diff --git a/access_vectors b/access_vectors
index 65b7e2226a9bb0d220661603062d507ad3c8fbf7..e79ad1b80e87d8d06da32d303684777da4eb0410 100644
--- a/access_vectors
+++ b/access_vectors
@@ -910,6 +910,7 @@ class keystore_key
 	sync_uid
 	password_uid
 	add_auth
+	user_changed
 }
 
 class debuggerd
diff --git a/system_app.te b/system_app.te
index 407b85e7de9f4b8309a8cd3dd2fdf07afb1e0327..811f4367be1c2fcd1feec98ffb3e7f7b45ef51cf 100644
--- a/system_app.te
+++ b/system_app.te
@@ -73,6 +73,7 @@ allow system_app keystore:keystore_key {
 	grant
 	duplicate
 	clear_uid
+	user_changed
 };
 
 control_logd(system_app)
diff --git a/system_server.te b/system_server.te
index d225b7c862334c02cc968bbdf3f8ab90316e7aed..961ad867703aa826f3b0edf69ee3854e4cd4c552 100644
--- a/system_server.te
+++ b/system_server.te
@@ -393,6 +393,7 @@ allow system_server keystore:keystore_key {
 	sync_uid
 	password_uid
 	add_auth
+	user_changed
 };
 
 # Allow system server to search and write to the persistent factory reset