diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te index 6a51e617e8385454b7f3d182621c02cabd7e3dd0..ad84af9be1631c1df373475d33e1d7a3c8f390a9 100644 --- a/public/domain_deprecated.te +++ b/public/domain_deprecated.te @@ -1,11 +1,12 @@ # rules removed from the domain attribute # Search /storage/emulated tmpfs mount. -allow domain_deprecated tmpfs:dir r_dir_perms; +allow { domain_deprecated -installd } tmpfs:dir r_dir_perms; userdebug_or_eng(` auditallow { domain_deprecated -appdomain + -installd -sdcardd -surfaceflinger -system_server diff --git a/public/installd.te b/public/installd.te index 0a5b8a380e9a4ab1e9e79012f1d7bbf59f106b95..8440994e48d11a27226f04775ab93e5825d62d3e 100644 --- a/public/installd.te +++ b/public/installd.te @@ -46,6 +46,12 @@ allow installd media_rw_data_file:file { getattr unlink }; allow installd system_data_file:dir relabelfrom; allow installd media_rw_data_file:dir relabelto; +# Delete /data/media files through sdcardfs, instead of going behind its back +allow installd tmpfs:dir r_dir_perms; +allow installd storage_file:dir search; +allow installd sdcardfs:dir { search open read write remove_name getattr rmdir }; +allow installd sdcardfs:file { getattr unlink }; + # Upgrade /data/misc/keychain for multi-user if necessary. allow installd misc_user_data_file:dir create_dir_perms; allow installd misc_user_data_file:file create_file_perms;
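Review bot: The carve-out `allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;` gives no hint that installd still holds this access through its own policy file, so a later cleanup of domain_deprecated could misjudge what installd depends on. A comment above the rule would close that gap, e.g. `# installd is granted tmpfs:dir access explicitly in installd.te.` The same applies to the new `-installd` entry in the `auditallow` set, which stops auditing because the access is now an intended grant rather than a deprecated one. The `auditallow` block continues past the end of this hunk.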
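Review bot: The new `allow installd tmpfs:dir r_dir_perms;` carries over the full directory read set that installd had under domain_deprecated, although the stated purpose is only to reach the sdcardfs mount for deletion. If installd merely traverses the tmpfs mount point, `allow installd tmpfs:dir search;` would be the tighter grant, matching the `storage_file:dir search` rule on the next line; this should be confirmed against the denials actually seen. `tmpfs` is a generic label, so open/read on it presumably covers more than the /storage mount. The sdcardfs rules appear deliberately limited to deletion, with no `add_name` or `create`, and the comment could state that intent, e.g. `# Deletion only: installd must not create or rename entries via sdcardfs.`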