diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 1e3977a35255fb33b97b8eeefb6529b277deb7dd..1a8c53663497820576905bc1d287c9662ff55925 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -15,6 +15,7 @@
     apex_service
     apexd
     apexd_exec
+    apexd_prop
     apexd_tmpfs
     atrace
     binder_calls_stats_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index af805dfe2fd6c85e5bf5095fcc18bda4370350b4..4e42041b3d845056f14fb59300056f6fdc4e87b7 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -14,6 +14,7 @@
     apex_service
     apexd
     apexd_exec
+    apexd_prop
     apexd_tmpfs
     atrace
     binder_calls_stats_service
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 6c9fbee98dff6c79db662f430f0cb7f4341f7bb7..25e95c7949c69d4cef8781c122bfa18a6b9087a4 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -14,6 +14,7 @@
     apex_service
     apexd
     apexd_exec
+    apexd_prop
     apexd_tmpfs
     biometric_service
     ;; TODO(b/116344577): remove after the issue is resolved
diff --git a/public/apexd.te b/public/apexd.te
index 73daf388b0bc812163c680d925f6de142d371cbe..0f0f5ac569d3167c5164dff818f58aa628946998 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -4,8 +4,12 @@ type apexd_exec, exec_type, file_type, system_file_type;
 
 binder_use(apexd)
 add_service(apexd, apex_service)
+set_prop(apexd, apexd_prop)
 
 neverallow { domain -init -apexd } apex_service:service_manager find;
 neverallow { domain -init -apexd } apexd:binder call;
 
 neverallow domain apexd:process ptrace;
+
+# only apexd can set apexd sysprop
+neverallow { domain -apexd -init } apexd_prop:property_service set;
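Review bot: The comment above the new neverallow says only apexd can set the property, but the rule also exempts `init` (`{ domain -apexd -init }`), so the comment understates who is trusted to write `apexd.status`. Other components will presumably gate on this value, so the comment should name both writers, e.g. `# Only apexd and init may set apexd_prop; an allow rule for any other domain fails the policy build.` The `set_prop(apexd, apexd_prop)` added earlier in the hunk is the only allow rule visible here, which is consistent with the neverallow.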
diff --git a/public/property.te b/public/property.te
index 66e823afa120b734cd8acdc69ec57f139dcfd810..d903e002159588eed6506d6b71063c69a582721e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,3 +1,4 @@
+type apexd_prop, property_type;
 type audio_prop, property_type, core_property_type;
 type boottime_prop, property_type;
 type bluetooth_a2dp_offload_prop, property_type;
@@ -330,6 +331,7 @@ compatible_property_only(`
     -system_writes_vendor_properties_violators
   } {
     property_type
+    -apexd_prop
     -audio_prop
     -bluetooth_a2dp_offload_prop
     -bluetooth_prop
diff --git a/public/property_contexts b/public/property_contexts
index d58b1d4ee9fd02f228954d06514b7c17d85b2d83..5a24274d6c1256cfbdfd381a96db376f298db1db 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -150,6 +150,7 @@ vts.native_server.on u:object_r:exported3_default_prop:s0 exact bool
 wlan.driver.status u:object_r:exported_wifi_prop:s0 exact enum ok unloaded
 
 # vendor-init-readable
+apexd.status u:object_r:apexd_prop:s0 exact enum starting ready
 dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
 persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
 sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
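Review bot: `apexd.status` is added under the `# vendor-init-readable` heading, yet no hunk in this change grants read access on `apexd_prop` to vendor_init or any other domain; the vendor_init.te hunk appears only to exclude the type from a property set. If a domain other than init is meant to wait on this property, an explicit rule such as `get_prop(vendor_init, apexd_prop)` is needed. If not, the entry would be better placed outside this section so the file does not suggest access the policy does not grant. The rest of vendor_init.te is not visible here, so this should be confirmed against the full file.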
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c9aa0f2113fe72194c5b5b478c377e7162a61a69..bbfd4184d48f0b413afaaa464ad1794d963f6d9a 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -181,6 +181,7 @@ not_compatible_property(`
       -system_boot_reason_prop
       -bootloader_boot_reason_prop
       -last_boot_reason_prop
+      -apexd_prop
     })
 ')