diff --git a/common/private/netd.te b/common/private/netd.te
new file mode 100644
index 0000000000000000000000000000000000000000..bc717188e6953f3d82af3fb69fad04a656d9e115
--- /dev/null
+++ b/common/private/netd.te
@@ -0,0 +1 @@
+allow netd platform_app:unix_stream_socket connectto;
diff --git a/common/private/platform_app.te b/common/private/platform_app.te
index 07183e7249bf2847ecbb03f89d3f60e5b56e32be..acbc62323978fb4330ba665e480d84ece5055165 100644
--- a/common/private/platform_app.te
+++ b/common/private/platform_app.te
@@ -9,3 +9,14 @@ hal_client_domain(platform_app, hal_lineage_livedisplay)
 
 # Allow PowerShare HAL service to be found
 hal_client_domain(platform_app, hal_lineage_powershare)
+
+# allow platform_app to create named pipes (used for realm support)
+allow platform_app fuse:fifo_file create;
+allow platform_app app_data_file:fifo_file create_file_perms;
+allow platform_app app_data_file:fifo_file open;
+allow platform_app rs_exec:file rx_file_perms;
+
+# Allow platform apps to execute files in /data
+allow platform_app app_data_file:file execute;
+
+allow platform_app app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
diff --git a/common/private/updater_app.te b/common/private/updater_app.te
index 657588ffba9200718ebf2a14f525e7906003141c..d1c50e039627b658f6f6677a4548268572a96761 100644
--- a/common/private/updater_app.te
+++ b/common/private/updater_app.te
@@ -9,6 +9,7 @@ binder_call(updater_app, update_engine)
 allow updater_app app_api_service:service_manager find;
 allow updater_app recovery_service:service_manager find;
 allow updater_app system_api_service:service_manager find;
+allow updater_app system_update_service:service_manager find;
 allow updater_app update_engine_service:service_manager find;
 
 allow updater_app app_data_file:dir create_dir_perms;
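Review bot: The single rule in the new `netd.te` carries no comment and is scoped to the whole `platform_app` domain, so `netd` may connect to a stream socket owned by any platform-signed app rather than only the one consumer that needs it. A line such as `# netd connects to <app/socket name> for <purpose>` above the rule would let a later reviewer judge whether it can be narrowed or dropped. If the socket is a filesystem socket rather than an abstract one, `connectto` alone will presumably not be enough and a matching `sock_file` write denial would show up in the audit log; that is worth confirming on a device before merging.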
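Review bot: In the `platform_app.te` hunk, `allow platform_app app_data_file:file execute;` lets every platform-signed app map and run code from its own writable data directory, which removes write/execute separation for a domain that holds platform-signature privileges. The comment says only "execute files in /data" and names no consumer; if one app needs this (presumably the same Realm user as the fifo rules above it), giving that app its own domain or shipping the native code in the APK's lib directory would be safer than granting it to all of `platform_app`. Separately, `allow platform_app app_data_file:fifo_file open;` is redundant because `create_file_perms` already contains `open`. The final `{ lnk_file sock_file fifo_file }` rule repeats the fifo_file grant and adds lnk_file and sock_file creation with no comment explaining why they are needed.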