diff --git a/private/genfs_contexts b/private/genfs_contexts
index d1e1b91f2cfb93466291dfc97a76c8173a0faa2a..e84b49433d05cf94be8d03c296b388e6474fb93c 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -6,6 +6,7 @@ genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
 genfscon proc /iomem u:object_r:proc_iomem:s0
 genfscon proc /meminfo u:object_r:proc_meminfo:s0
+genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index cba0161c2c6800feab3dfe8b04c2dff45c4ad342..cd3f32beed483ed2b80f3bac3328eb891e1347eb 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -31,3 +31,7 @@ create_pty(untrusted_app_25)
 # b/34115651 - net.dns* properties read
 # This will go away in a future Android release
 get_prop(untrusted_app_25, net_dns_prop)
+
+# b/35917228 - /proc/misc access
+# This will go away in a future Android release
+allow untrusted_app_25 proc_misc:file r_file_perms;
diff --git a/public/file.te b/public/file.te
index 5cbc75a571ca7447b006adbe6660a03b38044949..6aecab48f42d8c7f093ae4c2b556379bb5de55a9 100644
--- a/public/file.te
+++ b/public/file.te
@@ -16,6 +16,7 @@ type proc_cpuinfo, fs_type;
 type proc_interrupts, fs_type;
 type proc_iomem, fs_type;
 type proc_meminfo, fs_type;
+type proc_misc, fs_type;
 type proc_net, fs_type;
 type proc_stat, fs_type;
 type proc_sysrq, fs_type;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 9409947ab9e40a6bf030326b9321f021806d5ff8..29d730ce4623d0f6bcbf53ff96905685d50f167b 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -33,7 +33,10 @@ allow update_engine_common shell_exec:file rx_file_perms;
 allow update_engine_common postinstall:process { signal sigstop };
 
 # access /proc/misc
-allow update_engine proc:file r_file_perms;
+# Access is also granted to proc:file, but it is likely unneeded
+# due to the more specific grant to proc_misc immediately below.
+allow update_engine proc:file r_file_perms; # delete candidate
+allow update_engine proc_misc:file r_file_perms;
 
 # read directories on /system and /vendor
 allow update_engine system_file:dir r_dir_perms;