diff --git a/public/vdc.te b/public/vdc.te
index 53d7bbe2cf7a099955b962e6a4d1728eee87418d..75a5d1b8a32f2e8ac818d5569ba4b79da6d60769 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -8,16 +8,20 @@
 type vdc, domain;
 type vdc_exec, exec_type, file_type;
 
+# TODO: remove as part of 13758960
 unix_socket_connect(vdc, vold, vold)
 
 # vdc sends information back to dumpstate when "adb bugreport" is used
+# TODO: remove as part of 13758960
 allow vdc dumpstate:fd use;
 allow vdc dumpstate:unix_stream_socket { read write getattr };
 
 # vdc information is written to shell owned bugreport files
+# TODO: remove as part of 13758960
 allow vdc shell_data_file:file { write getattr };
 
 # Why?
+# TODO: remove as part of 13758960
 allow vdc dumpstate:unix_dgram_socket { read write };
 
 # vdc can be invoked with logwrapper, so let it write to pty
@@ -25,3 +29,8 @@ allow vdc devpts:chr_file rw_file_perms;
 
 # vdc writes directly to kmsg during the boot process
 allow vdc kmsg_device:chr_file w_file_perms;
+
+# vdc talks to vold over Binder
+binder_use(vdc)
+binder_call(vdc, vold)
+allow vdc vold_service:service_manager find;
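Review bot: The new Binder rules at the end of vdc.te are added while `unix_socket_connect(vdc, vold, vold)` at the top of the file stays in place, so until the TODO for 13758960 is resolved vdc holds two separate channels into vold. The comment above `binder_use(vdc)` should state that, for example `# vdc talks to vold over Binder; the socket rules above are legacy and are removed with 13758960`, so a later reader does not treat both paths as intended. It would also help to note next to `allow vdc vold_service:service_manager find;` that this rule depends on the matching exemption in the vold.te neverallow.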
diff --git a/public/vold.te b/public/vold.te
index b2ffbd3569265dfe6375ba8aa7e0b48a38a21f5f..a74354afd2bbbfa3e6ed13c0c11321a5700a77ef 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -198,8 +198,8 @@ neverallow { domain -vold -init } vold_data_file:dir *;
 neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
-# Only system_server can interact with vold over binder
-neverallow { domain -system_server -vold } vold_service:service_manager find;
+# Only system_server and vdc can interact with vold over binder
+neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
 neverallow vold {
   domain
   -hal_keymaster
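Review bot: The relaxed neverallow on `vold_service:service_manager find` now exempts the whole vdc domain, but the updated comment only restates the rule and gives no reason for the exemption. Any domain that is allowed to transition into vdc gains this route to vold's Binder interface, so the comment should record the rationale, for example `# vdc is the command-line client for vold and needs find; keep the set of domains that can transition into vdc minimal`. Which domains may enter vdc is not visible in this diff and is worth checking alongside the change. The `neverallow vold {` block that follows continues past the end of the hunk.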