diff --git a/file_contexts b/file_contexts
index a26a4a0bee35610c48ae3b07e773558c2467cfec..70243dd21799e34f8a949819d96e3dc12075a25b 100644
--- a/file_contexts
+++ b/file_contexts
@@ -314,4 +314,7 @@
 # external storage
 /mnt/media_rw(/.*)?         u:object_r:mnt_media_rw_file:s0
 /mnt/user(/.*)?             u:object_r:mnt_user_file:s0
+/mnt/runtime_default(/.*)?  u:object_r:storage_file:s0
+/mnt/runtime_read(/.*)?     u:object_r:storage_file:s0
+/mnt/runtime_write(/.*)?    u:object_r:storage_file:s0
 /storage(/.*)?              u:object_r:storage_file:s0
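Review bot: The three new `/mnt/runtime_*` entries all receive the same `storage_file` label as `/storage`, so policy cannot distinguish the read, write and default views by type; if that collapse is intentional, the hunk should say so, because a reader of this file cannot tell whether `runtime_read` was meant to be more restricted than `runtime_write`. A one-line comment above the new entries, e.g. `# per-app runtime permission views of storage; all share storage_file, the view is enforced by the mount itself`, would record the assumption (hedged here, since the enforcement mechanism is not visible in this diff). The trailing `(/.*)?` and alignment match the surrounding entries, so no layout concern.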
diff --git a/vold.te b/vold.te
index 35134106d8282becc6bca22a8b68321324f237ef..b22436f3f30b6e11986fcf09f0e785c1c5ea2560 100644
--- a/vold.te
+++ b/vold.te
@@ -159,6 +159,10 @@ allow vold vold:key { write search setattr };
 # vold temporarily changes its priority when running benchmarks
 allow vold self:capability sys_nice;
 
+# vold needs to chroot into app namespaces to remount when runtime permissions change
+allow vold self:capability sys_chroot;
+allow vold storage_file:dir mounton;
+
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
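Review bot: `allow vold self:capability sys_chroot;` grants a broad capability, and the accompanying comment describes only one use (entering app namespaces to remount), so the comment should state that this is the sole intended use and that the grant is not meant as a general chroot permission, e.g. `# vold needs CAP_SYS_CHROOT solely to enter app mount namespaces and remount storage when runtime permissions change; no other chroot use is intended`. The paired `allow vold storage_file:dir mounton;` covers only the `storage_file` type, which matches the `/mnt/runtime_*` labels added in file_contexts in this same change; if the remount also touches directories with other labels, those would still be denied, which is worth confirming against the vold code path. Consider also whether the file's existing neverallow block below is the right place to constrain which domains may hold `sys_chroot`, if this policy uses that convention for other capabilities.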
diff --git a/zygote.te b/zygote.te
index 2b869c0e4b9345fc913b2d19d0948d3ffc004a3e..b75eacaf6bda1e61d243fcbc142e758a817e4d84 100644
--- a/zygote.te
+++ b/zygote.te
@@ -55,7 +55,7 @@ allow zygote rootfs:dir mounton;
 allow zygote sdcard_type:dir { write search setattr create add_name mounton }; # TODO: deprecated in M
 dontaudit zygote self:capability fsetid; # TODO: deprecated in M
 allow zygote tmpfs:dir { write create add_name setattr mounton search }; # TODO: deprecated in M
-allow zygote tmpfs:filesystem mount; # TODO: deprecated in M
+allow zygote tmpfs:filesystem { mount unmount };
 allow zygote labeledfs:filesystem remount; # TODO: deprecated in M
 
 # Allowed to create user-specific storage source if started before vold
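Review bot: The rewritten line `allow zygote tmpfs:filesystem { mount unmount };` drops the `# TODO: deprecated in M` marker that the adjacent `sdcard_type`, `tmpfs:dir` and `labeledfs` rules still carry, so a reader can no longer tell whether this rule is now meant to survive the M cleanup or the marker was lost by accident. If the rule is staying, a comment should say why `unmount` was added, e.g. `allow zygote tmpfs:filesystem { mount unmount }; # unmount needed when zygote tears down its storage mounts (see vold runtime permission change)`; if it is still slated for removal, restore the TODO on the new line. The new `unmount` permission widens what zygote may do to any tmpfs filesystem, not just the one it mounts, which is inherent to the `filesystem` class and worth a note for whoever does the M cleanup.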