diff --git a/adbd.te b/adbd.te
index babbdc56ee5eff6f4ebb91fcfc75759febfe37ea..72deb502649d38d98da124fe27a0e8c9c497308d 100644
--- a/adbd.te
+++ b/adbd.te
@@ -86,3 +86,10 @@ allow adbd kernel:security read_policy;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
 allow adbd bootchart_data_file:file r_file_perms;
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow adbd storage_file:dir r_dir_perms;
+allow adbd storage_file:lnk_file r_file_perms;
+allow adbd mnt_user_file:dir search;
+allow adbd mnt_user_file:lnk_file r_file_perms;
diff --git a/app.te b/app.te
index 4aad958b46b64778e2f23d5d1a7a5bebeebdfcce..52a3bd6a84ba76f11fed6f8bcfc30edcba0505ec 100644
--- a/app.te
+++ b/app.te
@@ -124,11 +124,11 @@ allow appdomain media_rw_data_file:file { read getattr };
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
 allow appdomain radio_data_file:file { read write getattr };
 
-# See visible storage
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
 allow appdomain storage_file:dir r_dir_perms;
-allow appdomain storage_file:file r_file_perms;
-allow appdomain mnt_user_file:dir r_dir_perms;
-# Follow the /storage/self/primary symlink
+allow appdomain storage_file:lnk_file r_file_perms;
+allow appdomain mnt_user_file:dir search;
 allow appdomain mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
diff --git a/shell.te b/shell.te
index a58fc5d14322257007d741fac5dbdeaed76e887b..cfadf77c93a3affd64372cb82ea1439ada825a7a 100644
--- a/shell.te
+++ b/shell.te
@@ -74,6 +74,3 @@ allow shell domain:process getattr;
 # and read other files created by init process under /data/bootchart
 allow shell bootchart_data_file:dir rw_dir_perms;
 allow shell bootchart_data_file:file create_file_perms;
-
-# Follow the /storage/self/primary symlink
-allow shell storage_file:lnk_file r_file_perms;