diff --git a/private/system_server.te b/private/system_server.te
index 54f016cb8c95fe79fbf4c59bfee29f5371022ba7..57f9b8be3296acf28f53b92815b4d0c03172f934 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -78,6 +78,9 @@ allow system_server self:global_capability2_class_set wake_alarm;
 # Create and share netlink_netfilter_sockets for tetheroffload.
 allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 
+# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
+allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
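Review bot: The comment above the new `netlink_tcpdiag_socket` rule states the purpose of the grant but not its limit, and the limit is what a later editor of this policy needs to see. `nlmsg_read` covers the sock_diag query messages, which can return owner UIDs for any socket on the device and not only the VPN app's own, while `nlmsg_write` (which SELinux maps to SOCK_DESTROY on this class) is left out. I would record that next to the rule, e.g. `# Read-only: nlmsg_read permits sock_diag queries; do not add nlmsg_write (SOCK_DESTROY) here.` Because the lookup is cross-UID, the framework code that calls it presumably has to restrict results to connections belonging to the requesting VPN app; that check is outside this diff and worth confirming before merge.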