diff --git a/private/domain.te b/private/domain.te
index f66185d75553a3981da759550c0d2bf14ffeb620..8a410975bbf9e5af109368479cf73ccad7deff52 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,7 +25,6 @@ full_treble_only(`
   neverallow {
     coredomain
     -dumpstate
-    -priv_app
     -vold
     -vendor_init
   } proc:file no_rw_file_perms;
@@ -35,7 +34,6 @@ full_treble_only(`
     coredomain
     -dumpstate
     -init
-    -priv_app
     -ueventd
     -vold
     -vendor_init
diff --git a/private/priv_app.te b/private/priv_app.te
index e3eec831d063e582543036d873b35ca411e75751..dcf757271a54892183cda0ad610c42f0997c06f1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -77,9 +77,17 @@ userdebug_or_eng(`
 allow priv_app vold:fd use;
 allow priv_app fuse_device:chr_file { read write };
 
-# /sys and /proc access
-r_dir_file(priv_app, sysfs_type)
-r_dir_file(priv_app, proc)
+# /proc access
+allow priv_app {
+  proc_vmstat
+}:file r_file_perms;
+
+allow priv_app sysfs_type:dir search;
+# Read access to /sys/class/net/wlan*/address
+r_dir_file(priv_app, sysfs_net)
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(priv_app, sysfs_zram)
+
 r_dir_file(priv_app, rootfs)
 
 # Allow GMS core to open kernel config for OTA matching through libvintf
@@ -129,6 +137,7 @@ unix_socket_connect(priv_app, traced_producer, traced)
 # suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
+dontaudit priv_app proc:file read;
 dontaudit priv_app proc_interrupts:file read;
 dontaudit priv_app proc_modules:file read;
 dontaudit priv_app proc_version:file read;