diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index e6e827bd4..6e3b671a2 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -79,6 +79,7 @@ auditallow {
 -debuggerd
 -dex2oat
 -dumpstate
+ -init
 -installd
 -system_server
 -zygote
@@ -115,8 +116,38 @@ auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -pr
 auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
 auditallow domain_deprecated inotify:dir r_dir_perms;
 auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dumpstate
+ -fingerprintd
+ -healthd
+ -init
+ -inputflinger
+ -installd
+ -keystore
+ -netd
+ -rild
+ -surfaceflinger
+ -system_server
+ -zygote
+} cgroup:dir r_dir_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dumpstate
+ -fingerprintd
+ -healthd
+ -init
+ -inputflinger
+ -installd
+ -keystore
+ -netd
+ -rild
+ -surfaceflinger
+ -system_server
+ -zygote
+} cgroup:{ file lnk_file } r_file_perms;
 auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
 auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow {
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 20f8bda9b..57e870367 100644
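Review bot: Adding `-init` to this exclusion list silences auditallow logging of init's use of the deprecated rule, yet the object class and permissions being excluded sit outside the hunk (the header shows only `auditallow {`) and no matching explicit grant for init appears in the files of this diff. Exclusions from the domain_deprecated audit rules are how the attribute is retired, so each one should be backed by an explicit allow in the domain's own policy; please confirm init.te already carries the equivalent rule, or add it in the same change. A short reason next to the entry, e.g. `-init # granted in init.te`, would make the intent reviewable without cross-referencing, assuming the parser accepts a trailing comment inside the brace list as it does after the sysfs rule in the next hunk. The auditallow statement this line belongs to begins and ends outside the hunk.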
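Review bot: The two new cgroup rules carry a copy-pasted fourteen-entry exclusion list, and nothing ties them together, so a future edit to one list but not the other would leave dir access audited for a domain while file access is not (or vice versa) with no parser complaint. A comment above the first block would make the invariant explicit: `# Keep the exclusion lists of both cgroup rules identical; every excluded domain must carry its own explicit cgroup grant (r_dir_file or equivalent).` The `-dumpstate` entry added here does have its counterpart in this diff, `r_dir_file(dumpstate, cgroup)` in dumpstate.te, which as far as that macro expands to dir r_dir_perms and file/lnk_file r_file_perms covers exactly the classes and permissions these two audit rules exclude.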
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -95,6 +95,9 @@ allow dumpstate { storage_file block_device }:dir { search getattr };
 allow dumpstate fuse_device:chr_file getattr;
 allow dumpstate { dm_device cache_block_device }:blk_file getattr;
 
+# Read /dev/cpuctl and /dev/cpuset
+r_dir_file(dumpstate, cgroup)
+
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)
 binder_call(dumpstate, { appdomain ephemeral_app netd wificond })
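Review bot: The comment `# Read /dev/cpuctl and /dev/cpuset` names two paths, but the grant is on the `cgroup` type as a whole, so every mount point labeled cgroup in file_contexts becomes readable by dumpstate (I believe /acct carries that label too; confirm against file_contexts). Either the comment should describe the type rather than the paths, e.g. `# Read cgroup-labeled filesystems (e.g. /dev/cpuctl, /dev/cpuset) for the bug report`, or, if only those two mounts are meant, the rule should say so and the label should be checked. Using the read-only `r_dir_file` macro rather than a wider grant is the right least-privilege choice here, and the `-dumpstate` exclusion added to the cgroup auditallow rules in domain_deprecated.te in the same diff is consistent with it.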