diff --git a/device.te b/device.te
index 4d2dea36e8d05fbb520907b0ed05ad9d124d6118..cb15eeb9839890b4aac73e47e4ed1566fb7f3e0f 100644
--- a/device.te
+++ b/device.te
@@ -38,6 +38,7 @@ type video_device, dev_type;
 type vcs_device, dev_type;
 type zero_device, dev_type;
 type fuse_device, dev_type;
+type ion_device, dev_type;
 
 # All devices have a uart for the hci
 # attach service. The uart dev node
diff --git a/file_contexts b/file_contexts
index fa22c87771aed9d5938636771f75c65e99dcbf30..72c95a530048bf660fee64e9f6d510ed04986ef4 100644
--- a/file_contexts
+++ b/file_contexts
@@ -28,6 +28,7 @@
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
 /dev/input(/.*)		u:object_r:input_device:s0
+/dev/ion		u:object_r:ion_device:s0
 /dev/kmem		u:object_r:kmem_device:s0
 /dev/log(/.*)?		u:object_r:log_device:s0
 /dev/mem		u:object_r:kmem_device:s0
diff --git a/mediaserver.te b/mediaserver.te
index 16bbefa21d0684520e78a5706bc7d4d39277aafc..8236c7934ab3ac51e2ec8e649277f06ae73b96bb 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -24,3 +24,4 @@ allow mediaserver qemu_device:chr_file rw_file_perms;
 allow mediaserver sysfs:file rw_file_perms;
 # XXX Why?
 allow mediaserver apk_data_file:file { read getattr };
+allow mediaserver ion_device:chr_file rw_file_perms;