diff --git a/prebuilts/api/26.0/26.0.ignore.cil b/prebuilts/api/26.0/26.0.ignore.cil
index e713bc1ca4c59a333bb5082bf49fe086afccfb14..f027478dcfd865622a66cac5c1a35bc72697b608 100644
--- a/prebuilts/api/26.0/26.0.ignore.cil
+++ b/prebuilts/api/26.0/26.0.ignore.cil
@@ -13,6 +13,7 @@
 kmsg_debug_device
 mediaprovider_tmpfs
 netd_stable_secret_prop
+ package_native_service
 sysfs_fs_ext4_features
 system_net_netd_hwservice
 timezone_service
diff --git a/private/service_contexts b/private/service_contexts
index c6c7ec081ec0c975647070f7c762013be88d1251..10613caec3ba54b92ab18488f83e6987d5557697 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -108,6 +108,7 @@ oem_lock u:object_r:oem_lock_service:s0
 otadexopt u:object_r:otadexopt_service:s0
 overlay u:object_r:overlay_service:s0
 package u:object_r:package_service:s0
+package_native u:object_r:package_native_service:s0
 permission u:object_r:permission_service:s0
 persistent_data_block u:object_r:persistent_data_block_service:s0
 phone_msim u:object_r:radio_service:s0
diff --git a/private/storaged.te b/private/storaged.te
index d5abd7314f55d6218276059865d1b1fb6ebb2985..20377e046d382daac107fa792ba5329231c09d20 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -43,6 +43,9 @@ binder_call(storaged, healthd)
 # Implements a dumpsys interface.
 allow storaged dumpstate:fd use;
+# use a subset of the package manager service
+allow storaged package_native_service:service_manager find;
+
 # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
 # running as root. See b/35323867 #3.
 dontaudit storaged self:capability dac_override;
diff --git a/public/service.te b/public/service.te
index 5722e25fbec34c6afa3700d3e6b40b0779284ebf..6955755f8b5e95054add9598876ca6338fd3844b 100644
--- a/public/service.te
+++ b/public/service.te
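Review bot: In private/storaged.te the added comment `# use a subset of the package manager service` does not say which interface storaged needs or why, which is the first thing a later least-privilege audit of this allow rule will ask. The rule grants only `find` on `package_native_service`; the Binder transaction to the domain hosting the service needs its own `binder_call`, and only `binder_call(storaged, healthd)` is visible here, so it is worth confirming that the rule for the hosting domain exists elsewhere in the file. I would reword the comment along the lines of `# Look up the package_native service (subset of the package manager); find only, storaged does not register it.`, followed by one sentence naming the data storaged reads from it.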
@@ -101,6 +101,7 @@ type oem_lock_service, system_api_service, system_server_service, service_manage
 type otadexopt_service, system_server_service, service_manager_type;
 type overlay_service, system_api_service, system_server_service, service_manager_type;
 type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type package_native_service, system_server_service, service_manager_type;
 type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
 type pinner_service, system_server_service, service_manager_type;
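Review bot: `package_native_service` is declared with the `system_server_service` and `service_manager_type` attributes, so every existing rule written against those attributes applies to the new type automatically, not only the explicit `find` this commit adds for storaged. Leaving out `app_api_service`, `ephemeral_app_api_service` and `system_api_service` (which the neighbouring `package_service` line partly carries) keeps rules keyed on those attributes from matching. Rules outside this diff that grant `find` on a whole attribute minus an exclusion list would still pick the type up, so it is worth checking whether it belongs in any such exclusion. If storaged is meant to be the only non-system client, a `neverallow` on `package_native_service:service_manager find` for the remaining domains would make that intent enforceable at build time. A short comment above the declaration, e.g. `# Subset of the package manager service used by storaged (private/storaged.te)`, would record why the type exists.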