diff --git a/private/app.te b/private/app.te
index c3f44ddb9d8d3ec0bed7e12ad8879d3b137fc8a3..d6dc48cbbc1acde5f099584887a94611121f16f3 100644
--- a/private/app.te
+++ b/private/app.te
@@ -177,6 +177,9 @@ binder_call(appdomain, ephemeral_app)
 # TODO(b/34454312): only allow getting and talking to mediacodec service
 hwbinder_use(appdomain)
 
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services
diff --git a/private/system_server.te b/private/system_server.te
index 2711a8c1aeebbb06efc6183a54adb993380718cf..e200bef2d8ccfa0e04197a7df072c0d66f9dcce9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -199,6 +199,9 @@ hal_client_domain(system_server, hal_wifi)
 
 hal_client_domain(system_server, hal_wifi_supplicant)
 
+# Talk with graphics composer fences
+allow system_server hal_graphics_composer:fd use;
+
 # Talk to tombstoned to get ANR traces.
 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
 
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 46083f5cc8e554ceeac6c25396f50eec0f4c3e68..2a243cc5ed20c67b1f8c8f4660ff735a6ec156e5 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -14,6 +14,9 @@ hal_client_domain(cameraserver, hal_graphics_allocator)
 
 allow cameraserver ion_device:chr_file rw_file_perms;
 
+# Talk with graphics composer fences
+allow cameraserver hal_graphics_composer:fd use;
+
 add_service(cameraserver, cameraserver_service)
 allow cameraserver appops_service:service_manager find;
 allow cameraserver audioserver_service:service_manager find;