diff --git a/installd.te b/installd.te
index 68a0d068cf96364d8a621867cd0280cb64687036..db7653136c0de9ae0f8e74862b65126ea1050109 100644
--- a/installd.te
+++ b/installd.te
@@ -16,7 +16,8 @@ allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
-allow installd download_file:dir { read getattr };
+allow installd download_file:dir { r_dir_perms };
+allow installd download_file:file { r_file_perms };
 dontaudit installd self:capability sys_admin;
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
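Review bot: The braces around `r_dir_perms` and `r_file_perms` on the two added lines are redundant and inconsistent with the rest of the file, which writes these macros bare (`allow installd apk_tmp_file:file r_file_perms;` two lines above); `allow installd download_file:dir r_dir_perms;` and `allow installd download_file:file r_file_perms;` would match. The change also widens installd from `{ read getattr }` on the directory to full read access on the files in user download storage without a comment saying which operation needs it; since `r_file_perms` typically expands to more than `open read` (for example `ioctl` and `lock`), a one-line comment such as `# Read APKs staged in the download directory for installation` (adjusted to the real reason) would let a later reviewer judge whether the full macro is required.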
diff --git a/netd.te b/netd.te
index db2f480a8e0cb0d90635a8774e5581c063572146..938fc686b3a0f310d6d9f644154a89f2cf68fb61 100644
--- a/netd.te
+++ b/netd.te
@@ -3,7 +3,7 @@ type netd, domain;
 type netd_exec, exec_type, file_type;
 
 init_daemon_domain(netd)
-allow netd self:capability { net_admin net_raw kill };
+allow netd self:capability { net_admin net_raw kill fsetid };
 allow netd self:netlink_kobject_uevent_socket *;
 allow netd self:netlink_route_socket *;
 allow netd self:netlink_nflog_socket *;
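Review bot: `fsetid` is added to netd's capability set with no comment explaining which code path needs it, and it is a capability that is frequently requested incidentally rather than functionally — the kernel checks CAP_FSETID when a chmod/chown would otherwise clear a set-group-ID bit, and the operation still succeeds without it, so the denial is usually noise. If that is the case here, `dontaudit netd self:capability fsetid;` on a separate line is the safer choice than `allow`; if netd genuinely needs to preserve set-id bits on files it touches, a comment naming the file and the reason should accompany the grant. Either way, a reviewer cannot tell from the hunk alone which situation applies.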
diff --git a/vold.te b/vold.te
index c41cc72134c3d3deec73785da2387531d4e0570c..25e586acc91ffd7f759ff2ca85d99c625394cd4b 100644
--- a/vold.te
+++ b/vold.te
@@ -27,7 +27,7 @@ allow vold dm_device:chr_file rw_file_perms;
 allow vold domain:dir r_dir_perms;
 allow vold domain:{ file lnk_file } r_file_perms;
 allow vold domain:process { signal sigkill };
-allow vold self:capability { sys_ptrace };
+allow vold self:capability { sys_ptrace kill };
 
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
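Review bot: Adding `kill` to vold's capabilities, combined with the existing `allow vold domain:process { signal sigkill };` three lines above, lets vold send signals to any process on the device regardless of uid, and the hunk gives no reason for it. A comment stating what vold signals and why (for example, which process it must terminate on unmount) would document the intent, and if the target is a single known domain, narrowing the `domain:process` rule to that domain would limit the blast radius of the new capability. This also applies to the second vold hunk below, where `ctl_default_prop` is granted without a comment.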
@@ -57,6 +57,7 @@ allow vold kernel:process setsched;
 # Property Service
 allow vold vold_prop:property_service set;
 allow vold powerctl_prop:property_service set;
+allow vold ctl_default_prop:property_service set;
 
 # ASEC
 allow vold asec_image_file:file create_file_perms;
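Review bot: `allow vold ctl_default_prop:property_service set;` lets vold set any `ctl.*` control property that is not assigned a more specific type, which — if `ctl_default_prop` is the catch-all for `ctl.` as the name suggests — means vold can start and stop arbitrary init services, not just the one it needs. If a single service is being started or stopped, a dedicated property type for that `ctl.` key in property_contexts would restrict the grant to it; at minimum the line wants a comment naming the service, for example `# Start/stop <service> during mount/unmount (see <bug-id>)` with the real values filled in.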
diff --git a/zygote.te b/zygote.te
index 11a767f31a3460c28cbfec262defd98c665e012f..5d1f489ede2630012bb94342b1f41454fcb80859 100644
--- a/zygote.te
+++ b/zygote.te
@@ -44,3 +44,10 @@ allow zygote labeledfs:filesystem remount;
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file { execute_no_trans open };
+
+# handle bugreports b/10498304
+allow zygote ashmem_device:chr_file execute;
+allow zygote init:binder call;
+allow zygote shell_data_file:file { write getattr };
+allow zygote system_server:binder { transfer call };
+allow zygote servicemanager:binder { call };
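Review bot: The comment `# handle bugreports b/10498304` does not say why these permissions land on the zygote domain itself, and several of the rules are hard to justify for zygote: `ashmem_device:chr_file execute` allows zygote to map ashmem regions executable, `init:binder call` targets a process that does not normally serve binder, and `shell_data_file:file { write getattr }` lets the app-spawning daemon write into shell-owned files. If these denials come from a helper launched through `app_process` for dumpstate, it is likely running in the zygote domain only because no domain transition is defined for it, and giving that helper its own domain (or reusing an existing one) would keep zygote's policy tight. At minimum the comment should name the process and the operation that triggered each denial so the unusual `init:binder call` and ashmem `execute` grants can be revisited, e.g. `# bugreport helper launched via app_process needs binder to system_server/servicemanager and write to the report file (b/10498304)`.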