diff --git a/private/app.te b/private/app.te
index 37f3fc29c86f1ae347defbc70dbfb92e158d4ad9..9251ed9cbeeabfc407c393192717fe63df971978 100644
--- a/private/app.te
+++ b/private/app.te
@@ -474,9 +474,12 @@ neverallow appdomain
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # access tmp apk files
-neverallow { appdomain -platform_app -priv_app }
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
     { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
 
+neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+
 # Access to factory files.
 neverallow appdomain efs_file:dir_file_class_set write;
 neverallow { appdomain -shell } efs_file:dir_file_class_set read;
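Review bot: The two new neverallow lines carve untrusted_app_all out of the blanket apk_tmp_file/apk_private_tmp_file ban but the comment above them still reads only `# access tmp apk files`, so a later reader has no record of why untrusted apps are special-cased or what the `~{ getattr read }` exclusion is meant to preserve (notably that `open`, `map`, `write` and `execute` stay forbidden). I would extend the comment to `# Untrusted apps may only getattr/read staged apks (e.g. via fds handed over Binder); open, write, map and execute remain denied.`, hedging the fd-passing rationale if that is not the intent. The split into `{ devfile_class_set dir fifo_file lnk_file sock_file }` plus `file` appears to cover the same classes as dir_file_class_set, but a one-line note saying the two rules together are meant to be equivalent to the old blanket rule would make that invariant easy to check when dir_file_class_set changes.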
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 6218b0bb70347233df6a9324408eb3bb3f7c21c6..cce589ea2a234e6d5ed5697c2f3c52823c47cb8f 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -41,6 +41,9 @@ allow untrusted_app_all asec_public_file:file { execute execmod };
 allow untrusted_app_all shell_data_file:file r_file_perms;
 allow untrusted_app_all shell_data_file:dir r_dir_perms;
 
+# Allow to read staged apks.
+allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
+
 # Read and write system app data files passed over Binder.
 # Motivating case was /data/data/com.android.settings/cache/*.jpg for
 # cropping or taking user photos.
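Review bot: The new allow grants only `{read getattr}` on apk_tmp_file/apk_private_tmp_file and deliberately omits `open` and `map`, which means an untrusted app cannot open these paths itself and can only read a descriptor another domain already opened; the comment `# Allow to read staged apks.` does not say that, and the omission will look like an oversight to the next maintainer. I would reword it to `# Allow reading staged apks via already-open fds (e.g. passed over Binder); open and map are intentionally not granted.`, assuming that is the design. As a style point, `{read getattr}` should follow the file's spacing convention seen in `{ execute execmod }` on the context line above, i.e. `{ read getattr }`.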