diff --git a/file_contexts b/file_contexts
index 942b7e6f83b0d5433d56e4447a1d016c8100b5b9..a74f8f86ace36b78382eb63b1ebbf195d71f6bda 100644
--- a/file_contexts
+++ b/file_contexts
@@ -200,6 +200,7 @@
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
 /system/bin/idmap u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
+/system/bin/bspatch              u:object_r:update_engine_exec:s0
 
 #############################
 # Vendor files
diff --git a/update_engine.te b/update_engine.te
index 839d6b7110736dfb3fce6e3e9df00644a02087b7..ea7fcaff809a87996f0fc7c1ce54d0965fbf7655 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -10,6 +10,7 @@ net_domain(update_engine);
 allow update_engine self:process { setsched };
 allow update_engine self:capability { fowner sys_admin };
 allow update_engine kmsg_device:chr_file w_file_perms;
+allow update_engine update_engine_exec:file rx_file_perms;
 wakelock_use(update_engine);
 
 # Allow using persistent storage in /data/misc/update_engine.