diff --git a/private/service_contexts b/private/service_contexts
index 5fd87dc06adc9e07898bcecea0e55246be09f688..8be98e95ea4557e35cd07bf934001d1367ae6c84 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -66,6 +66,7 @@ iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
 ims                                       u:object_r:radio_service:s0
 imms                                      u:object_r:imms_service:s0
+ipsec                                     u:object_r:ipsec_service:s0
 isms_msim                                 u:object_r:radio_service:s0
 isms2                                     u:object_r:radio_service:s0
 isms                                      u:object_r:radio_service:s0
diff --git a/public/netd.te b/public/netd.te
index 81f4af42bd3a8f57e7d7960601ee4df21a8cede8..35d9b7cee797e1fecd0f33a2a8fd8b7feb8e823c 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -80,6 +80,9 @@ allow netd netdomain:{
 } { read write getattr setattr getopt setopt };
 allow netd netdomain:fd use;
 
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
 ###
 ### Neverallow rules
 ###
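Review bot: The comment on the new netd rule restates the rule instead of giving the reason for it, and it understates what `nlmsg_write` allows. On a `netlink_xfrm_socket` that permission covers messages that change kernel IPsec state (security associations and policies), so netd becomes a domain that handles that state and presumably the key material passed with it. If the intent is for netd to act for the new ipsec service, I would write the comment as `# netd programs kernel IPsec SAs and policies over NETLINK_XFRM for the ipsec service; nlmsg_write permits modifying that state`. The neverallow section begins at the end of this hunk and its contents are not visible here. If no other domain is meant to hold an XFRM socket, a neverallow there limiting `netlink_xfrm_socket` to netd would keep the grant from spreading, which is worth confirming against vendor policy.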
diff --git a/public/service.te b/public/service.te
index 478b00eb1d2b1a170020fa7169f9fb32641eec6a..909b96ae22357f322a9abb6a0b47c4a64530f086 100644
--- a/public/service.te
+++ b/public/service.te
@@ -79,6 +79,7 @@ type hdmi_control_service, system_api_service, system_server_service, service_ma
 type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
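Review bot: `ipsec_service` is declared with both `app_api_service` and `ephemeral_app_api_service`, which as far as I know makes the service findable by every app domain, including instant apps. With that, SELinux places no restriction on which app can reach the binder interface, so access control for calls that end up driving netd's XFRM socket rests entirely on the service's own permission checks. If instant apps have no need for the IPsec API, the narrower declaration is `type ipsec_service, app_api_service, system_server_service, service_manager_type;`. If they do need it, the commit description should say which permission the service enforces per call so the exposure is a recorded decision.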