diff --git a/keystore.te b/keystore.te
index bb2e9d89160487f83f8ebf0c5199daa837d6860a..3d7bd9210b975075af517797d6a9b78c5b8d0ae6 100644
--- a/keystore.te
+++ b/keystore.te
@@ -6,6 +6,7 @@ init_daemon_domain(keystore)
 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
+binder_call(keystore, system_server)
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
@@ -13,6 +14,7 @@ allow keystore tee_device:chr_file rw_file_perms;
 allow keystore tee:unix_stream_socket connectto;
 
 allow keystore keystore_service:service_manager { add find };
+allow keystore sec_key_att_app_id_provider_service:service_manager find;
 
 # Check SELinux permissions.
 selinux_check_access(keystore)
diff --git a/service.te b/service.te
index c65272d86b32553f1a8c2e7c3497cc1e64e18b36..50aef266f1390c60515406e3160643bee8a62e3b 100644
--- a/service.te
+++ b/service.te
@@ -96,6 +96,7 @@ type rttmanager_service, app_api_service, system_server_service, service_manager
 type samplingprofiler_service, system_server_service, service_manager_type;
 type scheduling_policy_service, system_server_service, service_manager_type;
 type search_service, app_api_service, system_server_service, service_manager_type;
+type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
 type sensorservice_service, app_api_service, system_server_service, service_manager_type;
 type serial_service, system_api_service, system_server_service, service_manager_type;
 type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index b73552931583e891346e99ce0a54ae9fc0df7173..c0dfd2be485d81047ef00c53429bff3c5ca6f131 100644
--- a/service_contexts
+++ b/service_contexts
@@ -94,6 +94,7 @@ nfc                                       u:object_r:nfc_service:s0
 notification                              u:object_r:notification_service:s0
 otadexopt                                 u:object_r:otadexopt_service:s0
 package                                   u:object_r:package_service:s0
+sec_key_att_app_id_provider               u:object_r:sec_key_att_app_id_provider_service:s0
 permission                                u:object_r:permission_service:s0
 persistent_data_block                     u:object_r:persistent_data_block_service:s0
 phone_msim                                u:object_r:radio_service:s0