diff --git a/app.te b/app.te
index 78da5b725..bc4246586 100644
--- a/app.te
+++ b/app.te
@@ -29,6 +29,16 @@ allow appdomain zygote:process sigchld;
 allow appdomain cgroup:dir { search write };
 allow appdomain cgroup:file w_file_perms;
 
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard symlink
+allow appdomain rootfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow appdomain tmpfs:dir r_dir_perms;
+
 userdebug_or_eng(`
   # Notify zygote of the wrapped process PID when using --invoke-with.
   allow appdomain zygote:fifo_file write;
diff --git a/shell.te b/shell.te
index 2a3faecb2..a02fbd00f 100644
--- a/shell.te
+++ b/shell.te
@@ -25,6 +25,9 @@ userdebug_or_eng(`
 allow shell adbd:fd use;
 allow shell adbd:unix_stream_socket { read write ioctl getattr };
 
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
 # read files in /data/anr
 allow shell anr_data_file:dir r_dir_perms;
 allow shell anr_data_file:file r_file_perms;