diff --git a/prebuilts/api/30.0/public/uncrypt.te b/prebuilts/api/30.0/public/uncrypt.te
index 28dc3f209..4114b2add 100644
--- a/prebuilts/api/30.0/public/uncrypt.te
+++ b/prebuilts/api/30.0/public/uncrypt.te
@@ -15,9 +15,9 @@ allow uncrypt cache_file:dir search;
 allow uncrypt cache_recovery_file:dir rw_dir_perms;
 allow uncrypt cache_recovery_file:file create_file_perms;
 
-# Read OTA zip file at /data/ota_package/.
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
 allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
 
 # Write to /dev/socket/uncrypt
 unix_socket_connect(uncrypt, uncrypt, uncrypt)
@@ -40,3 +40,7 @@ allow uncrypt proc_cmdline:file r_file_perms;
 
 # Read files in /sys
 r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Suppress the denials coming from ReadDefaultFstab call.
+dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt metadata_file:dir search;
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 75765f33e..46bcfaac2 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -15,9 +15,9 @@ allow uncrypt cache_file:dir search;
 allow uncrypt cache_recovery_file:dir rw_dir_perms;
 allow uncrypt cache_recovery_file:file create_file_perms;
 
-# Read OTA zip file at /data/ota_package/.
+# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
 allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file r_file_perms;
+allow uncrypt ota_package_file:file rw_file_perms;
 
 # Write to /dev/socket/uncrypt
 unix_socket_connect(uncrypt, uncrypt, uncrypt)
@@ -37,3 +37,7 @@ allow uncrypt proc_cmdline:file r_file_perms;
 
 # Read files in /sys
 r_dir_file(uncrypt, sysfs_dt_firmware_android)
+
+# Suppress the denials coming from ReadDefaultFstab call.
+dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt metadata_file:dir search;