diff --git a/private/crash_dump.te b/private/crash_dump.te
index fb73f08a994a8912746b87a257e323ae762c5931..56693fdaa81a99f2462b6f6fa28f636768afc789 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -1 +1,12 @@
 typeattribute crash_dump coredomain;
+
+allow crash_dump {
+ domain
+ -crash_dump
+ -init
+ -kernel
+ -keystore
+ -logd
+ -ueventd
+ -vold
+}:process { ptrace signal sigchld sigstop sigkill };
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 872892b7beebd5ca0779b719f1204f4d688c6647..d5d88ef5f4854b1338f2e00f9ca410b4f63c6706 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -31,6 +31,7 @@ allow ephemeral_app mediaextractor_service:service_manager find;
 allow ephemeral_app mediacodec_service:service_manager find;
 allow ephemeral_app mediametrics_service:service_manager find;
 allow ephemeral_app mediadrmserver_service:service_manager find;
+allow ephemeral_app drmserver_service:service_manager find;
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index c101b34d6b12a6516a11be95890368605976e8bc..e81bbd11759679726dc7eacba64d940e5804d23c 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -1,14 +1,6 @@
 type crash_dump, domain;
 type crash_dump_exec, exec_type, file_type;
 
-allow crash_dump {
- domain
- -init
- -crash_dump
- -keystore
- -logd
-}:process { ptrace signal sigchld sigstop sigkill };
-
 # crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
 # which will result in an audit log even when it's allowed to trace.
 dontaudit crash_dump self:capability { sys_ptrace };
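Review bot: In private/crash_dump.te the sensitive domains (init, kernel, keystore, logd, ueventd, vold) are kept out of crash_dump's reach only by subtraction inside the new `allow crash_dump { domain ... }:process` rule, so a later allow rule elsewhere in the policy could grant ptrace on them again without anyone noticing. Pairing the rule with an assertion such as `neverallow crash_dump { init kernel keystore logd ueventd vold }:process ptrace;` would turn that regression into a build failure, provided no other existing rule already grants it. The commit also adds kernel, ueventd and vold to the exclusions without stating a reason; a short comment above the set saying why these domains must not be traced would help the next person who edits the list.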
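Review bot: The added `allow ephemeral_app drmserver_service:service_manager find;` in private/ephemeral_app.te carries no comment saying why instant apps need to look up the DRM server, and the surrounding rule list starts and ends outside this hunk, so no rationale is visible here. Each service that ephemeral_app can find is additional binder surface reachable from low-trust app code, so the grant deserves a recorded justification. I would add a line above it such as `# drmserver: required for <use case / bug id>` and confirm the same access is intended for the other untrusted app domains. If drmserver does its own caller checks, say so in the comment.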