diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index d304ae657..c4f2cd9da 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -55,17 +55,22 @@ allow virtualizationservice staging_data_file:dir search;
 # Run derive_classpath in our domain
 allow virtualizationservice derive_classpath_exec:file rx_file_perms;
 allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationservice self:dir write;
 
 # Let virtualizationservice to accept vsock connection from the guest VMs
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
 # Allow virtualization to ioctl on dev/kvm only to check if protected VM is supported or not.
-allow virtualizationservice kvm_device:chr_file { open read write };
+allow virtualizationservice kvm_device:chr_file { open read write ioctl };
 allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
 
 # Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
 set_prop(virtualizationservice, virtualizationservice_prop)
 
+# Allow writing stats to statsd
+unix_socket_send(virtualizationservice, statsdw, statsd)
+
 neverallow {
   domain
   -init