diff --git a/private/system_server.te b/private/system_server.te
index 7c81c45c825afad2e812de555eaed9f10004da5b..7b0ddaab841b8ed7d9181b606437dba1a10d0679 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -78,6 +78,9 @@ allow system_server self:global_capability2_class_set wake_alarm;
 # Create and share netlink_netfilter_sockets for tetheroffload.
 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 
+# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
+allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
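Review bot: The new rule on the `netlink_tcpdiag_socket` line is broader than its comment suggests: `nlmsg_read` on a tcpdiag socket lets system_server dump socket and owning-UID information for every process in the network namespace, not only the connections of the VPN app the comment names, so the scoping to "VPN apps" has to be enforced by whichever system_server code path performs the lookup rather than by this policy. It would help the next reader to state that here, e.g. `# nlmsg_read exposes socket/UID info for all UIDs; the lookup API in system_server must restrict callers to the VPN owner of the connection.` Leaving out `nlmsg_write` looks deliberate and is worth keeping as-is, since write access would additionally permit socket-destroy style requests; a short note to that effect (`# nlmsg_write intentionally omitted`) would prevent a later "fix" from widening the rule.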