diff --git a/private/app.te b/private/app.te
index ee440eec49d6c29e455b9910bdea1d718b1dca87..74675ed4feab089cf3df40cf4657a2891e876746 100644
--- a/private/app.te
+++ b/private/app.te
@@ -150,9 +150,13 @@ allow appdomain anr_data_file:file { open append };
 # domain socket.
 #
 # Allow apps to connect and write to the tombstoned java trace socket in
-# order to dump their traces.
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
 unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
 allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
 
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
diff --git a/private/system_server.te b/private/system_server.te
index 90401d3486115b8f0ffc1be7daa862b9397b61a0..2bfd4cda69f264bba83a9a164a40006d6f1a709a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -342,9 +342,11 @@ allow system_server anr_data_file:file create_file_perms;
 # domain socket.
 #
 # Allow system_server to connect and write to the tombstoned java trace socket in
-# order to dump its traces.
+# order to dump its traces. Also allow the system server to write its traces to
+# dumpstate during bugreport capture.
 unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
 allow system_server tombstoned:fd use;
+allow system_server dumpstate:fifo_file append;
 
 # Read /data/misc/incidents - only read. The fd will be sent over binder,
 # with no DAC access to it, for dropbox to read.