diff --git a/public/app.te b/public/app.te
index 12a9b81c501e23acb7af85828ecba1270a1d613f..3de24fbab3f25f1f4c221f5d372f5ded2af97a49 100644
--- a/public/app.te
+++ b/public/app.te
@@ -124,16 +124,16 @@ allow appdomain vendor_public_lib_file:file { execute read open getattr map };
 allow appdomain dex2oat_exec:file rx_file_perms;
 
 # Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write };
+allow appdomain wallpaper_file:file { getattr read write map };
 
 # Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write };
+allow appdomain ringtone_file:file { getattr read write map };
 
 # Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read };
+allow appdomain shortcut_manager_icons:file { getattr read map };
 
 # Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read };
+allow appdomain icon_file:file { getattr read map };
 
 # Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
 #
@@ -231,12 +231,12 @@ allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdow
 
 # Backup ability for every app. BMS opens and passes the fd
 # to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr };
-allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
 allow appdomain cache_backup_file:dir getattr;
 # Backup ability using 'adb backup'
 allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read };
+allow appdomain system_data_file:file { getattr read map };
 
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
 allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 75a3018bed34ead7dceaa8dafabb5f1487a30af7..2e96352fc6a4e1151a757cf95269a1398e724734 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -7,9 +7,9 @@ r_dir_file(dex2oat, apk_data_file)
 r_dir_file(dex2oat, vendor_app_file)
 # Access /vendor/framework
 allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read };
+allow dex2oat vendor_framework_file:file { getattr open read map };
 
-allow dex2oat tmpfs:file { read getattr };
+allow dex2oat tmpfs:file { read getattr map };
 
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
@@ -24,16 +24,16 @@ allow dex2oat system_file:file lock;
 # Read already open asec_apk_file file descriptors passed by installd.
 # Also allow reading unlabeled files, to allow for upgrading forward
 # locked APKs.
-allow dex2oat asec_apk_file:file read;
-allow dex2oat unlabeled:file read;
-allow dex2oat oemfs:file read;
+allow dex2oat asec_apk_file:file { read map };
+allow dex2oat unlabeled:file { read map };
+allow dex2oat oemfs:file { read map };
 allow dex2oat apk_tmp_file:dir search;
 allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock };
+allow dex2oat user_profile_data_file:file { getattr read lock map };
 
 # Allow dex2oat to compile app's secondary dex files which were reported back to
 # the framework.
-allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock };
+allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
 
 ##################
 # A/B OTA Dexopt #
diff --git a/public/drmserver.te b/public/drmserver.te
index 1a675bebae852783ceb15d3d50b9882a41b461bd..23ba9a6d77962a24b3f6ab59f39ef7639dc9d867 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -21,8 +21,8 @@ allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver { app_data_file privapp_data_file }:file { read write getattr };
-allow drmserver sdcard_type:file { read write getattr };
+allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
+allow drmserver sdcard_type:file { read write getattr map };
 r_dir_file(drmserver, efs_file)
 
 type drmserver_socket, file_type;
@@ -38,12 +38,12 @@ allow drmserver apk_data_file:sock_file unlink;
 r_dir_file(drmserver, media_rw_data_file)
 
 # Read resources from open apk files passed over Binder.
-allow drmserver apk_data_file:file { read getattr };
-allow drmserver asec_apk_file:file { read getattr };
-allow drmserver ringtone_file:file { read getattr };
+allow drmserver apk_data_file:file { read getattr map };
+allow drmserver asec_apk_file:file { read getattr map };
+allow drmserver ringtone_file:file { read getattr map };
 
 # Read /data/data/com.android.providers.telephony files passed over Binder.
-allow drmserver radio_data_file:file { read getattr };
+allow drmserver radio_data_file:file { read getattr map };
 
 # /oem access
 allow drmserver oemfs:dir search;
diff --git a/public/init.te b/public/init.te
index aa51a2f2862fac0c2b58f9505b2d08e9973ce0c1..5db0ab3bdec83abae66446b2e0979325b44df604 100644
--- a/public/init.te
+++ b/public/init.te
@@ -180,7 +180,7 @@ allow init {
   -system_file
   -vendor_file_type
   -vold_data_file
-}:file { create getattr open read write setattr relabelfrom unlink };
+}:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow init {
   file_type
diff --git a/public/te_macros b/public/te_macros
index 5c1eeeacedaaba692137a60045f62bb353133925..febfe557fa3c5deaeafc07bf8919bf5910b9a19c 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -358,7 +358,7 @@ allow $1 hwservicemanager:binder { call transfer };
 allow hwservicemanager $1:binder { call transfer };
 # hwservicemanager performs getpidcon on clients.
 allow hwservicemanager $1:dir search;
-allow hwservicemanager $1:file { read open };
+allow hwservicemanager $1:file { read open map };
 allow hwservicemanager $1:process getattr;
 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to
 # all domains in domain.te.
@@ -374,7 +374,7 @@ allow $1 vndbinder_device:chr_file rw_file_perms;
 allow $1 vndservicemanager:binder { call transfer };
 # vndservicemanager performs getpidcon on clients.
 allow vndservicemanager $1:dir search;
-allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:file { read open map };
 allow vndservicemanager $1:process getattr;
 ')