diff --git a/public/system_server.te b/public/system_server.te
index c562b6529..f700a77be 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -200,7 +200,7 @@ allow system_server sysfs_thermal:dir search;
 allow system_server sysfs_thermal:file r_file_perms;
 # TODO: Remove when HALs are forced into separate processes
-allow system_server sysfs_vibrator:file write;
+allow system_server sysfs_vibrator:file { write append };
 # TODO: added to match above sysfs rule. Remove me?
 allow system_server sysfs_usb:file w_file_perms;
@@ -308,10 +308,10 @@ allow system_server system_app_data_file:file create_file_perms;
 # Receive and use open app data files passed over binder IPC.
 # Types extracted from seapp_contexts type= fields.
-allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
 # Receive and use open /data/media files passed over binder IPC.
-allow system_server media_rw_data_file:file { getattr read write };
+allow system_server media_rw_data_file:file { getattr read write append };
 # Relabel apk files.
 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
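Review bot: The widened rule on `sysfs_vibrator:file` gives no reason for `append`, and the same holds for the two rules changed in the second hunk. SELinux checks `append` in place of `write` when a file was opened with O_APPEND, which is presumably why it is needed here, so a one-line comment would keep a later cleanup from dropping it: `# append: checked instead of write for files opened with O_APPEND`. The rule still sits under the `TODO: Remove when HALs are forced into separate processes` comment, so the added permission should be removed together with it.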
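Review bot: Both received-descriptor rules keep an explicit list, `{ getattr read write append }`, that leaves out `open`, but no comment says the omission is deliberate. Judging by the existing comments, these rules are meant for descriptors handed over binder, so I would add `# No open: system_server may only use descriptors it is handed, not open these files by path.` above the first rule. That guards against someone later swapping the list for `rw_file_perms`, which includes `open`. The `append` addition itself is narrower than the `write` already granted, so it does not widen what system_server can do to these files.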