diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index f82e05deb..414b39f48 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -4,7 +4,7 @@ type linkerconfig_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(linkerconfig)
 ## Read and write linkerconfig subdirectory.
-allow linkerconfig linkerconfig_file:dir rw_dir_perms;
+allow linkerconfig linkerconfig_file:dir create_dir_perms;
 allow linkerconfig linkerconfig_file:file create_file_perms;
 # Allow linkerconfig to log to the kernel.
@@ -13,4 +13,7 @@ allow linkerconfig kmsg_device:chr_file w_file_perms;
 # Allow linkerconfig to be invoked with logwrapper from init.
 allow linkerconfig devpts:chr_file { read write };
+# Allow linkerconfig to scan for apex modules
+allow linkerconfig apex_mnt_dir:dir r_dir_perms;
+
 neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
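Review bot: The comment above the changed rule still reads "Read and write linkerconfig subdirectory", although the new line grants `create_dir_perms`, which in AOSP's global_macros adds create, rmdir, rename, reparent and setattr on top of `rw_dir_perms`. If linkerconfig only needs to make subdirectories, a narrower `allow linkerconfig linkerconfig_file:dir { rw_dir_perms create };` would keep directory removal and rename out of the domain; whether setattr is also needed cannot be told from this hunk. Otherwise the comment should be brought in line with the grant, e.g. `## Create, read and write the linkerconfig directory and its subdirectories.`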
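Review bot: The added comment says "scan for apex modules", but the rule below it only lets linkerconfig open and list directories labelled `apex_mnt_dir`; nothing in this hunk grants access to files or differently labelled directories beneath it. If listing names is all linkerconfig does, that is the right minimum and the comment can say so: `# Allow linkerconfig to list the apex mount directory (names only) to find apex modules.` If it also reads per-module files, those rules are either missing or live outside this hunk, which is worth confirming before merge.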