diff --git a/keystore.te b/keystore.te
index a7f4b4d6462dbdd303a22dc5dcb7f5b2d9cac6c9..a3aa4c8adda181f1b12ea9576fe9283de8b138ce 100644
--- a/keystore.te
+++ b/keystore.te
@@ -1,6 +1,13 @@
 type keystore, domain;
+permissive keystore;
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon
 init_daemon_domain(keystore)
-unconfined_domain(keystore)
+typeattribute keystore mlstrustedsubject;
+binder_use(keystore)
+binder_service(keystore)
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
+allow keystore tee_device:chr_file rw_file_perms;
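Review bot: `permissive keystore;` near the top of the hunk means none of the new allow rules are enforced. Denials are only logged and the access still proceeds, so the daemon that holds key material stays effectively unconfined even though `unconfined_domain(keystore)` is removed. If this is a bring-up step, say so next to the line, e.g. `# TODO: drop permissive once logged keystore denials are resolved`, and remove it before the policy is relied on in enforcing builds. `typeattribute keystore mlstrustedsubject;` also exempts the domain from the MLS constraints and would benefit from a one-line comment naming the access that requires it.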