diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index ccb7e855cfb1c1d3d1205e653943bc217df0ac9d..a440bfe545596653d02a09ee2ac5a13663b55c13 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -1,26 +1,9 @@
 # rules removed from the domain attribute
 
 # Read access to pseudo filesystems.
-r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
 
 userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -fsck
-  -fsck_untrusted
-  -sdcardd
-  -system_server
-  -update_engine
-  -vold
-} proc:file r_file_perms;
-auditallow {
-  domain_deprecated
-  -fsck
-  -fsck_untrusted
-  -system_server
-  -vold
-} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
 auditallow {
   domain_deprecated
   -fingerprintd
diff --git a/private/platform_app.te b/private/platform_app.te
index 047cca45fdd361c34c75bd8bb65e9ff00daa2de9..a8bb1c285aace856e5dcc21225ab63f25fd5c3ee 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -41,6 +41,9 @@ allow platform_app vfat:file create_file_perms;
 # com.android.systemui
 allow platform_app rootfs:dir getattr;
 
+# com.android.captiveportallogin reads /proc/vmstat
+allow platform_app proc:file r_file_perms;
+
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;
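Review bot: The added `allow platform_app proc:file r_file_perms;` grants read on every file carrying the generic `proc` label to all apps in the platform_app domain, while its comment justifies only /proc/vmstat for com.android.captiveportallogin. A narrower grant would give /proc/vmstat its own type and allow only that, the way update_engine_common.te already uses `proc_misc` for /proc/misc. The same pattern recurs in the system_app.te hunk (/proc/version, /proc/pagetypeinfo), the uncrypt.te hunk (/proc/cmdline) and the update_engine_common.te hunk (boot_id). If the broad grant is kept as an interim step, the comment should say so, e.g. `# TODO: replace with a dedicated type for /proc/vmstat`.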
diff --git a/private/system_app.te b/private/system_app.te
index 80afcb946d87307d27e81cc3b5ea8f27016969db..803ee44244a1045af1c38c592a795fe0aa9b216b 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -84,5 +84,8 @@ allow system_app keystore:keystore_key {
 # /sys access
 r_dir_file(system_app, sysfs_type)
 
+# settings app reads /proc/version and /proc/pagetypeinfo
+allow system_app proc:file r_file_perms;
+
 control_logd(system_app)
 read_runtime_log_tags(system_app)
diff --git a/public/uncrypt.te b/public/uncrypt.te
index d10eb3916849529ef485f845e7c62918d739f83a..59f7da3630293bc5e7cb70dec21f72df4cf42443 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -37,3 +37,6 @@ allow uncrypt block_device:dir r_dir_perms;
 allow uncrypt userdata_block_device:blk_file w_file_perms;
 
 r_dir_file(uncrypt, rootfs)
+
+# uncrypt reads /proc/cmdline
+allow uncrypt proc:file r_file_perms;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index e9bf24fd27402a272f30b6b59ed1dfeefed49aa0..2a0266ed61eae3faf3ee04952d0390f656ae603d 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -38,10 +38,8 @@ allow update_engine_common shell_exec:file rx_file_perms;
 # Allow update_engine_common to suspend, resume and kill the postinstall program.
 allow update_engine_common postinstall:process { signal sigstop sigkill };
 
-# access /proc/misc
-# Access is also granted to proc:file, but it is likely unneeded
-# due to the more specific grant to proc_misc immediately below.
-allow update_engine proc:file r_file_perms; # delete candidate
+# access /proc/misc and /proc/sys/kernel/random/boot_id
+allow update_engine proc:file r_file_perms;
 allow update_engine proc_misc:file r_file_perms;
 
 # read directories on /system and /vendor
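Review bot: The new comment `# access /proc/misc and /proc/sys/kernel/random/boot_id` sits above the `proc:file` rule, but the removed comment described the `proc_misc` rule on the next line as the more specific grant for /proc/misc, so presumably only boot_id needs the generic `proc` type. I would give each rule its own comment: `# read /proc/sys/kernel/random/boot_id` above `allow update_engine proc:file r_file_perms;` and `# read /proc/misc` above the `proc_misc` rule. That keeps it clear which path justifies the broad grant when it is later narrowed.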