diff --git a/file.te b/file.te
index 3982a8d25e2ddf74a8c57470643e049ea77c25af..3201d5210fa81d9c7380bf2328181fd96eeac54e 100644
--- a/file.te
+++ b/file.te
@@ -90,6 +90,8 @@ type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/ota
 type ota_data_file, file_type, data_file_type;
+# /data/ota_package
+type ota_package_file, file_type, data_file_type, mlstrustedobject;
 # /data/misc/profiles
 type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
 type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
diff --git a/file_contexts b/file_contexts
index 010e64c89a1b7d4b4606a9c7d569d60b41af6234..14918f0afb14d53f054e2438315631f5e7ca2658 100644
--- a/file_contexts
+++ b/file_contexts
@@ -240,6 +240,7 @@
 /data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/ota(/.*)? u:object_r:ota_data_file:s0
+/data/ota_package(/.*)? u:object_r:ota_package_file:s0
 /data/adb(/.*)? u:object_r:adb_data_file:s0
 /data/anr(/.*)? u:object_r:anr_data_file:s0
 /data/app(/.*)? u:object_r:apk_data_file:s0
diff --git a/priv_app.te b/priv_app.te
index d5de58bc49d3e3cac5dc841502cd648cbb7f8633..04a050936d29280ff2f32ba61da0104f50385d38 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -45,6 +45,10 @@ allow priv_app mnt_media_rw_file:dir search;
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
 allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
 
+# Write to /data/ota_package for OTA packages.
+allow priv_app ota_package_file:dir rw_dir_perms;
+allow priv_app ota_package_file:file create_file_perms;
+
 # Access to /data/media.
 allow priv_app media_rw_data_file:dir create_dir_perms;
 allow priv_app media_rw_data_file:file create_file_perms;
diff --git a/uncrypt.te b/uncrypt.te
index 2ebde86a17a21b2aa03a629fdb43c6406d303d49..d2bad539cee99e50cae185a6839c3126ff5393c2 100644
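Review bot: The new `ota_package_file` declaration in file.te carries `mlstrustedobject` with nothing saying why, and that attribute exempts the type from the MLS level checks that otherwise separate per-user data. Read together with the priv_app.te grant in this commit, it presumably exists so that priv_app processes running with per-user categories can all write the package, but that is inferred from the diff rather than stated. The comment above the type should record the reason, e.g. `# /data/ota_package: written by priv_app from any user, hence mlstrustedobject`. If only a single-level writer is ever expected, dropping the attribute keeps MLS separation on the directory.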
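Review bot: `create_file_perms` on `ota_package_file` in priv_app.te goes to the whole `priv_app` domain, so every privileged app can create, rename or unlink the package that the uncrypt.te and update_engine.te hunks of this commit then read. Nothing in the policy ties the file to the updater that wrote it, so the readers have to treat the contents as untrusted and verify the package after opening it rather than relying on the label; whether they do is outside this diff. I would say so in the comment, e.g. `# Write to /data/ota_package for OTA packages; readers must verify the package signature.`, and consider a neverallow that keeps non-privileged app domains from writing `ota_package_file`.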
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -19,6 +19,10 @@ userdebug_or_eng(`
 allow uncrypt cache_recovery_file:dir rw_dir_perms;
 allow uncrypt cache_recovery_file:file create_file_perms;
 
+# Read OTA zip file at /data/ota_package/.
+allow uncrypt ota_package_file:dir r_dir_perms;
+allow uncrypt ota_package_file:file r_file_perms;
+
 # Write to /dev/socket/uncrypt
 unix_socket_connect(uncrypt, uncrypt, uncrypt)
 
diff --git a/update_engine.te b/update_engine.te
index 33e81342a54ec6ea5ddbdcdc86b61fd7c8003329..c5786928e48d19c3bfe056f627d25ead461d5b6c 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -56,3 +56,7 @@ allow update_engine update_engine_service:service_manager { add };
 
 # Allow update_engine to call the callback function provided by priv_app.
 binder_call(update_engine, priv_app)
+
+# Read OTA zip file at /data/ota_package/.
+allow update_engine ota_package_file:file r_file_perms;
+allow update_engine ota_package_file:dir r_dir_perms;
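Review bot: The two rules added to update_engine.te list `:file` before `:dir`, the reverse of the uncrypt.te hunk in this same commit, which makes two otherwise identical read grants harder to compare at a glance. Put the directory rule first, `allow update_engine ota_package_file:dir r_dir_perms;` followed by `allow update_engine ota_package_file:file r_file_perms;`, so both readers of `/data/ota_package` are written the same way.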