diff --git a/private/incidentd.te b/private/incidentd.te
index b88526347577ea7154081c804cec534c8e4ccd22..a887a61775d42745b9d2617ea9e2d00e0d0389c5 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -99,7 +99,14 @@ binder_call(incidentd, incident)
 ###
 
 # only system_server, system_app and incident command can find the incident service
-neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
+neverallow {
+  domain
+  -incident
+  -incidentd
+  -statsd
+  -system_app
+  -system_server
+} incident_service:service_manager find;
 
 # only incidentd and the other root services in limited circumstances
 # can get to the files in /data/misc/incidents
diff --git a/private/statsd.te b/private/statsd.te
index b04a7da38de0882f8208d745b08fe05b8a35fef2..dad3c6cc5af42019d1919f044788cf01f85970ae 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -41,8 +41,9 @@ unix_socket_connect(statsd, traced_consumer, traced)
 
 # Grant statsd with permissions to register the services.
 allow statsd {
-  statscompanion_service
   app_api_service
+  incident_service
+  statscompanion_service
   system_api_service
 }:service_manager find;