diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index a0933b4a6..0bd8e07ff 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -407,6 +407,7 @@
 /system/bin/traced                                                traced_exec
 /system/bin/traced_perf                                           traced_perf_exec
 /system/bin/traced_probes                                         traced_probes_exec
+/system/bin/traced_relay                                          traced_exec
 /system/bin/heapprofd                                             heapprofd_exec
 /system/bin/uncrypt                                               uncrypt_exec
 /system/bin/update_verifier                                       update_verifier_exec
diff --git a/private/file_contexts b/private/file_contexts
index ffc06f246..f0832f3b0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -339,6 +339,7 @@
 /system/bin/traced        u:object_r:traced_exec:s0
 /system/bin/traced_perf        u:object_r:traced_perf_exec:s0
 /system/bin/traced_probes        u:object_r:traced_probes_exec:s0
+/system/bin/traced_relay        u:object_r:traced_exec:s0
 /system/bin/trace_redactor        u:object_r:trace_redactor_exec:s0
 /system/bin/heapprofd        u:object_r:heapprofd_exec:s0
 /system/bin/uncrypt     u:object_r:uncrypt_exec:s0
diff --git a/private/statsd.te b/private/statsd.te
index 5820d230e..b932bc61d 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -19,8 +19,11 @@ allow statsd incidentd:fifo_file write;
 # Allow StatsCompanionService to pipe data to statsd.
 allow statsd system_server:fifo_file { read write getattr };
 
-# Allow Statsd to pipe data to privileged apps.
-allow statsd priv_app:fifo_file { read write getattr };
+# Allow any app to pipe data to statsd.
+# Access control to all statsd APIs inherit from system_api_service, so
+# appdomain permissions are granted to avoid listing each individual
+# service that can access system_api_service.
+allow statsd appdomain:fifo_file { read write getattr };
 
 # Allow statsd to retrieve SF statistics over binder
 binder_call(statsd, surfaceflinger);
diff --git a/private/vmnic.te b/private/vmnic.te
index da1aebbbd..1b7e0d8b6 100644
--- a/private/vmnic.te
+++ b/private/vmnic.te
@@ -13,13 +13,13 @@ is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
     # Let the vmnic domain use Binder.
     binder_use(vmnic)
 
-    # Allow for creating TAP network interfaces.
+    # Allow for creating and deleting TAP network interfaces.
     allow vmnic self:global_capability_class_set net_admin;
     allow vmnic self:tun_socket create_socket_perms_no_ioctl;
     allow vmnic tun_device:chr_file rw_file_perms;
-    allowxperm vmnic tun_device:chr_file ioctl { TUNSETIFF TUNSETPERSIST };
+    allowxperm vmnic tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETPERSIST };
     allow vmnic self:udp_socket create_socket_perms;
-    allowxperm vmnic self:udp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
+    allowxperm vmnic self:udp_socket ioctl SIOCSIFFLAGS;
 
     # Only virtualizationservice can communicate to vmnic
     neverallow { domain -virtualizationservice -servicemanager } vmnic:binder call;