diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 2a32f141e0ada50d603c5d67465582d4c7dd1244..86282d508b9eb40347bd54bc93959fd09660a346 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -447,7 +447,20 @@
 (typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
 (typeattributeset print_service_26_0 (print_service))
 (typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0 (proc proc_asound proc_cmdline proc_filesystems proc_kmsg proc_loadavg proc_mounts proc_pagetypeinfo proc_swaps proc_uid_time_in_state proc_version proc_vmallocinfo))
+(typeattributeset proc_26_0
+  ( proc
+    proc_asound
+    proc_cmdline
+    proc_filesystems
+    proc_kmsg
+    proc_loadavg
+    proc_mounts
+    proc_pagetypeinfo
+    proc_random
+    proc_swaps
+    proc_uid_time_in_state
+    proc_version
+    proc_vmallocinfo))
 (typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
 (typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
 (typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
@@ -568,6 +581,7 @@
   ( sysfs
     sysfs_android_usb
     sysfs_dm
+    sysfs_dt_firmware_android
     sysfs_ipv4
     sysfs_net
     sysfs_power
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 7bf252dc1fafb8bed538a4bb64600c87b9cb3f92..124da42a3f75022d1b7f532d98875a25b9ea2dc9 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -33,6 +33,7 @@ genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
 genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/random u:object_r:proc_random:s0
 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
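Review bot: The new `genfscon proc /sys/kernel/random u:object_r:proc_random:s0` label applies to the whole directory, so the read-only identifiers such as boot_id end up sharing a type with the writable random sysctls that live alongside them; the grants in this change are read-only, which is fine, but a comment next to the `type proc_random, fs_type;` declaration in public/file.te would stop a later change from handing out write on the label casually. Suggest `# /proc/sys/kernel/random: read-only identifiers (boot_id, uuid) share this label with writable tunables; grant read only.` The compat mapping in the first hunk keeps proc_random inside proc_26_0, so vendor domains written against the 26.0 `proc` type retain their prior access; that appears intended for backward compatibility rather than an oversight.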
@@ -73,6 +74,7 @@ genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_ueve
 genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
 genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
 genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
 genfscon sysfs /power/state u:object_r:sysfs_power:s0
 genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
diff --git a/public/file.te b/public/file.te
index 39e35b40d184c3d55c4ad97bf50ea2f35627a40b..66ec285f4f04805bd09349b7cd3e55582d241e1c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -28,6 +28,7 @@ type proc_mounts, fs_type;
 type proc_net, fs_type;
 type proc_pagetypeinfo, fs_type;
 type proc_perf, fs_type;
+type proc_random, fs_type;
 type proc_stat, fs_type;
 type proc_swaps, fs_type;
 type proc_sysrq, fs_type;
@@ -49,6 +50,7 @@ type sysfs_uio, sysfs_type, fs_type;
 type sysfs_batteryinfo, fs_type, sysfs_type;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dt_firmware_android, fs_type, sysfs_type;
 type sysfs_ipv4, fs_type, sysfs_type;
 type sysfs_leds, fs_type, sysfs_type;
 type sysfs_hwrandom, fs_type, sysfs_type;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 0ce617b81ade45d07b70b3b699303be16eca1582..d6c20602be771d26ad67064ed67141118093c422 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -10,7 +10,7 @@ allow postinstall_dexopt self:capability { chown dac_override fowner setgid setu
 allow postinstall_dexopt postinstall_file:filesystem getattr;
 allow postinstall_dexopt postinstall_file:dir { getattr search };
 allow postinstall_dexopt postinstall_file:lnk_file read;
-allow postinstall_dexopt proc:file { getattr open read };
+allow postinstall_dexopt proc_filesystems:file { getattr open read };
 allow postinstall_dexopt tmpfs:file read;
 
 # Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
diff --git a/public/recovery.te b/public/recovery.te
index ee5f12576b884a3005171466c82bfd42692133a6..d0a39801240db557eb2a012c65ed81e5b931cf4b 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -135,8 +135,6 @@ recovery_only(`
   # This line seems suspect, as it should not really need to
   # set scheduling parameters for a kernel domain task.
   allow recovery kernel:process setsched;
-
-  allow recovery proc_cmdline:file r_file_perms;
 ')
 
 ###
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 4437ab7c0f3aed3e5234ad73f1c004114b0e41ce..dd2d7dd71236f65de44683b6362ea7ce731236bc 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -42,4 +42,4 @@ r_dir_file(uncrypt, rootfs)
 allow uncrypt proc_cmdline:file r_file_perms;
 
 # Read files in /sys
-r_dir_file(uncrypt, sysfs)
+r_dir_file(uncrypt, sysfs_dt_firmware_android)
diff --git a/public/update_engine.te b/public/update_engine.te
index f67afc28d6db8e2d6f1611fdc4803febf806c04b..289d21680988ed904fc2e47bf722777ceb86d07f 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
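Review bot: Dropping `allow recovery proc_cmdline:file r_file_perms;` from the recovery_only block in public/recovery.te is only safe if recovery still reaches /proc/cmdline by another route, presumably by carrying the update_engine_common attribute that receives the same permission in public/update_engine_common.te; that attribute assignment is not part of this diff, so it is worth confirming with a policy query (sesearch on the built policy) that recovery keeps read on proc_cmdline after the change. The enclosing recovery_only block starts outside the hunk.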
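Review bot: The comment `# Read files in /sys` above the rewritten line in public/uncrypt.te is now stale, since the grant is narrowed from all of sysfs to the single sysfs_dt_firmware_android subtree; update it to `# Read files in /sys/firmware/devicetree/base/firmware/android/`, matching the wording used for the same type in public/update_engine_common.te. Narrowing from the blanket sysfs label to one labelled subtree is the right direction, and anything else uncrypt read under /sys will now surface as a denial, so an audit of uncrypt's sysfs reads on a device build before merging would catch any path this change missed.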
@@ -40,12 +40,8 @@ allow update_engine ota_package_file:dir r_dir_perms;
 # Use Boot Control HAL
 hal_client_domain(update_engine, hal_bootctl)
 
-# access /proc/misc and /proc/sys/kernel/random/boot_id
-allow update_engine proc:file r_file_perms;
+# access /proc/misc
 allow update_engine proc_misc:file r_file_perms;
 
 # read directories on /system and /vendor
 allow update_engine system_file:dir r_dir_perms;
-
-# Read files in /sys
-r_dir_file(update_engine, sysfs)
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 61d393a263a2cfc5335e5dc608587f031ab3d12d..e27590054d8405e3a43955419f9bbf2b946447ec 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -37,3 +37,10 @@ allow update_engine_common shell_exec:file rx_file_perms;
 
 # Allow update_engine_common to suspend, resume and kill the postinstall program.
 allow update_engine_common postinstall:process { signal sigstop sigkill };
+
+# access /proc/cmdline and /proc/sys/kernel/random/
+allow update_engine_common proc_cmdline:file r_file_perms;
+r_dir_file(update_engine_common, proc_random)
+
+# Read files in /sys/firmware/devicetree/base/firmware/android/
+r_dir_file(update_engine_common, sysfs_dt_firmware_android)
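Review bot: The rewritten comment `# access /proc/misc` in public/update_engine.te no longer says where the boot_id and /sys reads removed from this file went, which will puzzle the next reader who greps for them here; the grants reappear on update_engine_common in the following hunk, presumably reaching update_engine through the update_engine_common attribute (that assignment is not visible in this diff). Suggest extending it to `# access /proc/misc (proc_cmdline, proc_random and the devicetree firmware node are granted via update_engine_common)`. Replacing `allow update_engine proc:file r_file_perms;` and the blanket `r_dir_file(update_engine, sysfs)` with grants on specifically labelled subtrees reduces what the domain can read to what it needs, which is the point of the change.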