diff --git a/app.te b/app.te
index fb1c8ed73ceb3ad43cf8e03ed6ea1d18e87f25de..eb9179369a6b741453f7d48c50ad128b5ded08e7 100644
--- a/app.te
+++ b/app.te
@@ -152,6 +152,30 @@ allow appdomain self:rawip_socket create_socket_perms;
 allow appdomain usb_device:chr_file { read write getattr ioctl };
 allow appdomain usbaccessory_device:chr_file { read write getattr };
 
+###
+### CTS-specific rules
+###
+
+# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
+# Reads /proc/pid/status and statm entries to check that
+# no unexpected root processes are running.
+# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
+# Reads /proc/pid/cmdline of vold.
+allow appdomain domain:dir { open read search getattr };
+allow appdomain domain:{ file lnk_file } { open read getattr };
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
+# Check SELinux policy and contexts.
+selinux_check_access(appdomain)
+selinux_check_context(appdomain)
+# Validate that each process is running in the correct security context.
+allow appdomain domain:process getattr;
+
 ###
 ### Neverallow rules
 ###
@@ -204,7 +228,6 @@ neverallow { appdomain -unconfineddomain }
         netlink_tcpdiag_socket
         netlink_nflog_socket
         netlink_xfrm_socket
-        netlink_selinux_socket
         netlink_audit_socket
         netlink_ip6fw_socket
         netlink_dnrt_socket
@@ -313,8 +336,6 @@ neverallow { appdomain -unconfineddomain }
 # Write to various pseudo file systems.
 neverallow { appdomain -nfc -unconfineddomain }
     sysfs:dir_file_class_set write;
-neverallow { appdomain -system_app -unconfineddomain }
-    selinuxfs:dir_file_class_set write;
 neverallow { appdomain -unconfineddomain }
     proc:dir_file_class_set write;