diff --git a/private/artd.te b/private/artd.te
index ef54d8c4d..5fcd43ae5 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -39,9 +39,11 @@ allow artd apk_data_file:file r_file_perms;
 # Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
 r_dir_file(artd, vendor_app_file)
-# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem,/apex/*}/overlay/...).
 allow artd oemfs:dir { getattr search };
 r_dir_file(artd, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow artd vendor_apex_metadata_file:dir { getattr search };
 # Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
 r_dir_file(artd, vendor_framework_file)
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 23f7444f7..379e32c56 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -12,6 +12,8 @@ allow dex2oat vendor_framework_file:dir { getattr search };
 allow dex2oat vendor_framework_file:file { getattr open read map };
 # Access /vendor/overlay
 r_dir_file(dex2oat, vendor_overlay_file);
+# Vendor overlay can be found in vendor apex
+allow dex2oat vendor_apex_metadata_file:dir { getattr search };
 allow dex2oat tmpfs:file { read getattr map };
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 2fdc94123..cdf403c2e 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -47,6 +47,8 @@ r_dir_file(postinstall_dexopt, apk_data_file)
 r_dir_file(postinstall_dexopt, vendor_app_file)
 # Read vendor overlay files (APKs) as input to dex2oat.
 r_dir_file(postinstall_dexopt, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow postinstall_dexopt vendor_apex_metadata_file:dir { getattr search };
 # Access to app oat directory.
 r_dir_file(postinstall_dexopt, dalvikcache_data_file)
diff --git a/private/rs.te b/private/rs.te
index a9b2edd5d..906373b9f 100644
--- a/private/rs.te
+++ b/private/rs.te
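Review bot: In private/artd.te the widened comment `({/vendor,/odm,/oem,/apex/*}/overlay/...)` promises more than the added rule grants: `/apex/*` reads as any APEX, while the new allow covers only directories labeled `vendor_apex_metadata_file`, and only `getattr search` on them. The one-line comment `# Vendor overlay can be found in vendor apex`, repeated in the dex2oat.te, postinstall_dexopt.te, rs.te and installd.te hunks, also does not say that the grant is traversal only. I would word it as `# Overlay APKs may ship inside a vendor APEX: allow traversing its directories; file reads still come from the vendor_overlay_file rule above.` That the APEX directories carry this label is inferred from the rule itself, so confirm it against the file_contexts entries before adopting the wording.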
@@ -19,6 +19,8 @@ allow rs { app_data_file privapp_data_file }:dir remove_name;
 allow rs vendor_file:dir r_dir_perms;
 r_dir_file(rs, vendor_overlay_file)
 r_dir_file(rs, vendor_app_file)
+# Vendor overlay can be found in vendor apex
+allow rs vendor_apex_metadata_file:dir { getattr search };
 # Read contents of app apks
 r_dir_file(rs, apk_data_file)
diff --git a/public/installd.te b/public/installd.te
index 216704d3c..88f6aabd1 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -33,6 +33,8 @@ r_dir_file(installd, vendor_app_file)
 r_dir_file(installd, vendor_framework_file)
 # Scan through Runtime Resource Overlay APKs in /vendor/overlay
 r_dir_file(installd, vendor_overlay_file)
+# Vendor overlay can be found in vendor apex
+allow installd vendor_apex_metadata_file:dir { getattr search };
 # Get file context
 allow installd file_contexts_file:file r_file_perms;
 # Get seapp_context
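Review bot: The private/rs.te hunk adds the same traversal grant as the other four files, but nothing visible here shows that rs actually walks into a vendor APEX to find overlays. The hunk's context shows rs operating on app data directories (`allow rs { app_data_file privapp_data_file }:dir remove_name;`), so each extra reachable path in this domain deserves its own justification. Ask for the avc denial that motivated the rule for rs, and drop `allow rs vendor_apex_metadata_file:dir { getattr search };` if none was observed. A rule added only for symmetry with `r_dir_file(rs, vendor_overlay_file)` widens the domain for no benefit.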
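Review bot: public/installd.te is the only file in this change under public/, so `allow installd vendor_apex_metadata_file:dir { getattr search };` presumably joins the policy surface exported to vendor policy builds, while the other four rules stay in private/. It also compiles only if `vendor_apex_metadata_file` is itself declared in public policy, which the diff does not show. If the tree has a private counterpart for installd, placing the rule there keeps the exported surface unchanged. Otherwise, a short comment explaining why it sits next to the public `vendor_overlay_file` rule would help the next reader.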