diff --git a/public/domain.te b/public/domain.te
index f732676d57bd17e3746a5fae66c6b12119b58102..bbf4d687ccce55edaa1b17e0a6d086e39326297d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -108,6 +108,7 @@ auditallow {
  domain
  -appdomain
  -dex2oat
+ -dumpstate
  -recovery
  -zygote
 } libart_file:file { execute read open getattr };
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index b8ad83c5ae311966244914df2d7c510e75a6eb54..e6e827bd405b45ae7d5b2a6c00e968fb210f5070 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -62,8 +62,27 @@ auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } ap
 # Read /data/dalvik-cache.
 allow domain_deprecated dalvikcache_data_file:dir { search getattr };
 allow domain_deprecated dalvikcache_data_file:file r_file_perms;
-auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -init -installd -system_server -zygote } dalvikcache_data_file:dir { search getattr };
-auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -installd -system_server -zygote } dalvikcache_data_file:file r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -debuggerd
+ -dex2oat
+ -dumpstate
+ -init
+ -installd
+ -system_server
+ -zygote
+} dalvikcache_data_file:dir { search getattr };
+auditallow {
+ domain_deprecated
+ -appdomain
+ -debuggerd
+ -dex2oat
+ -dumpstate
+ -installd
+ -system_server
+ -zygote
+} dalvikcache_data_file:file r_file_perms;
 
 # Read already opened /cache files.
 allow domain_deprecated cache_file:dir r_dir_perms;
@@ -100,7 +119,18 @@ auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputfli
 auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
 auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
 auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;
+auditallow {
+ domain_deprecated
+ -appdomain
+ -clatd
+ -dumpstate
+ -init
+ -netd
+ -system_server
+ -vold
+ -wpa
+ -zygote
+} proc_net:{ file lnk_file } r_file_perms;
 
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 690e843c7684f66b2014f3127bba1b24b0b77d00..20f8bda9b9a9276a4b884303f95645b902d13f4d 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -118,7 +118,9 @@ allow dumpstate ashmem_device:chr_file execute;
 allow dumpstate dumpstate_tmpfs:file execute;
 allow dumpstate self:process execmem;
 # For art.
-allow dumpstate dalvikcache_data_file:file execute;
+allow dumpstate libart_file:file { r_file_perms execute };
+allow dumpstate dalvikcache_data_file:dir { search getattr };
+allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
 allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
 
 # For Bluetooth
@@ -133,6 +135,9 @@ allow dumpstate gpu_device:chr_file rw_file_perms;
 read_logd(dumpstate)
 control_logd(dumpstate)
 
+# Read /proc/net
+allow dumpstate proc_net:file r_file_perms;
+
 # Read network state info files.
 allow dumpstate net_data_file:dir search;
 allow dumpstate net_data_file:file r_file_perms;
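Review bot: The new `-dumpstate` exemption in this auditallow removes auditing for both `proc_net:{ file lnk_file }`, but the explicit grant added to public/dumpstate.te in the last hunk of this commit covers only `proc_net:file`. If dumpstate is currently getting the lnk_file half through the domain_deprecated allow rule that this auditallow tracks, that access stops being observable here and will surface only as a denial once the deprecated rule is removed. Either add `allow dumpstate proc_net:lnk_file r_file_perms;` beside the new `proc_net:file` rule if symlinks under /proc/net are actually followed, or split this auditallow so dumpstate is exempted only for the `file` class it is granted. The dalvikcache_data_file hunk above does not have this gap, since its dir and file exemptions match the dumpstate.te grants class for class.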
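Review bot: The comment `# For art.` above the three new rules in public/dumpstate.te does not say which dumpstate subprocess needs `execute` on files under /data/dalvik-cache and on libart, which is the first question a later reviewer of this privileged domain will ask when deciding whether the rule can be narrowed or moved to a less privileged domain. Suggest expanding it along the lines of `# For art: <tool run by dumpstate> loads libart and executes files from /data/dalvik-cache` with the tool named. It would also help to note here that the new `dir { search getattr }` and `file r_file_perms` match the dumpstate exemptions added to the domain_deprecated auditallows in this commit, so the deprecated grant can later be dropped for dumpstate without loss.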