diff --git a/private/file_contexts b/private/file_contexts
index b13807f796e5e41c600c7b402981300e1e22fd08..7384ce8a6b4c285d15e17f0f8267a4dc79dc923a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -282,6 +282,7 @@
 # TODO: b/36790901 move this to /vendor/etc
 /(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
 /(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
 /(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index 925c82d8d39a02e2f57cfb837aa63e3cfa8d8e6f..0e4ecdadea8f60ea40ca479ad7310eb71b39e73c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -86,6 +86,9 @@ allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_io
 allow system_server self:netlink_socket create_socket_perms_no_ioctl;
 allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+# libvintf reads the kernel config to verify vendor interface compatibility.
+allow system_server config_gz:file { read open };
+
 # Use generic "sockets" where the address family is not known
 # to the kernel. The ioctl permission is specifically omitted here, but may
 # be added to device specific policy along with the ioctl commands to be
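Review bot: The added `compatibility_matrix.xml` entry leaves the `.` unescaped, and file_contexts paths are regular expressions, so the pattern matches any single character in that position rather than only a literal dot. It mirrors the `manifest.xml` line above it, but the tighter form would be `/(vendor|system/vendor)/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0`. The entry also sits under the existing TODO about moving to /vendor/etc, so it will need the same follow-up when that move happens.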
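Review bot: The comment above `allow system_server config_gz:file { read open };` does not say which file the `config_gz` type covers or that the grant is deliberately limited to `read open`; I would expand it to something like `# libvintf reads the kernel config (config_gz, presumably /proc/config.gz; confirm) to verify vendor interface compatibility; read-only, getattr and ioctl intentionally not granted.` Keeping the permission set this narrow is appropriate for a domain as privileged as system_server, so it is worth recording that it is intentional. If the libvintf read path ever stats the file, a `getattr` denial would show up in the audit log, which is worth checking on a device build before this merges.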