diff --git a/private/incidentd.te b/private/incidentd.te
index b806f6e69..45499fc03 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -128,10 +128,18 @@ unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
 # Run a shell.
 allow incidentd shell_exec:file rx_file_perms;
 
+# For running am, incident-helper-cmd and similar framework commands.
+# Run /system/bin/app_process.
+allow incidentd zygote_exec:file { rx_file_perms };
+
 # logd access - work to be done is a PII safe log (possibly an event log?)
 userdebug_or_eng(`read_logd(incidentd)')
 # TODO control_logd(incidentd)
 
+# Access /data/misc/logd
+allow incidentd misc_logd_file:dir r_dir_perms;
+allow incidentd misc_logd_file:file r_file_perms;
+
 # Allow incidentd to find these standard groups of services.
 # Others can be whitelisted individually.
 allow incidentd {
diff --git a/private/logpersist.te b/private/logpersist.te
index 6f6ab5056..ac324df88 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -24,6 +24,6 @@ neverallow logpersist {
   userdebug_or_eng(`-misc_logd_file -coredump_file')
   with_native_coverage(`-method_trace_data_file')
 }:file { create write append };
-neverallow { domain -init -dumpstate userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init -dumpstate -incidentd userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
 neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_w_file_perms;
 neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
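Review bot: The new `misc_logd_file` read rules in incidentd.te are granted unconditionally, while the logd access two lines above them is wrapped in `userdebug_or_eng(...)`; if the /data/misc/logd contents incidentd wants to read are only produced on userdebug/eng builds (as the `-logpersist -logd` exemptions in logpersist.te suggest, though this hunk does not show it), the same guard would keep the permission off user builds, e.g. `userdebug_or_eng(`allow incidentd misc_logd_file:dir r_dir_perms;')` and the matching `:file r_file_perms` line. The comment `# Access /data/misc/logd` should also state the scope, since read-only is the intent: `# Read-only access to /data/misc/logd.`. Separately, the braces in `allow incidentd zygote_exec:file { rx_file_perms };` are redundant around a single permission macro; the existing `shell_exec` rule in the same hunk writes `rx_file_perms` bare, so `allow incidentd zygote_exec:file rx_file_perms;` would match the file's style.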
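Review bot: The `-incidentd` exemption added to the `no_rw_file_perms` neverallow in logpersist.te is not explained, and because it lifts the read-and-write assertion rather than a read-only one, a reader has to check the next line to see that writes by incidentd are still forbidden (the `no_w_file_perms` neverallow keeps incidentd in its domain set). A short comment above the changed line would make the intended scope explicit, e.g. `# incidentd is exempted for read-only access; the no_w_file_perms rule below still forbids it to write.`. The exemption sits outside the `userdebug_or_eng` guard like `-dumpstate`, which is consistent with the unconditional allow in incidentd.te, so if that allow is later guarded the exemption should move inside the guard as well.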