diff --git a/private/domain.te b/private/domain.te
index 6ca859a97bcce8c26849b1cdcf9d2fcedcbd80b9..614e4c71f26b50ca7270b0119ca945039da7cd0b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -105,7 +105,8 @@ full_treble_only(`
     -adbd
     -init
     -mediaprovider
-  }functionfs:file no_rw_file_perms;
+    -system_server
+  } functionfs:file no_rw_file_perms;
 
   # usbfs and binfmt_miscfs
   neverallow {
diff --git a/private/system_server.te b/private/system_server.te
index 75f4d345547a8f211befc5c761685e7ced6f0d0a..1905382206c3f7e813b1aec8f7136778fdb6f156 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -764,6 +764,10 @@ userdebug_or_eng(`
   allow system_server mediaextractor_update_service:service_manager find;
 ')
 
+# UsbDeviceManager uses /dev/usb-ffs
+allow system_server functionfs:dir search;
+allow system_server functionfs:file rw_file_perms;
+
 ###
 ### Neverallow rules
 ###