diff --git a/public/domain.te b/public/domain.te
index 3a914d7b5fa5d9776a5f49d8d0e216cc10a47cca..1dc2a41df92effb9b219bea9ff6de36574391c0f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -953,6 +953,7 @@ full_treble_only(`
         userdebug_or_eng(`-perfprofd')
         -postinstall_dexopt
         -system_server
+        -mediaserver
     } vendor_app_file:file r_file_perms;
 ')
 
diff --git a/public/mediaserver.te b/public/mediaserver.te
index b20835a2555e44cd8b965c6b9458dc57e30dafd8..861d11d613691aeaceeb042d67b40048a4827037 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -95,6 +95,9 @@ allow mediaserver hidl_token_hwservice:hwservice_manager find;
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
 
+# /vendor apk access
+allow mediaserver vendor_app_file:file r_file_perms;
+
 use_drmservice(mediaserver)
 allow mediaserver drmserver:drmservice {
     consumeRights