diff --git a/private/apexd.te b/private/apexd.te
index d7a31732f85526fb7fa9b60cdcb62c2733862d52..61e099bf9c8903301bbf2d32e1460c09e568224b 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -43,6 +43,10 @@ allow apexd apex_mnt_dir:lnk_file create_file_perms;
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
+# Configure read-ahead of dm-verity devices
+allow apexd sysfs_dm:dir r_dir_perms;
+allow apexd sysfs_dm:file rw_file_perms;
+
 # Spawning a libbinder thread results in a dac_override deny,
 # /dev/cpuset/tasks is owned by system.
 #
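Review bot: The two added `sysfs_dm` rules grant more than their comment describes. `rw_file_perms` applies to every file labelled `sysfs_dm`, which presumably covers all device-mapper nodes and not only the dm-verity devices apexd sets up, and the comment does not name the attribute being written. If apexd only tunes read-ahead, narrow the file rule to the permissions that write needs, or at least record the scope in the comment, e.g. `# Write the read-ahead attribute of dm-verity devices; sysfs_dm is shared by all dm devices, so this rule is not verity-specific.`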
@@ -50,5 +54,5 @@ allow apexd labeledfs:filesystem { mount unmount };
 dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
 
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms;
+neverallow { domain -apexd -init -kernel } apex_data_file:file no_rw_file_perms;
 neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
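Review bot: Adding `-kernel` to the `apex_data_file:file` neverallow exempts the kernel domain from the whole `no_rw_file_perms` set, while the matching rule added in public/kernel.te grants only `read`. A later change could therefore give kernel write, unlink or relabel access to APEX data files without any assertion failing at build time. Keep the write side enforced by adding `neverallow kernel apex_data_file:file no_w_file_perms;` directly after the relaxed line. This assumes no rule outside this diff already grants kernel write access to that type.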
diff --git a/public/kernel.te b/public/kernel.te
index d20bc471049a14402ed9100345312d56e333a724..d3a60790babe8266d7eb83abdf864bf5d2126cf3 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -81,6 +81,12 @@ allow kernel media_rw_data_file:file create_file_perms;
 # Access to /data/misc/vold/virtual_disk.
 allow kernel vold_data_file:file { read write };
 
+# Allow the kernel to read APEX file descriptors and data files;
+# Needed because APEX uses the loopback driver, which issues requests from
+# a kernel thread in earlier kernel version.
+allow kernel apexd:fd use;
+allow kernel apex_data_file:file read;
+
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
 # Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
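Review bot: The comment above `allow kernel apexd:fd use;` justifies the grant with "earlier kernel version" but names no version, and both allow rules are unconditional, so nothing tells a maintainer when they can be removed. The context comment just below also says first-stage init runs in the kernel domain, so it gains the same read access to `apex_data_file` and use of apexd's file descriptors. Record both facts in the comment, e.g. `# Needed on kernels before <KERNEL_VERSION>, where loop I/O is issued from a kernel thread; first-stage init shares this domain. Remove once those kernels are unsupported.`, with the placeholder replaced by the real version.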