diff --git a/access_vectors b/access_vectors
index 1b26bce963052d660b498361431800437c16723a..659fb3632ca12ab1245e6f11bdcd620826090777 100644
--- a/access_vectors
+++ b/access_vectors
@@ -921,3 +921,14 @@ class debuggerd
 	dump_tombstone
 	dump_backtrace
 }
+
+class drmservice {
+	consumeRights
+	setPlaybackStatus
+	openDecryptSession
+	closeDecryptSession
+	initializeDecryptUnit
+	decrypt
+	finalizeDecryptUnit
+	pread
+}
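Review bot: The new `drmservice` class has no comment saying which daemon enforces it or what each permission gates. The eight names look like DRM service method names, but that mapping is not stated anywhere in the hunk. A header line above the class such as `# drmservice: checked by drmserver against the calling domain, one permission per guarded call` (wording to be confirmed against the service code) would help anyone auditing the class. It would also be worth stating whether service calls not listed here are intentionally left unchecked.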
diff --git a/drmserver.te b/drmserver.te
index 19931766ebe29f59c223cdcb4c7f40258168e29a..1d6b07552ae142cf1fe456c647d076aff31d31b6 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -46,3 +46,5 @@ allow drmserver asec_apk_file:file { read getattr };
 allow drmserver radio_data_file:file { read getattr };
 
 allow drmserver drmserver_service:service_manager add;
+
+selinux_check_access(drmserver)
diff --git a/mediaserver.te b/mediaserver.te
index 55d1f20531e05060078d7cc401f34da48d9ea5ae..ce3dc0d55094f6c9422a2c532dbab848ecb027ac 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -79,3 +79,15 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)
 allow mediaserver tee:unix_stream_socket connectto;
 
 allow mediaserver mediaserver_service:service_manager add;
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+    consumeRights
+    setPlaybackStatus
+    openDecryptSession
+    closeDecryptSession
+    initializeDecryptUnit
+    decrypt
+    finalizeDecryptUnit
+    pread
+};
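Review bot: Nothing visible in this change prevents another domain from later being granted `drmserver:drmservice` permissions, so the restriction to mediaserver holds only by convention. If mediaserver is meant to be the sole client of the decrypt path, a build-time rule such as `neverallow { domain -mediaserver } drmserver:drmservice *;` in drmserver.te would turn that intent into something the compiler enforces. It would need relaxing if device policy legitimately adds clients. Listing the permissions explicitly rather than using a wildcard is good, and a one-line comment above the `allow` saying why mediaserver needs all eight would make later narrowing easier.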
diff --git a/security_classes b/security_classes
index ca8f4689b3eb3fa91d8185abb58dc39e9f38f646..9cd3f1c392459bec24bcc4a5fbd27e47da602e1a 100644
--- a/security_classes
+++ b/security_classes
@@ -146,4 +146,5 @@ class keystore_key              # userspace
 # debuggerd service
 class debuggerd                 # userspace
 
+class drmservice                # userspace
 # FLASK
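Review bot: The added `class drmservice` line breaks the layout used by the entry just above it, which has a `# debuggerd service` comment before the class and a blank line after. As written, the new class sits directly on top of `# FLASK`, so that comment reads as if it belonged to the class. Suggest adding `# drm service` before the new line and a blank line between it and `# FLASK`.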
diff --git a/te_macros b/te_macros
index 7c1f6e5d87c9d07544fa7590e58db049ceed5b4b..fdcfe87dbeaa7de50848df304768c0b855929ce5 100644
--- a/te_macros
+++ b/te_macros
@@ -358,3 +358,13 @@ define(`use_keystore', `
   allow keystore $1:process getattr;
   binder_call($1, keystore)
 ')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+  allow drmserver $1:dir search;
+  allow drmserver $1:file { read open };
+  allow drmserver $1:process getattr;
+')
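Review bot: Unlike `use_keystore` just above (whose definition starts outside this hunk), `use_drmservice` does not include `binder_call($1, drmserver)`. A domain that invokes only this macro therefore gets the /proc rules for the caller lookup but not the binder path itself, unless that is granted elsewhere, which this diff does not show. Either add `binder_call($1, drmserver)` to the macro or state in the header that callers must grant it separately. The header should also say why the three rules exist: presumably they let drmserver read the caller's /proc/<pid> entry for getpidcon. Since a context looked up by PID can be stale once the caller exits and the PID is reused, the header should note that the lookup is only meaningful while the binder transaction is in progress.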