diff --git a/public/init.te b/public/init.te
index 215246ba9497b5238171ab335aea80713e134d16..02a0dfe7c70b07c98127e17d9712bbf8eab3f522 100644
--- a/public/init.te
+++ b/public/init.te
@@ -20,7 +20,7 @@ userdebug_or_eng(`
 # /dev/__properties__
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
-allow init property_type:file { create_file_perms relabelto };
+allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
 # /dev/__properties__/property_info
 allow init properties_device:file create_file_perms;
 allow init property_info:file relabelto;
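Review bot: The expanded permission list on init's `property_type:file` rule has no comment saying why the macro was dropped, so a later cleanup could fold it back into `create_file_perms` without knowing the reason. Judging by the neverallow added to property.te in this commit, the list appears to be `create_file_perms` with `ioctl` and `lock` removed; I would add `# create_file_perms minus ioctl and lock, see the neverallow in property.te` above the rule. The same applies to `get_prop` in public/te_macros, where `{ getattr open read map }` replaces `r_file_perms`; a line such as `# r_file_perms minus ioctl and lock` in the macro's comment would do. The neverallow would catch a regression at build time, but the comment saves the round trip.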
diff --git a/public/property.te b/public/property.te
index eb1fef85fe4012569ad57742b80c145206050796..0457300e072f6ac02985955af7303536279b83ab 100644
--- a/public/property.te
+++ b/public/property.te
@@ -101,6 +101,12 @@ allow property_type tmpfs:filesystem associate;
 ### Neverallow rules
 ###
 
+# There is no need to perform ioctl or advisory locking operations on
+# property files. If this neverallow is being triggered, it is
+# likely that the policy is using r_file_perms directly instead of
+# the get_prop() macro.
+neverallow domain property_type:file { ioctl lock };
+
 # core_property_type should not be used for new properties or
 # device specific properties. Properties with this attribute
 # are readable to everyone, which is overly broad and should
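Review bot: The comment above the new neverallow names only `r_file_perms` as the likely cause, but the init.te hunk in this commit shows that `create_file_perms` tripped it too. Any other macro that expands to `ioctl` or `lock` would presumably do the same. I would widen the last sentence to something like `# likely that the policy is using r_file_perms or another *_file_perms macro directly instead of get_prop().` The rule is written against `domain` in public policy, so it presumably reaches policy outside this tree as well, and a precise hint shortens the fix when a build fails on it.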
diff --git a/public/te_macros b/public/te_macros
index def7b4679fcca774513dde58647f5cf930bacc72..e756f36680e26aa8f6a77cbc947e6af43a7ea235 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -323,7 +323,7 @@ get_prop($1, $2)
 # targetproperty.
 #
 define(`get_prop', `
-allow $1 $2:file r_file_perms;
+allow $1 $2:file { getattr open read map };
 ')
 
 #####################################