diff --git a/private/domain.te b/private/domain.te
index 6ca859a97bcce8c26849b1cdcf9d2fcedcbd80b9..614e4c71f26b50ca7270b0119ca945039da7cd0b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -105,7 +105,8 @@ full_treble_only(`
     -adbd
     -init
     -mediaprovider
-  }functionfs:file no_rw_file_perms;
+    -system_server
+  } functionfs:file no_rw_file_perms;
 
   # usbfs and binfmt_miscfs
   neverallow {
diff --git a/private/system_server.te b/private/system_server.te
index de2e3fea300841dd5cf7dadee810aa8c6ee2445d..a512e5d26e01dd986c611be27f6b63482a58b9c2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -761,6 +761,10 @@ userdebug_or_eng(`
   allow system_server mediaextractor_update_service:service_manager find;
 ')
 
+# UsbDeviceManager uses /dev/usb-ffs
+allow system_server functionfs:dir search;
+allow system_server functionfs:file rw_file_perms;
+
 ###
 ### Neverallow rules
 ###