diff --git a/installd.te b/installd.te
index 3ce2c5d0895976089b62923c0c27267364b41f7b..f84075a4c30007eae05ef613c54cd0d09ed6943c 100644
--- a/installd.te
+++ b/installd.te
@@ -49,9 +49,11 @@ allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow installd dalvikcache_profiles_data_file:file create_file_perms;
 
 # Upgrade from unlabeled userdata.
-# Just need enough to relabel it.
-allow installd unlabeled:dir { getattr search relabelfrom };
-allow installd unlabeled:notdevfile_class_set { getattr relabelfrom };
+# Just need enough to remove and/or relabel it.
+allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
+allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
+# Read pkg.apk file for input during dexopt.
+allow installd unlabeled:file r_file_perms;
 
 # Upgrade from before system_app_data_file was used for system UID apps.
 # Just need enough to relabel it and to unlink removed package files.
diff --git a/system_server.te b/system_server.te
index 4b8e38490b4b6cac657548b8111808cecb0f37d4..50c9d98b72bb34c781feac35b24490cce30d401f 100644
--- a/system_server.te
+++ b/system_server.te
@@ -227,6 +227,11 @@ allow system_server zoneinfo_data_file:file create_file_perms;
 # Walk /data/data subdirectories.
 # Types extracted from seapp_contexts type= fields.
 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+# Also permit for unlabeled /data/data subdirectories and
+# for unlabeled asec containers on upgrades from 4.2.
+allow system_server unlabeled:dir r_dir_perms;
+# Read pkg.apk file before it has been relabeled by vold.
+allow system_server unlabeled:file r_file_perms;
 
 # Populate com.android.providers.settings/databases/settings.db.
 allow system_server system_app_data_file:dir create_dir_perms;
diff --git a/vold.te b/vold.te
index 30cd9d2b533725151a61272a834aff9aebcfb8cd..0247bfea93e5dbfb3820d791d5d395167cd9b8db 100644
--- a/vold.te
+++ b/vold.te
@@ -71,10 +71,13 @@ allow vold ctl_fuse_prop:property_service set;
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;
 security_access_policy(vold)
-allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom };
+allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom relabelto };
 allow vold asec_public_file:dir { relabelto setattr };
-allow vold asec_apk_file:file { r_file_perms setattr relabelfrom };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
 allow vold asec_public_file:file { relabelto setattr };
+# restorecon files in asec containers created on 4.2 or earlier.
+allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
+allow vold unlabeled:file { r_file_perms setattr relabelfrom };
 
 # Handle wake locks (used for device encryption)
 wakelock_use(vold)