diff --git a/private/coredomain.te b/private/coredomain.te
index 55f715dd0..96ce488c8 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -93,6 +93,8 @@ full_treble_only(`
 coredomain
 -appdomain
 -artd
+ -dex2oat
+ -dexoptanalyzer
 -idmap
 -init
 -installd
@@ -112,6 +114,8 @@ full_treble_only(`
 coredomain
 -appdomain
 -artd
+ -dex2oat
+ -dexoptanalyzer
 -idmap
 -init
 -installd
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 2ce24594e..ea9ab9c9b 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -10,6 +10,8 @@ r_dir_file(dex2oat, vendor_app_file)
 # Access /vendor/framework
 allow dex2oat vendor_framework_file:dir { getattr search };
 allow dex2oat vendor_framework_file:file { getattr open read map };
+# Access /vendor/overlay
+r_dir_file(dex2oat, vendor_overlay_file);
 allow dex2oat tmpfs:file { read getattr map };
@@ -59,6 +61,9 @@ allow dex2oat apex_info_file:file r_file_perms;
 # Allow dex2oat to use file descriptors passed from privileged programs.
 allow dex2oat { artd installd odrefresh odsign }:fd use;
+# Allow dex2oat to read the /proc filesystem for CPU features, etc.
+allow dex2oat proc_filesystems:file r_file_perms;
+
 ##################
 # A/B OTA Dexopt #
 ##################
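Review bot: `-dexoptanalyzer` is exempted in this set, and again in the identical hunk at new line 114, but no allow rule for dexoptanalyzer appears anywhere in this patch, so the exception may be wider than the access actually granted. The statement these sets belong to starts and ends outside both hunks, so the exempted target type and permissions cannot be confirmed from here. If the matching grant is not already in the tree, drop `-dexoptanalyzer` from both sets. Either way, each set would benefit from a one-line comment naming the rule that needs the exemption, along the lines of `# dex2oat/dexoptanalyzer: see the vendor file access in their .te files`, so a later audit of the system/vendor split can pair each exception with its allow rule.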
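Review bot: `r_dir_file(dex2oat, vendor_overlay_file);` grants more than the vendor_framework_file rules directly above it, which stop at `{ getattr search }` on directories and `{ getattr open read map }` on files; the macro also allows directory listing and lnk_file access. If dex2oat only opens overlay packages by a path it is handed, the narrow form is enough: `allow dex2oat vendor_overlay_file:dir { getattr search };` and `allow dex2oat vendor_overlay_file:file { getattr open read map };`. If listing or symlink traversal is really needed, keep the macro and say so in the `# Access /vendor/overlay` comment. The trailing `;` is also inconsistent with the `r_dir_file(dex2oat, vendor_app_file)` call shown in the hunk header, which has none.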
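Review bot: The comment on the new proc rule says "the /proc filesystem for CPU features, etc.", but the rule grants access to a single type, proc_filesystems, which by its name labels the kernel's list of supported filesystems rather than CPU information. A comment that does not match the grant makes this domain harder to audit, and may hide that the denial being fixed was on a different file than the author assumed. Name the file and the consumer instead, for example `# Allow dex2oat to read /proc/filesystems (needed by <component>).`. If only a plain read takes place, `{ getattr open read }` is sufficient in place of `r_file_perms`.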