diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index f894037811217e9db4c091624685c3dbdd496988..ee0205af7603479bf9e924038eaf5bc22d150353 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -149,7 +149,6 @@ allow domain_deprecated proc_meminfo:file r_file_perms;
 userdebug_or_eng(`
 auditallow {
 domain_deprecated
- -dumpstate
 -fsck
 -fsck_untrusted
 -sdcardd
@@ -159,7 +158,6 @@ auditallow {
 } proc:file r_file_perms;
 auditallow {
 domain_deprecated
- -dumpstate
 -fsck
 -fsck_untrusted
 -system_server
@@ -167,7 +165,6 @@ auditallow {
 } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
 auditallow {
 domain_deprecated
- -dumpstate
 -fingerprintd
 -healthd
 -netd
@@ -208,7 +205,6 @@ auditallow {
 auditallow {
 domain_deprecated
 -appdomain
- -dumpstate
 -fingerprintd
 -healthd
 -inputflinger
@@ -222,7 +218,6 @@ auditallow {
 auditallow {
 domain_deprecated
 -appdomain
- -dumpstate
 -fingerprintd
 -healthd
 -inputflinger
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 29a8aedcac6a9836a3e9e0b1ff2a3847caf1a237..605e8363ed01fb0b2303ccfbb63ca8b606cd55c6 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -29,6 +29,9 @@ allow dumpstate system_file:file execute_no_trans;
 not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
 allow dumpstate toolbox_exec:file rx_file_perms;

+# hidl searches for files in /system/lib(64)/hw/
+allow dumpstate system_file:dir r_dir_perms;
+
 # Create and write into /data/anr/
 allow dumpstate self:capability { dac_override chown fowner fsetid };
 allow dumpstate anr_data_file:dir rw_dir_perms;
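Review bot: The new `allow dumpstate system_file:dir r_dir_perms;` in public/dumpstate.te is wider than its comment reads: the rule is keyed on the `system_file` type, not on a path, so it grants r_dir_perms on every directory carrying that label, not only /system/lib(64)/hw/. That is presumably unavoidable because hw/ has no label of its own, but the comment should say so, so a later reader does not try to narrow it, e.g. `# hidl searches for files in /system/lib(64)/hw/; system_file covers all of /system, so this cannot be scoped tighter`. If a finer label for /system/lib(64)/hw/ does exist in file_contexts, this rule should use it instead.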
@@ -83,10 +86,19 @@ allow dumpstate sysfs_usb:file w_file_perms;
 # Other random bits of data we want to collect
 allow dumpstate qtaguid_proc:file r_file_perms;
 allow dumpstate debugfs:file r_file_perms;
-# df for /storage/emulated needs search
-allow dumpstate { block_device storage_file tmpfs }:dir { search getattr };
+
+# df for
+allow dumpstate {
+ block_device
+ cache_file
+ rootfs
+ selinuxfs
+ storage_file
+ tmpfs
+}:dir { search getattr };
 allow dumpstate fuse_device:chr_file getattr;
 allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

 # Read /dev/cpuctl and /dev/cpuset
 r_dir_file(dumpstate, cgroup)
@@ -137,7 +149,8 @@ read_logd(dumpstate)
 control_logd(dumpstate)
 read_runtime_log_tags(dumpstate)

-# Read /proc and /proc/net
+# Read files in /proc
+allow dumpstate proc_meminfo:file r_file_perms;
 allow dumpstate proc_net:file r_file_perms;
 r_dir_file(dumpstate, proc)

@@ -203,6 +216,9 @@ add_service(dumpstate, dumpstate_service)
 # use /dev/ion for screen capture
 allow dumpstate ion_device:chr_file r_file_perms;

+# read default labeled files in /sys
+r_dir_file(dumpstate, sysfs)
+
 ###
 ### neverallow rules
 ###
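Review bot: The comment `# df for` above the rewritten `allow dumpstate { block_device cache_file rootfs selinuxfs storage_file tmpfs }:dir { search getattr };` is left unfinished, and it replaces the old `# df for /storage/emulated needs search`, so the reader no longer learns why `rootfs`, `cache_file` and `selinuxfs` joined the list. Suggest completing it as `# df walks every mount point, so it needs search/getattr on the mounted dirs (/, /cache, /sys/fs/selinux, /storage, tmpfs mounts)` — that type-to-path mapping is the conventional one but is worth confirming against file_contexts. The added `allow dumpstate { cache_file rootfs }:lnk_file { getattr read };` deserves its own why-comment too, e.g. `# df/stat follow symlinks under / and /cache`, since it is what lets dumpstate resolve link targets on those labels and nothing nearby explains it.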
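Review bot: `allow dumpstate proc_meminfo:file r_file_perms;` repeats the `allow domain_deprecated proc_meminfo:file r_file_perms;` shown in the first file's hunk header, so it only buys something if dumpstate is also leaving domain_deprecated, which this diff does not show; if it is not, dropping `-dumpstate` from the auditallow exclusion lists simply makes these reads start being audited on userdebug/eng builds. Either way the new `# Read files in /proc` header does not explain why /proc/meminfo needs a line of its own next to `r_dir_file(dumpstate, proc)`; suggest `# /proc/meminfo has its own type (proc_meminfo), not covered by r_dir_file(dumpstate, proc)`, after confirming that label in genfs_contexts.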
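Review bot: `r_dir_file(dumpstate, sysfs)` is a blanket grant: it gives dumpstate read access to every directory and file under /sys that still carries the default `sysfs` label, and the comment `# read default labeled files in /sys` does not record which bugreport sections need it, so there is nothing to check the grant against when tightening later. Suggest naming the consumers, e.g. `# read default-labeled files in /sys; blanket grant for the sysfs nodes the bugreport sections walk — narrow to specific sysfs_* types as those nodes get their own labels`. Unlike the `sysfs_usb:file w_file_perms` visible in the earlier hunk header, this is read-only, so the exposure is what ends up in the bugreport rather than what dumpstate can change.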