diff --git a/private/file_contexts b/private/file_contexts
index 2b700e5e6d028eb27bebcaed7583187c804d04d8..0546f84cd20b69ebbe90c06cfe086d4d934b5466 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -285,6 +285,7 @@
 
 # TODO: b/36790901 move this to /vendor/etc
 /(vendor|system/vendor)/manifest.xml           u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
 /(vendor|system/vendor)/app(/.*)?              u:object_r:vendor_app_file:s0
 /(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index 0226186101013e45724f42f6c9a326c5c57d2983..c51c04082471b82c0c38c323c89465a7e8175ca3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -86,6 +86,9 @@ allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_io
 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
 
+# libvintf reads the kernel config to verify vendor interface compatibility.
+allow system_server config_gz:file { read open };
+
 # Use generic "sockets" where the address family is not known
 # to the kernel. The ioctl permission is specifically omitted here, but may
 # be added to device specific policy along with the ioctl commands to be