diff --git a/app.te b/app.te
index fd16764aaa0e7b2762de4c3217e6236dcd856804..27079cd3d60b4b671e9aaa1ac1fb4fec6206ae8b 100644
--- a/app.te
+++ b/app.te
@@ -66,7 +66,6 @@ binder_call(appdomain, appdomain)
 
 # Appdomain interaction with isolated apps
 r_dir_file(appdomain, isolated_app)
-binder_call(appdomain, isolated_app)
 
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
@@ -82,8 +81,8 @@ allow appdomain cache_backup_file:file { read write getattr };
 allow appdomain system_data_file:lnk_file getattr;
 
 # Allow all applications to read downloaded files
+allow appdomain download_file:dir search;
 allow appdomain download_file:file r_file_perms;
-file_type_auto_trans(appdomain, download_file, download_file)
 
 # Allow applications to communicate with netd via /dev/socket/dnsproxyd
 # to do DNS resolution
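Review bot: The added `allow appdomain download_file:dir search;` and the file rule below it apply to the whole `appdomain` attribute, which presumably includes `isolated_app` (isolated_app.te calls `app_domain(isolated_app)`), so the sandboxed domain also gets read access to downloaded files. If that is not intended, narrow the source on both rules, e.g. `allow { appdomain -isolated_app } download_file:dir search;` and the same source set on the `:file r_file_perms` rule. `isolated_app` is still marked `permissive`, so this would not change behaviour today, but it keeps the rule set correct once the domain is enforcing. The comment could also record that only traversal is granted on purpose, e.g. `# search only: apps reach downloads by known path, no directory listing`.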
diff --git a/isolated_app.te b/isolated_app.te
index 1b33484c5ea9da3d3f984ff0235fe6a1e9d4d2d3..3b99e37d333634080de041b2cfc6eb863ec27f9f 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -13,9 +13,6 @@ type isolated_app, domain;
 permissive isolated_app;
 app_domain(isolated_app)
 
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services