diff --git a/prebuilts/api/26.0/26.0.ignore.cil b/prebuilts/api/26.0/26.0.ignore.cil
index 709e80aca4174b634db6fa1985f2af6ad68aefc8..d8c328d808a6041ef8d4b51bd2e13bf594ad236b 100644
--- a/prebuilts/api/26.0/26.0.ignore.cil
+++ b/prebuilts/api/26.0/26.0.ignore.cil
@@ -13,6 +13,7 @@
  kmsg_debug_device
  mediaprovider_tmpfs
  netd_stable_secret_prop
+ package_native_service
  sysfs_fs_ext4_features
  system_net_netd_hwservice
  thermal_service
diff --git a/private/service_contexts b/private/service_contexts
index 1cb7c58dcb5a8bc9ce959f838919e5008675fc3a..a82243ffb8423229b51adfea67bf75cd9ba777b5 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -108,6 +108,7 @@ oem_lock u:object_r:oem_lock_service:s0
 otadexopt u:object_r:otadexopt_service:s0
 overlay u:object_r:overlay_service:s0
 package u:object_r:package_service:s0
+package_native u:object_r:package_native_service:s0
 permission u:object_r:permission_service:s0
 persistent_data_block u:object_r:persistent_data_block_service:s0
 phone_msim u:object_r:radio_service:s0
diff --git a/private/storaged.te b/private/storaged.te
index d5abd7314f55d6218276059865d1b1fb6ebb2985..20377e046d382daac107fa792ba5329231c09d20 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -43,6 +43,9 @@ binder_call(storaged, healthd)
 # Implements a dumpsys interface.
 allow storaged dumpstate:fd use;
+# use a subset of the package manager service
+allow storaged package_native_service:service_manager find;
+
 # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
 # running as root. See b/35323867 #3.
 dontaudit storaged self:capability dac_override;
diff --git a/public/service.te b/public/service.te
index a4a420f0e1d58eb98d7d7862f236c8dcb98170b6..e97b864db39d4a3c4d978fc6e660b18137abf384 100644
--- a/public/service.te
+++ b/public/service.te
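Review bot: In private/storaged.te the added rule grants only `find` on `package_native_service`; a servicemanager lookup does not by itself permit binder transactions with the process that hosts the service. The type is declared with `system_server_service`, so the host is presumably system_server, while the only binder grant visible in this hunk is the `binder_call(storaged, healthd)` shown in the hunk header. Unless the rest of the file (outside this hunk) already carries it, a `binder_call(storaged, system_server)` line directly under the new comment would keep the whole grant in one place and avoid runtime denials on the first call. The comment `# use a subset of the package manager service` would also read better if it named what storaged needs from the service, so a later audit can judge whether `find` is still warranted.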
@@ -102,6 +102,7 @@ type oem_lock_service, system_api_service, system_server_service, service_manage
 type otadexopt_service, system_server_service, service_manager_type;
 type overlay_service, system_api_service, system_server_service, service_manager_type;
 type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type package_native_service, system_server_service, service_manager_type;
 type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
 type pinner_service, system_server_service, service_manager_type;
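Review bot: The new `package_native_service` declaration in public/service.te has no comment saying which domains are meant to reach it, even though leaving out `app_api_service`, `ephemeral_app_api_service` and `system_api_service` looks like a deliberate restriction compared with `package_service` on the line above. Any existing rule written against the `system_server_service` or `service_manager_type` attributes will cover the new type automatically; those rules are outside this hunk, so it is worth checking which domains gain `find` that way before merging. A one-line comment above the type would record the intent, for example `# Native-client subset of the package manager; not exposed to apps.` (wording to be confirmed by the author).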