diff --git a/installd.te b/installd.te
index c198e2a650d191508cbe6378be10cb3d641fd1ff..317ae7cea99f4ca424bedd5d6fb2a6930e8a71f6 100644
--- a/installd.te
+++ b/installd.te
@@ -73,11 +73,6 @@ domain_auto_trans(installd, profman_exec, profman)
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
-# Run otapreopt in its own sandbox.
-domain_auto_trans(installd, otapreopt_chroot_exec, otapreopt_chroot)
-# otapreopt_chroot will transition into postinstall_dexopt, which will spawn a child.
-allow installd postinstall_dexopt:process sigchld;
-
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
diff --git a/otapreopt_chroot.te b/otapreopt_chroot.te
index b3f8807b0d2167f9a226ce05ee890d6224babc62..3f426709c86ca5ccdf91f733bfe189103ec8dfc2 100644
--- a/otapreopt_chroot.te
+++ b/otapreopt_chroot.te
@@ -10,5 +10,8 @@ allow otapreopt_chroot self:capability { sys_admin sys_chroot };
 # Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
-# Allow otapreopt to use file descriptors from installd.
-allow otapreopt_chroot installd:fd use;
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/postinstall.te b/postinstall.te
index 7fd4dc61183db9d44b5968b631ebe62bead6c271..0f6bb749b4aa7072143a0907c5f83cbf25c00f2a 100644
--- a/postinstall.te
+++ b/postinstall.te
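Review bot: The added comment in otapreopt_chroot.te mentions only update-engine descriptors and says they are closed immediately, but the new rules also grant `postinstall:fd use` and `update_engine:fifo_file write`, and neither is explained. This domain holds `sys_admin` and `sys_chroot` (visible on the hunk header line), so every grant to it should carry a stated reason; presumably the pipe is the stdout/stderr inherited through postinstall, which SELinux re-checks at exec. If the descriptors really are closed right away, consider whether `dontaudit otapreopt_chroot update_engine:fifo_file write;` would do instead of the allow. Otherwise extend the comment, e.g. `# Inherited stdout/stderr pipe from update_engine via postinstall; re-checked at exec.`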
@@ -30,6 +30,8 @@ binder_call(postinstall, system_server)
 # Need to talk to the otadexopt service.
 allow postinstall otadexopt_service:service_manager find;
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
+
 # No domain other than update_engine and recovery (via update_engine_sideload)
 # should transition to postinstall, as it is only meant to run during the
 # update.
diff --git a/postinstall_dexopt.te b/postinstall_dexopt.te
index 3d00c310952cf754d526972cd4f2447d07d7e8f2..1ab929c7698256432f3107c698dbc853c5d1a7ed 100644
--- a/postinstall_dexopt.te
+++ b/postinstall_dexopt.te
@@ -47,8 +47,8 @@ selinux_check_access(postinstall_dexopt)
 # We have to manually transition, as we don't have an entrypoint.
 domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
-# installd wants to know about our child.
-allow postinstall_dexopt installd:process sigchld;
+# Postinstall wants to know about our child.
+allow postinstall_dexopt postinstall:process sigchld;
 # Allow otapreopt to use file descriptors from otapreopt_chroot.
 # TODO: Probably we can actually close file descriptors...
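Review bot: The new `domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)` line in postinstall.te has no comment, and nothing in this change pins postinstall as the only way into otapreopt_chroot now that installd's transition is removed. The target domain holds `sys_admin` and `sys_chroot` per the otapreopt_chroot.te hunk, so the entry path should be fixed in policy in the same way the comment just below this line describes for postinstall. If otapreopt_chroot.te does not already carry one, a rule along the lines of `neverallow { domain -postinstall } otapreopt_chroot:process { transition dyntransition };` would keep a later change from quietly adding another entry point. A one-line comment such as `# Run otapreopt_chroot in its own sandbox.` above the transition would match the neighbouring rules.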
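Review bot: The rewritten comment in postinstall_dexopt.te still says the rule is about "our child", but `allow postinstall_dexopt postinstall:process sigchld;` permits the SIGCHLD that a postinstall_dexopt process delivers to a postinstall parent when it exits. Presumably postinstall is the parent because otapreopt_chroot execs into this domain without forking; that should be confirmed and stated, e.g. `# postinstall is our parent (otapreopt_chroot execs into us); let it receive our SIGCHLD.` The hunk ends inside the file-descriptor comment block, so the TODO about closing descriptors is not covered by this note.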