diff --git a/gatekeeperd.te b/gatekeeperd.te
index 4a50e2cd8957f3621f4b419f6c163121b6092b4b..5f27aa92ac96e416f5ca04215bf9b312b05b536d 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -17,6 +17,12 @@ allow gatekeeperd keystore:keystore_key { add_auth };
 allow gatekeeperd system_server:binder call;
 allow gatekeeperd permission_service:service_manager find;
 
-neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
+# for SID file access
+allow gatekeeperd system_data_file:dir { add_name write};
+allow gatekeeperd system_data_file:file { write create open };
+
+# Apps using KeyStore API will request the SID from GateKeeper
+allow untrusted_app gatekeeper_service:service_manager find;
+binder_call(untrusted_app, gatekeeperd)
+
 neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
-neverallow { domain -system_server } gatekeeperd:binder call;