diff --git a/public/domain.te b/public/domain.te
index d2b370a21b244e639d80b16f2bd29c7ae74554cd..acbae692528333aec2b61b21d6c0bf7cbb02cec2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -691,6 +691,7 @@ full_treble_only(`
         -installd
         -postinstall_dexopt
         -system_server
+        -mediaserver
     } vendor_app_file:{ file lnk_file } r_file_perms;
 
     # Limit access to /vendor/overlay
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 6efaf0fdf4d640578345f64472a46eb1872796b9..93783fb3179c9db9f166b9db7cb4d76568ab3287 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -102,6 +102,9 @@ allow mediaserver hidl_token_hwservice:hwservice_manager find;
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
 
+# /vendor apk access
+allow mediaserver vendor_app_file:file r_file_perms;
+
 use_drmservice(mediaserver)
 allow mediaserver drmserver:drmservice {
     consumeRights