diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 372be7f6d..061620f6f 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -118,3 +118,8 @@ allow gmscore_app shell_data_file:dir r_dir_perms;
 allow gmscore_app ota_package_file:dir rw_dir_perms;
 allow gmscore_app ota_package_file:file create_file_perms;
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow gmscore_app shell_data_file:file r_file_perms;
+allow gmscore_app shell_data_file:dir r_dir_perms;
+
diff --git a/private/priv_app.te b/private/priv_app.te
index 8a0a94f64..3263877f1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -80,6 +80,11 @@ allow priv_app media_rw_data_file:file create_file_perms;
 # running "adb install foo.apk".
 allow priv_app shell_data_file:file r_file_perms;
 allow priv_app shell_data_file:dir r_dir_perms;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app shell_data_file:file r_file_perms;
+ auditallow priv_app shell_data_file:dir r_dir_perms;
+')
 # Allow traceur to pass file descriptors through a content provider to betterbug
 allow priv_app trace_data_file:file { getattr read };
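Review bot: The added `allow gmscore_app shell_data_file:dir r_dir_perms;` in gmscore_app.te looks redundant, because the hunk header shows the same rule as the nearest preceding policy line, so it appears to exist already just above line 118. A duplicate allow does not change the compiled policy, but it makes later tightening error-prone: removing one copy silently leaves the grant in place. I would drop the added dir rule and the trailing blank line at the end of the hunk, and keep the comment with `allow gmscore_app shell_data_file:file r_file_perms;` placed next to the existing dir rule. Whether a matching file rule is also already present is not visible from this hunk.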
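Review bot: The two `allow priv_app shell_data_file` rules in priv_app.te stay in force on every build, and the new comment does not say when they are to be removed. The `auditallow` pair only logs accesses that are granted, and because it sits inside `userdebug_or_eng` it produces no signal on user builds, so the follow-up should be written down next to the block, for example `# TODO(b/142672293): remove the allow rules above once auditallow reports no hits.`. The existing comment line is also much longer than the surrounding comments and should be wrapped. The rest of priv_app.te lies outside the hunk, so I cannot tell whether other rules depend on this access.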