diff --git a/private/update_engine.te b/private/update_engine.te
index 8e09154ce..d828e1fe1 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -24,3 +24,8 @@ binder_call(update_engine, gki_apex_prepostinstall)
 # Allow to communicate with the snapuserd service, for dm-user snapshots.
 allow update_engine snapuserd:unix_stream_socket connectto;
 allow update_engine snapuserd_socket:sock_file write;
+
+# Allow to communicate with apexd for calculating and reserving space for
+# capex decompression
+allow update_engine apex_service:service_manager find;
+binder_call(update_engine, apexd)
diff --git a/public/apexd.te b/public/apexd.te
index 429791f57..53bc5692b 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -5,7 +5,7 @@ type apexd_exec, exec_type, file_type, system_file_type;
 
 binder_use(apexd)
 add_service(apexd, apex_service)
 
-neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager } apexd:binder call;
+neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
 neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
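Review bot: The new `binder_call(update_engine, apexd)` line lets update_engine invoke every transaction apexd exposes on apex_service, not only the space-calculation/reservation path the comment describes; SELinux cannot scope a binder call to a single method, so any narrowing has to come from apexd checking the caller on its other methods. It would help the next reader to say so next to the rule, e.g. `# Note: this permits all apex_service transactions; per-method restriction is apexd's responsibility.` The `apex_service:service_manager find` grant is the necessary counterpart of the neverallow relaxation in public/apexd.te in this same change, so the two must be kept in step.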
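Review bot: The widened exception sets on both neverallow lines carry no comment explaining why update_engine now joins init and system_server as a permitted finder and caller of apexd; the rationale exists only in private/update_engine.te, which someone auditing public/apexd.te in isolation will not see. A one-line comment above the first neverallow, e.g. `# update_engine is excepted so it can ask apexd to reserve space for capex decompression`, keeps the justification beside the assertion it weakens. The two lines also stay intentionally asymmetric (`-servicemanager` only on the binder call rule), which is consistent with the pre-change state and looks correct.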