diff --git a/public/dumpstate.te b/public/dumpstate.te
index 42d929049a87a727a3aa55833821f4ecfdb1733e..a814f16ba5af03af913e4b85df24a02bac078f1a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -151,6 +151,7 @@ control_logd(dumpstate)
 read_runtime_log_tags(dumpstate)
 
 # Read files in /proc
+allow dumpstate proc_cmdline:file r_file_perms;
 allow dumpstate proc_meminfo:file r_file_perms;
 allow dumpstate proc_net:file r_file_perms;
 allow dumpstate proc_pagetypeinfo:file r_file_perms;
@@ -198,6 +199,16 @@ allow dumpstate {
   -vold_service
   -vr_hwc_service
 }:service_manager find;
+# suppress denials for services dumpstate should not be accessing.
+dontaudit dumpstate {
+  dumpstate_service
+  gatekeeper_service
+  incident_service
+  virtual_touchpad_service
+  vold_service
+  vr_hwc_service
+}:service_manager find;
+
 allow dumpstate servicemanager:service_manager list;
 allow dumpstate hwservicemanager:hwservice_manager list;
 
diff --git a/public/shell.te b/public/shell.te
index fb650bf92831be9c109b844abda8cf737cfe2a71..44d81213049ff83c79c158aaaab042be9d8f4c0c 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -106,12 +106,13 @@ allow shell dumpstate:binder call;
 hwbinder_use(shell)
 allow shell hwservicemanager:hwservice_manager list;
 
-# allow shell to look through /proc/ for ps, top, netstat
+# allow shell to look through /proc/ for lsmod, ps, top, netstat.
 r_dir_file(shell, proc)
 r_dir_file(shell, proc_net)
 allow shell proc_filesystems:file r_file_perms;
 allow shell proc_interrupts:file r_file_perms;
 allow shell proc_meminfo:file r_file_perms;
+allow shell proc_modules:file r_file_perms;
 allow shell proc_stat:file r_file_perms;
 allow shell proc_timer:file r_file_perms;
 allow shell proc_zoneinfo:file r_file_perms;