diff --git a/keystore.te b/keystore.te
index bb2e9d89160487f83f8ebf0c5199daa837d6860a..3d7bd9210b975075af517797d6a9b78c5b8d0ae6 100644
--- a/keystore.te
+++ b/keystore.te
@@ -6,6 +6,7 @@ init_daemon_domain(keystore)
 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
+binder_call(keystore, system_server)
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
@@ -13,6 +14,7 @@ allow keystore tee_device:chr_file rw_file_perms;
 allow keystore tee:unix_stream_socket connectto;
 
 allow keystore keystore_service:service_manager { add find };
+allow keystore sec_key_att_app_id_provider_service:service_manager find;
 
 # Check SELinux permissions.
 selinux_check_access(keystore)
diff --git a/service.te b/service.te
index d72d6552ac7d1a64ccfad98179bbbb3303a49858..d6d1110ff1e9f5a15a5d04e4c2492f615ef8b9d2 100644
--- a/service.te
+++ b/service.te
@@ -95,6 +95,7 @@ type rttmanager_service, app_api_service, system_server_service, service_manager
 type samplingprofiler_service, system_server_service, service_manager_type;
 type scheduling_policy_service, system_server_service, service_manager_type;
 type search_service, app_api_service, system_server_service, service_manager_type;
+type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
 type sensorservice_service, app_api_service, system_server_service, service_manager_type;
 type serial_service, system_api_service, system_server_service, service_manager_type;
 type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 2b7a1b113baea63ca315f8498b3cb128bcf6d1e8..ad836d77bdbd61440e02843c4c5257de34f3bf36 100644
--- a/service_contexts
+++ b/service_contexts
@@ -93,6 +93,7 @@ nfc                                       u:object_r:nfc_service:s0
 notification                              u:object_r:notification_service:s0
 otadexopt                                 u:object_r:otadexopt_service:s0
 package                                   u:object_r:package_service:s0
+sec_key_att_app_id_provider               u:object_r:sec_key_att_app_id_provider_service:s0
 permission                                u:object_r:permission_service:s0
 persistent_data_block                     u:object_r:persistent_data_block_service:s0
 phone_msim                                u:object_r:radio_service:s0