@@ -46,6 +47,7 @@ common socket
 	relabelfrom
 	relabelto
 	append
+	map
 # socket-specific
 	bind
 	connect
diff --git a/public/domain.te b/public/domain.te
index 51385dd9981d23cc2bd029d6065407a55f1b999b..8ea0bb8419f2194659127e60d980b953bb1f497e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -99,7 +99,7 @@ write_logd(domain)
 
 # System file accesses.
 allow domain system_file:dir { search getattr };
-allow domain system_file:file { execute read open getattr };
+allow domain system_file:file { execute read open getattr map };
 allow domain system_file:lnk_file { getattr read };
 
 # Make sure system/vendor split doesn not affect non-treble
diff --git a/public/global_macros b/public/global_macros
index 4ea8dc3ba1e69d65a30aab740cfbd664203b1714..bcfb68644a6057347b02fbfbf84faf01e23dec53 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -18,9 +18,9 @@ define(`ipc_class_set', `{ sem msgq shm ipc }')
 #####################################
 # Common groupings of permissions.
 #
-define(`x_file_perms', `{ getattr execute execute_no_trans }')
-define(`r_file_perms', `{ getattr open read ioctl lock }')
-define(`w_file_perms', `{ open append write lock }')
+define(`x_file_perms', `{ getattr execute execute_no_trans map }')
+define(`r_file_perms', `{ getattr open read ioctl lock map }')
+define(`w_file_perms', `{ open append write lock map }')
 define(`rx_file_perms', `{ r_file_perms x_file_perms }')
 define(`ra_file_perms', `{ r_file_perms append }')
 define(`rw_file_perms', `{ r_file_perms w_file_perms }')
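Review bot: Adding `map` to `x_file_perms`, `r_file_perms` and `w_file_perms` grants mmap to every rule built on these macros, including `rx_file_perms`, `ra_file_perms` and `rw_file_perms` just below. After this change the permission no longer separates mapped access from plain read/write for any type reached through a macro. If some types must not be mapped (for instance files that are relabeled at runtime and need each access rechecked), they would need explicit `neverallow` rules on `map`, and none are visible in this diff. The reverse gap deserves an audit too: rules that spell out `{ open read ... }` by hand, as `domain.te` and `domain_trans` did, will not pick up `map` and may start producing denials on kernels that enforce the check. A header comment such as `# map is included by default; list permissions explicitly for types that must not be mmap()ed` would record the decision.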
diff --git a/public/te_macros b/public/te_macros
index d65eb889ca28da46c9f285780e9df1c7facd049a..1b42faa5ed73a9e536379786ef68d1e1817af3da 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -8,10 +8,10 @@
 #
 define(`domain_trans', `
 # Old domain may exec the file and transition to the new domain.
-allow $1 $2:file { getattr open read execute };
+allow $1 $2:file { getattr open read execute map };
 allow $1 $3:process transition;
 # New domain is entered by executing the file.
-allow $3 $2:file { entrypoint open read execute getattr };
+allow $3 $2:file { entrypoint open read execute getattr map };
 # New domain can send SIGCHLD to its caller.
 ifelse($1, `init', `', `allow $3 $1:process sigchld;')
 # Enable AT_SECURE, i.e. libc secure mode.
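Review bot: The comments in `domain_trans` still describe only exec and entry, so the reason `map` now appears in both rules is not recorded; a line such as `# map is needed because the executable image is mmap()ed on exec.` above the first rule would cover it. It is also worth confirming that the old domain (`$1`) needs `map` at all. If the mapping happens only after the transition, under `$3`, the first rule could stay without it, which keeps the caller's access to the entrypoint file narrower. I cannot tell from this hunk which side the check applies to, so treat that as a question rather than a finding. The macro body continues past the end of the hunk.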