diff --git a/installd.te b/installd.te
index acbb9cecc5800094a85ca41251a0d1db22f7ae5b..68a0d068cf96364d8a621867cd0280cb64687036 100644
--- a/installd.te
+++ b/installd.te
@@ -16,6 +16,7 @@ allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
+allow installd download_file:dir { read getattr };
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
diff --git a/zygote.te b/zygote.te
index bf4d5ec29e6aecfb5a66c9d8be936f54d868b308..29288e8632ba7b551e4a54afdf7501ca18291c23 100644
--- a/zygote.te
+++ b/zygote.te
@@ -5,7 +5,7 @@ type zygote_exec, exec_type, file_type;
 init_daemon_domain(zygote)
 typeattribute zygote mlstrustedsubject;
 # Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid };
+allow zygote self:capability { dac_override setgid setuid fowner };
 # Drop capabilities from bounding set.
 allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.
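Review bot: The added `allow installd download_file:dir { read getattr };` in installd.te carries no comment naming the installd operation that needs it, and the permission set does not match a usual directory access pattern. Listing a directory normally also needs `open` and `search` (what the `r_dir_perms` macro grants, in the same style as the `r_file_perms` and `create_dir_perms` macros on the neighbouring rules), while a plain stat needs only `getattr`. As written the rule may either leave the motivating denial in place or grant a `read` that is never exercised. I would add a line such as `# <operation>: installd inspects the download directory.` above it and size the set to exactly what the audited denial shows.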
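Review bot: `fowner` is added to zygote's capability set in zygote.te, but the comment above the rule still reads "Override DAC on files and switch uid/gid" and nothing records which operation requires the new capability. CAP_FOWNER skips the owner-UID check on operations such as chmod and utime, and zygote is the domain from which the app domains are entered, so the reason for the grant should be written down and checked against the denial that prompted it. I would give it its own rule and comment, e.g. `# <operation> on files not owned by zygote's uid.` followed by `allow zygote self:capability fowner;`, so it can be reviewed and removed independently of `dac_override setgid setuid`.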