diff --git a/seapp_contexts b/seapp_contexts
index 2049b8aa7be7f0403b0d2fad2693052df9b3d423..6c0a9a3e01790d889999757a1906b0afb6a0e457 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -3,6 +3,7 @@
# user (string)
# seinfo (string)
# name (string)
+# path (string)
# sebool (string)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
@@ -19,7 +20,8 @@
# (4) Longer user= prefix before shorter user= prefix.
# (5) Specified seinfo= string before unspecified seinfo= string.
# (6) Specified name= string before unspecified name= string.
-# (7) Specified sebool= string before unspecified sebool= string.
+# (7) Specified path= string before unspecified path= string.
+# (8) Specified sebool= string before unspecified sebool= string.
#
# Outputs:
# domain (string)
@@ -41,6 +43,7 @@ user=_app domain=untrusted_app type=app_data_file levelFrom=none
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
user=_app seinfo=shared domain=shared_app type=platform_app_data_file
user=_app seinfo=media domain=media_app type=platform_app_data_file
+user=_app seinfo=media name=com.android.providers.downloads path=cache* type=download_file
user=_app seinfo=release domain=release_app type=platform_app_data_file
user=_isolated domain=isolated_app
user=shell domain=shell type=shell_data_file
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 19e2ab28b14b03e6cd307ff5e47893b61d6a7b0c..e5108e3f7a3ff2e36a9c1c27b619f78b4c066f53 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -160,6 +160,7 @@ key_map rules[] = {
{ .name = "user", .type = dt_string, .dir = dir_in, .data = NULL },
{ .name = "seinfo", .type = dt_string, .dir = dir_in, .data = NULL },
{ .name = "name", .type = dt_string, .dir = dir_in, .data = NULL },
+ { .name = "path", .type = dt_string, .dir = dir_in, .data = NULL },
{ .name = "sebool", .type = dt_string, .dir = dir_in, .data = NULL },
/*Outputs*/
{ .name = "domain", .type = dt_string, .dir = dir_out, .data = NULL },