diff --git a/private/system_server.te b/private/system_server.te
index ae6d687ee96bdd0eb5ced45992fbaaef65287727..e183606d75096ce13ef594da318825a05e16b854 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -789,6 +789,13 @@ allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write sh
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
+# Allow system process to setup and measure fs-verity
+allowxperm system_server apk_data_file:file ioctl {
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+# Allow system process to access the keyring.
+allow system_server kernel:key search;
+
 # Postinstall
 #
 # For OTA dexopt, allow calls coming from postinstall.
diff --git a/public/installd.te b/public/installd.te
index f21cef90912c35c72ee8fdde1625e19d80ed0b50..ccf28ec26de30aff1b4c2415a5a106b5599c2808 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -13,10 +13,11 @@ allow installd apk_data_file:dir { create_dir_perms relabelfrom };
 allow installd apk_data_file:file { create_file_perms relabelfrom link };
 allow installd apk_data_file:lnk_file { create r_file_perms unlink };
 
-# FS_IOC_ENABLE_VERITY and FS_IOC_SET_VERITY_MEASUREMENT ioctls
-# on APKs in /data/app, to support fsverity
+# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
+# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
+# TODO(b/120629632): this path is deprecated, remove when possible.
 allowxperm installd apk_data_file:file ioctl {
-  FS_IOC_ENABLE_VERITY FS_IOC_SET_VERITY_MEASUREMENT
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
 };
 
 allow installd asec_apk_file:file r_file_perms;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index ab2f7c5543fd5a029a2a9fe10e832409b97d6f23..c5b412b2c4e62db4001607705ebb9d49711f8e5d 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -807,8 +807,8 @@ define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
 define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
 define(`FS_IOC_GETFLAGS', `0x80086601')
 define(`FS_IOC_GETVERSION', `0x80087601')
+define(`FS_IOC_MEASURE_VERITY', `0x6686')
 define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
-define(`FS_IOC_SET_VERITY_MEASUREMENT', `0x6686')
 define(`FS_IOC_SETFLAGS', `0x40086602')
 define(`FS_IOC_SETVERSION', `0x40087602')
 define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')