diff --git a/public/app.te b/public/app.te
index 064b25f16ee973065ee63298909e8234b0e461b0..77af57c8cc972fdc191f6f835d270520c66de489 100644
--- a/public/app.te
+++ b/public/app.te
@@ -154,6 +154,8 @@ binder_use(appdomain)
 binder_call(appdomain, binderservicedomain)
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
 
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
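Review bot: The added `binder_call(appdomain, ephemeral_app)` puts an ephemeral_app grant in app.te, so the ephemeral sandbox can no longer be audited from ephemeral_app.te alone. Consider keeping both directions in ephemeral_app.te, or at least expanding the comment to say what is granted and why, e.g. `# Allow every app domain to call into ephemeral apps and exchange binder references/fds with them (needed for <reason>).` As far as I recall, binder_call also grants a reply-side `transfer` and `fd use`, so the rule is wider than "perform binder IPC" suggests; please confirm against the macro definition, which is not visible here. The matching rule in public/ephemeral_app.te has the same undocumented rationale.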
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index 0f5b4b1238dd7c5988b033574618821e09ebe12f..bef547296e828dfd26e506f3ccd62b5da76cd9a8 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -54,6 +54,8 @@ binder_use(ephemeral_app)
 # Perform binder IPC to binder services.
 binder_call(ephemeral_app, surfaceflinger)
 binder_call(ephemeral_app, system_server)
+# Perform binder IPC to apps.
+binder_call(ephemeral_app, appdomain)
 
 # Allow read access to ion memory allocation device
 allow ephemeral_app ion_device:chr_file { read open };
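Review bot: `binder_call(ephemeral_app, appdomain)` targets the whole appdomain attribute, so ephemeral apps gain binder call/transfer to every app domain, presumably including more privileged app types (attribute membership is not visible in this hunk). The rules just above name individual targets (`surfaceflinger`, `system_server`), and this one departs from that pattern without explanation. If ephemeral apps only need to reach a few app types, list those explicitly. Otherwise state in the comment that SELinux no longer separates the two at the binder layer, e.g. `# Perform binder IPC to any app; per-component access control is left to the receiving app and the framework.`, if that is the intent.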