diff --git a/app.te b/app.te
index d90185c39..aaf811a68 100644
--- a/app.te
+++ b/app.te
@@ -76,8 +76,8 @@ allow appdomain isolated_app:unix_stream_socket { read write };
 
 # Backup ability for every app. BMS opens and passes the fd
 # to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write };
-allow appdomain cache_backup_file:file { read write };
+allow appdomain backup_data_file:file { read write getattr };
+allow appdomain cache_backup_file:file { read write getattr };
 
 # Backup ability using 'adb backup'
 allow appdomain system_data_file:lnk_file getattr;
diff --git a/domain.te b/domain.te
index 291c56246..f4fd6ae4f 100644
--- a/domain.te
+++ b/domain.te
@@ -81,7 +81,7 @@ allow domain system_data_file:file { getattr read };
 allow domain system_data_file:lnk_file read;
 
 # Read apk files under /data/app.
-allow domain apk_data_file:dir search;
+allow domain apk_data_file:dir { getattr search };
 allow domain apk_data_file:file r_file_perms;
 
 # Read /data/dalvik-cache.
diff --git a/zygote.te b/zygote.te
index 9a5bc4b67..0fb384214 100644
--- a/zygote.te
+++ b/zygote.te
@@ -12,7 +12,7 @@ allow zygote self:capability setpcap;
 allow zygote system:process dyntransition;
 allow zygote appdomain:process dyntransition;
 # Allow zygote to read app data dirs (b/10455872)
-allow zygote appdomain:dir search;
+allow zygote appdomain:dir { getattr search };
 allow zygote appdomain:file { r_file_perms };
 # Move children into the peer process group.
 allow zygote system:process { getpgid setpgid };
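Review bot: The comment above the two backup rules in app.te still explains only why `open` is withheld and says nothing about the newly added `getattr`, so a later reader cannot tell whether the wider permission set is deliberate. If the denial came from the app calling fstat() on the descriptor that BMS passes in (not visible in this hunk), record that next to the rules, e.g. `# getattr lets the app fstat() the fd it is handed; open is still withheld.` The rationale matters here because the grant applies to every type in `appdomain`.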
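Review bot: The source of the changed rule in domain.te is `domain`, so the added `getattr` on `apk_data_file:dir` is granted to every process type in the policy, not only to the caller that hit the denial. Directory getattr exposes metadata only, so the exposure is small, but nothing in the hunk records which domain needed it; if it was a single domain, a rule in that domain's own .te file would be narrower. If the policy-wide grant is intended, extend the comment to say so, e.g. `# Read apk files under /data/app; getattr so callers can stat the directory.`, once that matches the logged denial.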
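Review bot: The comment over the changed rule in zygote.te says "app data dirs", but the target `appdomain` is used as a process label one line above it (`appdomain:process dyntransition`). `appdomain:dir` therefore presumably matches the apps' /proc/<pid> directories rather than their data directories. Now that the rule also carries `getattr`, the comment should describe what zygote can actually reach, e.g. `# Allow zygote to stat and search /proc/<pid> of app processes (b/10455872)`, after confirming the labelling. The `appdomain:file` rule that follows sits under the same comment and would need the same correction.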