diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 617291e1ff24ceb393d1480f98687918ebe85673..2caedda3e1db3a4b859a2461413689290456e17e 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -34,6 +34,7 @@
     heapprofd
     heapprofd_exec
     heapprofd_socket
+    idmap_service
     intelligence_service
     iris_service
     llkd
diff --git a/private/file_contexts b/private/file_contexts
index 6d64c9b651a2cbd79ceb688dd7bcdb1eb30ad050..282120ca21b094639e4d73fde1e6903c553138e7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -277,6 +277,7 @@
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
 /system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
 /system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
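Review bot: The new `/system/bin/idmap2(d)?` entry gives the idmap2 tool and the idmap2d daemon the same `idmap_exec` label as the legacy `/system/bin/idmap`, so all three binaries end up in the single `idmap` domain. Combined with `init_daemon_domain(idmap)` in private/idmap.te and the `binder_use(idmap)` / `add_service(idmap, idmap_service)` rules in public/idmap.te, the installd-forked binary would also be allowed to register `idmap_service`, and the init-started daemon keeps the installd fd rules it presumably does not need. A separate exec type and domain for the daemon would keep the two permission sets apart. If the sharing is a deliberate stopgap until the STOPSHIP cleanup, say so next to this entry, e.g. `# idmap2 and idmap2d share the idmap domain until /system/bin/idmap is removed (b/118711077)`.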
diff --git a/private/idmap.te b/private/idmap.te
index 73abf355291f7ad485f2e8013794a23a63c287df..c982783b97f2b151a37b3588e44bffc4d9c104e0 100644
--- a/private/idmap.te
+++ b/private/idmap.te
@@ -1 +1,3 @@
 typeattribute idmap coredomain;
+
+init_daemon_domain(idmap)
diff --git a/private/service_contexts b/private/service_contexts
index cdf65216118f29ac2f7b8f6af245421a0d3e6cd0..55c2a35227bbd5bfd6fc64b1796358d5ca6dcd5d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -67,6 +67,7 @@ hardware                                  u:object_r:hardware_service:s0
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
 ians                                      u:object_r:radio_service:s0
+idmap                                     u:object_r:idmap_service:s0
 incident                                  u:object_r:incident_service:s0
 inputflinger                              u:object_r:inputflinger_service:s0
 input_method                              u:object_r:input_method_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 01f02119a52aa2f4a595e5b423017f79958ef166..c2033dbbdad67d7bb97164d3a154babfba5c7b86 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -186,6 +186,7 @@ binder_call(system_server, binderservicedomain)
 binder_call(system_server, dumpstate)
 binder_call(system_server, fingerprintd)
 binder_call(system_server, gatekeeperd)
+binder_call(system_server, idmap)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
 binder_call(system_server, netd)
@@ -656,6 +657,7 @@ allow system_server fingerprintd_service:service_manager find;
 allow system_server hal_fingerprint_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
 allow system_server gpu_service:service_manager find;
+allow system_server idmap_service:service_manager find;
 allow system_server incident_service:service_manager find;
 allow system_server installd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
diff --git a/public/idmap.te b/public/idmap.te
index 0899faa2ad4c4e445052b4639182465724e3ae6d..d76558aee6b418b4dd69ef80a865717a617d1961 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,9 +2,11 @@
 type idmap, domain;
 type idmap_exec, system_file_type, exec_type, file_type;
 
+# STOPSHIP remove /system/bin/idmap and the link between idmap and installd (b/118711077)
 # Use open file to /data/resource-cache file inherited from installd.
 allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file { getattr read write };
+allow idmap resourcecache_data_file:file create_file_perms;
+allow idmap resourcecache_data_file:dir rw_dir_perms;
 
 # Ignore reading /proc/<pid>/maps after a fork.
 dontaudit idmap installd:file read;
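Review bot: The comment `# Use open file to /data/resource-cache file inherited from installd.` no longer describes the rules beneath it. With `create_file_perms` on files and `rw_dir_perms` on the directory, the domain can create, rename, setattr and unlink entries under `resourcecache_data_file` on its own, where before it could only read and write a descriptor handed over by installd. I would keep the old comment on `allow idmap installd:fd use;` only and add one above the two new rules, e.g. `# idmap2d creates and removes idmap files under /data/resource-cache itself.` It is also worth checking whether the whole `create_file_perms` set is needed. If the daemon never renames files or changes their attributes, an explicit list such as `allow idmap resourcecache_data_file:file { create unlink rw_file_perms };` grants less.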
@@ -18,3 +20,7 @@ r_dir_file(idmap, vendor_app_file)
 
 # Allow apps access to /vendor/overlay
 r_dir_file(idmap, vendor_overlay_file)
+
+# Allow the idmap2d binary to register as a service and communicate via AIDL
+binder_use(idmap)
+add_service(idmap, idmap_service)
diff --git a/public/service.te b/public/service.te
index 8024a78cca2f4ff4373eddbefe5465c70fc781e6..f6741805abb7263ebdffaed952a2494008a51d55 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,6 +10,7 @@ type fingerprintd_service,      service_manager_type;
 type hal_fingerprint_service,   service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
 type gpu_service,               service_manager_type;
+type idmap_service,             service_manager_type;
 type iorapd_service,            service_manager_type;
 type inputflinger_service,      service_manager_type;
 type incident_service,          service_manager_type;