diff --git a/private/app.te b/private/app.te
index ffe6598d6544004dbbb39d8aae994bea55a803fc..876406ffe529664f4c55295a7672902bb954d073 100644
--- a/private/app.te
+++ b/private/app.te
@@ -23,3 +23,6 @@ neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain -crash_dump -rs }:process { transition };
neverallow { appdomain -shell userdebug_or_eng(`-su') }
{ domain -appdomain }:process { dyntransition };
+
+# Disallow apps from using IP memory store
+neverallow { appdomain -shell } ipmemorystore_service:service_manager *;
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 91724c07949c465f14839afd37660cc304640719..351ed54ebadae7f52d7735661b22e27d9a9b02e0 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -102,6 +102,7 @@
iorapd_exec
iorapd_service
iorapd_tmpfs
+ ipmemorystore_service
kmsg_debug_device
last_boot_reason_prop
llkd
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index ff1c8578189c254b8d37252f07f0e31f70110943..da1eaa9deaedf0339c8b009d155f11a50f15eca5 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -93,6 +93,7 @@
iorapd_exec
iorapd_service
iorapd_tmpfs
+ ipmemorystore_service
last_boot_reason_prop
llkd
llkd_exec
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 4f9a65724c6a58a74400bc006a61a965ab7f0be6..45b3aa1f5c6ae008f60a18c914071b791f491232 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -47,6 +47,7 @@
heapprofd_prop
heapprofd_socket
idmap_service
+ ipmemorystore_service
iris_service
iris_vendor_data_file
llkd
diff --git a/private/service_contexts b/private/service_contexts
index 47604529ff27411b2cc179c4433b437d4c0c87fd..34e4c543f0fef07b77d3e9ed3bdd4f343b3f1cbc 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -82,6 +82,7 @@ iphonesubinfo2 u:object_r:radio_service:s0
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
imms u:object_r:imms_service:s0
+ipmemorystore u:object_r:ipmemorystore_service:s0
ipsec u:object_r:ipsec_service:s0
iris u:object_r:iris_service:s0
isms_msim u:object_r:radio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index ed19b82f54348a71e5fe9292b5317928ff68bd1c..39af1e6352bd178b593d3da5c727d2603130a3de 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -74,6 +74,7 @@ allow system_app {
-dumpstate_service
-installd_service
-iorapd_service
+ -ipmemorystore_service
-netd_service
-virtual_touchpad_service
-vold_service
diff --git a/public/service.te b/public/service.te
index b21de1d33fa4bb24ab2d3aa9bb32dcf61d238144..c926490f8b1221933e619a2f9b441de2a8d15db3 100644
--- a/public/service.te
+++ b/public/service.te
@@ -101,6 +101,7 @@ type hdmi_control_service, system_api_service, system_server_service, service_ma
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipmemorystore_service, system_server_service, service_manager_type;
type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index aea13ef708bb42c650a80b4fd080eca42dd7540c..0bce885361f7019e11af88b4ff89c1e8fa9a4e1d 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -11,6 +11,7 @@ allow traceur_app {
-gatekeeper_service
-incident_service
-installd_service
+ -ipmemorystore_service
-iorapd_service
-netd_service
-virtual_touchpad_service