diff --git a/debuggerd.te b/debuggerd.te
index a0041e6f58d3215b2bf38f729ea1355819a999e1..aca499b9bf3e9c7dd5f9276c9d70d37d4e632dc4 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -9,7 +9,7 @@ allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:process ptrace;
-allow debuggerd rootfs:file r_file_perms;
+security_access_policy(debuggerd)
 allow debuggerd system_data_file:dir create_dir_perms;
 allow debuggerd system_data_file:dir relabelfrom;
 allow debuggerd tombstone_data_file:dir relabelto;
diff --git a/installd.te b/installd.te
index 553127c005a3b7623f240037321614a814b6c69c..428e3790ddb0fee7ab7ab169fc27a7c721d38ba9 100644
--- a/installd.te
+++ b/installd.te
@@ -18,8 +18,8 @@ allow installd cgroup:dir create_dir_perms;
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
-# Read /seapp_contexts, presently on the rootfs.
-allow installd rootfs:file r_file_perms;
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(installd)
 # ASEC
 allow installd platform_app_data_file:lnk_file { create setattr };
 allow installd app_data_file:lnk_file { create setattr };
diff --git a/runas.te b/runas.te
index 60b086d49b747723ca35f784a062fae47f9b6c51..8bb2d03f5f5ddc0d0febe94508184bc3c8af1c6a 100644
--- a/runas.te
+++ b/runas.te
@@ -34,7 +34,8 @@ allow runas app_data_file:dir { getattr search };
 allow runas self:capability { setuid setgid };
 
 # run-as switches to the app security context.
-allow runas rootfs:file r_file_perms; # read /seapp_contexts
+# read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(runas)
 selinux_check_context(runas) # validate context
 allow runas untrusted_app:process dyntransition; # setcon
 
diff --git a/system.te b/system.te
index 1c543e7c3f3f72aaeb1c25fc49b07a1100b2acd7..9d6d4c148de3cf30e45e4196d5ee1203957f54f3 100644
--- a/system.te
+++ b/system.te
@@ -148,8 +148,8 @@ allow system tun_device:chr_file rw_file_perms;
 allow system data_file_type:dir create_dir_perms;
 allow system data_file_type:notdevfile_class_set create_file_perms;
 
-# Read /file_contexts.
-allow system rootfs:file r_file_perms;
+# Read /file_contexts and /data/security/file_contexts
+security_access_policy(system)
 
 # Relabel apk files.
 allow system { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
diff --git a/te_macros b/te_macros
index bda87d466cc5ccc1622550fb0c7c4d4aba65c093..86a3a5be4ee326ee43b57c504ef0ecacc7bfdc97 100644
--- a/te_macros
+++ b/te_macros
@@ -236,8 +236,6 @@ allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file r_file_perms;
 allow $1 rootfs:dir r_dir_perms;
 allow $1 rootfs:file r_file_perms;
-allow $1 system_file:dir r_dir_perms;
-allow $1 system_file:file r_file_perms;
 ')
 
 #####################################
@@ -285,4 +283,4 @@ allow $1 system_file:file x_file_perms;
 # man 2 klogctl
 define(`access_kmsg', `
 allow $1 kernel:system syslog_read;
-')
\ No newline at end of file
+')
diff --git a/ueventd.te b/ueventd.te
index f765cc565f2a0609e607a95ddd365c0e088f20cd..9023173d8d34b23db52e4cf6ae7e238547ba6c76 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -2,7 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 tmpfs_domain(ueventd)
-allow ueventd rootfs:file r_file_perms;
+security_access_policy(ueventd)
 allow ueventd rootfs:file entrypoint;
 allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
diff --git a/vold.te b/vold.te
index 8ffc404d4dfd6d518d49f46e0362e5fc3a45d146..71067c469d70b29e249d7064f03a34c744ca49ae 100644
--- a/vold.te
+++ b/vold.te
@@ -60,6 +60,6 @@ allow vold vold_prop:property_service set;
 # ASEC
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;
-allow vold rootfs:file r_file_perms;
+security_access_policy(vold)
 allow vold asec_apk_file:dir { rw_dir_perms setattr };
 allow vold asec_apk_file:file { r_file_perms setattr };
diff --git a/zygote.te b/zygote.te
index 3f0229312494a8df4b6a9379fa9201fad89c5e7a..773318ea16a89091fbe96ebf4993ba5d55ca9a36 100644
--- a/zygote.te
+++ b/zygote.te
@@ -28,8 +28,8 @@ allow zygote self:capability sys_admin;
 selinux_check_context(zygote)
 # Check SELinux permissions.
 selinux_check_access(zygote)
-# Read /seapp_contexts, presently on the rootfs.
-allow zygote rootfs:file r_file_perms;
+# Read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(zygote)
 
 # Setting up /storage/emulated.
 allow zygote rootfs:dir mounton;