diff --git a/system_server.te b/system_server.te
index 50c9d98b72bb34c781feac35b24490cce30d401f..96edd06e1f05053a0adcb5d61945b0dd3b97c3b7 100644
--- a/system_server.te
+++ b/system_server.te
@@ -241,6 +241,9 @@ allow system_server system_app_data_file:file create_file_perms;
 # Types extracted from seapp_contexts type= fields.
 allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write };
 
+# Receive and use open /data/media files passed over binder IPC.
+allow system_server media_rw_data_file:file { getattr read write };
+
 # Read /file_contexts and /data/security/file_contexts
 security_access_policy(system_server)