diff --git a/private/system_server.te b/private/system_server.te
index 8a0fb8eee1661735f095b8a5b3da1271106e4ca0..42a89d421461a9c5c2120e4dd4275d28be452b16 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -740,7 +740,8 @@ userdebug_or_eng(`
 # For AppFuse.
 allow system_server vold:fd use;
 allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:file { read write getattr };
+allow system_server app_fuse_file:dir rw_dir_perms;
+allow system_server app_fuse_file:file { read write open getattr append };
 
 # For configuring sdcardfs
 allow system_server configfs:dir { create_dir_perms };
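Review bot: The added `allow system_server app_fuse_file:dir rw_dir_perms;` gives system_server `write`, `add_name` and `remove_name` on AppFuse directories, yet the file rule on the following line grants neither `create` nor `unlink`, so those directory permissions appear unused in what this hunk shows. Both rules are identical to the ones this commit removes from vold.te, which suggests they were carried over rather than re-derived for system_server. If system_server only needs to look up and open existing entries, `allow system_server app_fuse_file:dir r_dir_perms;` would be the tighter grant. It would also help to extend the `# For AppFuse.` comment to say that system_server now opens these files by path itself, which is presumably why `open` and the dir rule are added, for example `# For AppFuse: system_server opens app_fuse_file entries directly.`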
diff --git a/public/app.te b/public/app.te
index 63fc388801e605df0a67fc79a34468e52b867550..7f0d5548ec3bb68e474adf52621c4a25acef7ce4 100644
--- a/public/app.te
+++ b/public/app.te
@@ -55,9 +55,6 @@ allow appdomain system_server:fifo_file rw_file_perms;
 allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
 allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
 
-# For AppFuse.
-allow appdomain vold:fd use;
-
 # Communication with other apps via fifos
 allow appdomain appdomain:fifo_file rw_file_perms;
 
diff --git a/public/vold.te b/public/vold.te
index 236604fa0684241cffdb3ad1919e5b53a8b1fb4f..9091b69ad21c9c15cdd7a6844e39f204c38999c9 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -229,8 +229,6 @@ allow vold fuse_device:chr_file rw_file_perms;
 allow vold fuse:filesystem { relabelfrom };
 allow vold app_fusefs:filesystem { relabelfrom relabelto };
 allow vold app_fusefs:filesystem { mount unmount };
-allow vold app_fuse_file:dir rw_dir_perms;
-allow vold app_fuse_file:file { read write open getattr append };
 
 # MoveTask.cpp executes cp and rm
 allow vold toolbox_exec:file rx_file_perms;