diff --git a/private/file_contexts b/private/file_contexts
index 4c047b02a92a054b2a9fbc7ec162e7c9057e232f..f0c394c711e093a23927b583a9ed793510b341a8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -283,6 +283,7 @@
 
 # TODO: b/36790901 move this to /vendor/etc
 /(vendor|system/vendor)/manifest.xml           u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
 /(vendor|system/vendor)/app(/.*)?              u:object_r:vendor_app_file:s0
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
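Review bot: The `.` in `compatibility_matrix.xml` on the added line is an unescaped regex metacharacter, so the entry matches any single character in that position rather than only a literal dot. Writing it as `/(vendor|system/vendor)/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0` keeps the label bound to exactly the one file it is meant for. The neighbouring `manifest.xml` context line has the same form, so the new line follows precedent, and both could be tightened together. If the TODO above is meant to cover the new entry as well, its wording could become `# TODO: b/36790901 move these to /vendor/etc`.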
diff --git a/private/system_server.te b/private/system_server.te
index cf9370235fc78bf4e7f5930fa9ce2293b2de3da8..05e47734b75ceed759fb80756917cc40412ca602 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -86,6 +86,9 @@ allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_io
 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
 
+# libvintf reads the kernel config to verify vendor interface compatibility.
+allow system_server config_gz:file { read open };
+
 # Use generic "sockets" where the address family is not known
 # to the kernel. The ioctl permission is specifically omitted here, but may
 # be added to device specific policy along with the ioctl commands to be
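Review bot: The new `config_gz` rule is inserted between the netlink socket allows and the generic "sockets" comment, which splits a run of socket rules with an unrelated file grant. It would read better next to the other file-access rules in system_server.te, which lie outside this hunk. The comment could also record that the grant is deliberately limited to `{ read open }`, so a later edit does not widen it to a broader macro such as `r_file_perms` without a reason. For example: `# libvintf reads the kernel config to verify vendor interface compatibility; read/open only, keep it minimal.`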