diff --git a/system_app.te b/system_app.te
index 5d0eca72723e485c2657a1646acc0f823f62aab5..05f1b6c229e1e8a9d26c87218909fd0679237bb7 100644
--- a/system_app.te
+++ b/system_app.te
@@ -13,6 +13,15 @@ binder_service(system_app)
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:file create_file_perms;
 
+# Read and write to other system-owned /data directories, such as
+# /data/system/cache and /data/misc/keychain.
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+# Audit writes to these directories and files so we can identify
+# and possibly move these directories into their own type in the future.
+auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
+auditallow system_app system_data_file:file { create setattr append write link unlink rename };
+
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;