diff --git a/private/service_contexts b/private/service_contexts
index a65cb01a23b8823bb1f6483d3248c3a75d89f7d5..943cdeeaab95a1827b390809f32c42b23e36d9f8 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -66,6 +66,7 @@ iphonesubinfo2 u:object_r:radio_service:s0
 iphonesubinfo u:object_r:radio_service:s0
 ims u:object_r:radio_service:s0
 imms u:object_r:imms_service:s0
+ipsec u:object_r:ipsec_service:s0
 isms_msim u:object_r:radio_service:s0
 isms2 u:object_r:radio_service:s0
 isms u:object_r:radio_service:s0
diff --git a/public/netd.te b/public/netd.te
index 939d714f9bddb67fd97df4621aad19daed3254df..3a48cd389e26dec11f792f36fb4f7ce3964a2b27 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -83,6 +83,9 @@ allow netd netdomain:{
 } { read write getattr setattr getopt setopt };
 allow netd netdomain:fd use;
 
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/service.te b/public/service.te
index 91723534b18702da94fc80def93d9dee40af4d0b..96a692ac2b5f52728a62106478a65d443358171c 100644
--- a/public/service.te
+++ b/public/service.te
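Review bot: The comment above the new `allow netd self:netlink_xfrm_socket` rule in public/netd.te restates the rule instead of saying why netd needs it. `nlmsg_write` is the sensitive permission here, because it lets the domain change the kernel's IPsec (XFRM) policies and security associations rather than only query them. I would word the comment along the lines of `# netd programs kernel IPsec (XFRM) state for the ipsec service; nlmsg_write allows modifying SAs and policies`, assuming that is the intent, which the hunk does not show. It is also worth checking whether the Neverallow section that follows should stop other domains from gaining write access to `netlink_xfrm_socket`; only the first three lines of that section are visible here.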
@@ -81,6 +81,7 @@ type hdmi_control_service, system_api_service, system_server_service, service_ma
 type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
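Review bot: The added `ipsec_service` type carries `app_api_service` and `ephemeral_app_api_service`, which by the usual meaning of those attributes makes the service findable by every app domain, including ephemeral (instant) apps. The attribute list matches the neighbouring entries exactly, so it may have been copied rather than chosen for a service that manages IPsec state. If untrusted apps are not meant to reach it directly, narrow the declaration to `type ipsec_service, system_server_service, service_manager_type;` and grant `find` to the specific domains that need it. If they are meant to reach it, SELinux no longer gates access, and each binder method of the service must enforce its own permission and ownership checks, which this diff does not show. A one-line comment naming the intended callers would make the choice reviewable.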