diff --git a/private/priv_app.te b/private/priv_app.te
index bb7598e49e9b2cea243fc96e5a1a0d8f90c6d34e..065ea1ad373c392ae5261eb075a0e6f5366be6a7 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -82,6 +82,9 @@ r_dir_file(priv_app, sysfs_type)
 r_dir_file(priv_app, proc)
 r_dir_file(priv_app, rootfs)
 
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow priv_app config_gz:file { open read getattr };
+
 # access the mac address
 allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
 
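Review bot: The comment on the added rule names GMS core, but `allow priv_app config_gz:file { open read getattr };` grants the read to every app that runs in the priv_app domain, so the kernel build configuration becomes readable by all privileged apps rather than by one component. The comment should state the real scope, for example `# Allow priv_app to read the kernel config via libvintf for OTA matching (needed by GMS core; applies to all of priv_app)`. If only one component needs this, a narrower domain would be the least-privilege choice, though whether one is available cannot be seen from this hunk. Keeping the explicit `{ open read getattr }` set rather than a broader read macro is worth preserving.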
diff --git a/public/recovery.te b/public/recovery.te
index 886f4fd4824f4fa2e827f9f5aadaf33e8188cac4..f0ac97dc44bba8e886248f021df1cc6994f1f1d6 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -51,6 +51,9 @@ recovery_only(`
   # Write to /proc/sys/vm/drop_caches
   allow recovery proc_drop_caches:file w_file_perms;
 
+  # Read kernel config through libvintf for OTA matching
+  allow recovery config_gz:file { open read getattr };
+
   # Write to /sys/class/android_usb/android0/enable.
   # TODO: create more specific label?
   allow recovery sysfs:file w_file_perms;