diff --git a/public/domain.te b/public/domain.te
index 5b50afd8a030108420c788806fa1f4b64dd376a6..31f21887de729c85b4594479c2186cdfc6e0b8f7 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -955,6 +955,7 @@ full_treble_only(`
         userdebug_or_eng(`-perfprofd')
         -postinstall_dexopt
         -system_server
+        -mediaserver
     } vendor_app_file:file r_file_perms;
 ')
 
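Review bot: The new `-mediaserver` entry in this exclusion list has no comment explaining why a core domain that parses untrusted media needs to read vendor app files, so the exception cannot be audited later. The rule's opening is outside the hunk, but the visible tail `} vendor_app_file:file r_file_perms;` inside `full_treble_only` suggests a neverallow on core domains. Each excluded name widens what a compromised process in that domain can read. I would add a comment beside the entry such as `# mediaserver: reads media resources from /vendor apks (bug: <BUG_ID>)`, with the tracking reference filled in.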
diff --git a/public/mediaserver.te b/public/mediaserver.te
index f0c94edc0ba89f2cd8c6ad55fa7b42db7b439070..e0fc76a5927b1e2354b1871c234e6c61300488a1 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -99,6 +99,9 @@ allow mediaserver hidl_token_hwservice:hwservice_manager find;
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
 
+# /vendor apk access
+allow mediaserver vendor_app_file:file r_file_perms;
+
 use_drmservice(mediaserver)
 allow mediaserver drmserver:drmservice {
     consumeRights
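Review bot: `r_file_perms` on the new allow rule includes `open`, so mediaserver can open any file labelled `vendor_app_file` by path rather than only read descriptors handed to it. If the use case is playing resources from an apk the caller has already opened and passed over Binder (not visible from this hunk), the narrower `allow mediaserver vendor_app_file:file { getattr read };` would cover it. That would keep a compromised mediaserver from opening vendor apks on its own. The comment `# /vendor apk access` should also give the reason, for example `# Read media resources from already-open /vendor apk files passed by apps`.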