diff --git a/private/domain.te b/private/domain.te
index 0de9d130c..ace3fe5a6 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -815,5 +815,5 @@ neverallow { domain -init } kcmdlinectrl:process { dyntransition transition };
 neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
 # Do not allow write access to aconfig flag value files except init and aconfigd
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;
 neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 0a2a5e52f..dc87c7819 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -346,7 +346,8 @@ get_prop(domain, device_config_media_native_prop)
 # The boot copy of the flag value files serves flag read traffic for all processes, thus
 # needs to be readable by everybody. Also, the metadata directory will contain pb file
 # that records where flag storage files are, so also needs to be readable by everbody.
-allow domain { aconfig_storage_metadata_file }:file r_file_perms;
+allow domain aconfig_storage_metadata_file:file r_file_perms;
+allow domain aconfig_storage_metadata_file:dir r_dir_perms;
 ###
 ### neverallow rules
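Review bot: In private/domain.te, narrowing the directory neverallow from `*` to `no_w_dir_perms` gives up more than the read permissions this change needs to free. If `no_w_dir_perms` expands as in the usual global_macros (add_name, create, link, relabelfrom, remove_name, rename, reparent, rmdir, setattr, write), then `relabelto` and `mounton` on aconfig_storage_metadata_file directories are no longer rejected at build time for domains outside init, aconfigd and system_server. Provided no existing allow rule depends on them, keep them in the assertion: `neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir { no_w_dir_perms mounton relabelto };`. The comment above the rule also names only init and aconfigd, although system_server is exempted as well.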
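Review bot: In public/domain.te, the added `allow domain aconfig_storage_metadata_file:dir r_dir_perms;` lets every domain list the metadata directory, while the comment above it only argues that the files must be readable by everybody. If readers open the storage files by a fixed, known path (this cannot be confirmed from the hunk), `allow domain aconfig_storage_metadata_file:dir search;` would be sufficient and would keep the directory contents from being enumerated by all processes. Either way, the comment should state why directory access is granted to all domains, for example `# Directory access is needed so that every process can reach the boot copy and the pb file.`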