diff --git a/private/system_server.te b/private/system_server.te
index 49bba86a5eb2581ed6551055cf959f57f99c891d..7104135792201d8fe59dcaf1c0b30dbd28c68188 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -941,6 +941,10 @@ allow system_server system_server_startup:fd use;
 allow system_server system_server_startup_tmpfs:file { read write map };
 allow system_server system_server_startup:unix_dgram_socket write;
 
+# Allow system server to communicate to apexd
+allow system_server apex_service:service_manager find;
+allow system_server apexd:binder call;
+
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
diff --git a/public/apexd.te b/public/apexd.te
index 0f0f5ac569d3167c5164dff818f58aa628946998..f990879217cfbdf64c12f10f4c7b2a8b545812e0 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -6,8 +6,8 @@ binder_use(apexd)
 add_service(apexd, apex_service)
 set_prop(apexd, apexd_prop)
 
-neverallow { domain -init -apexd } apex_service:service_manager find;
-neverallow { domain -init -apexd } apexd:binder call;
+neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server } apexd:binder call;
 
 neverallow domain apexd:process ptrace;