diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil index e5236603d..08fa1ac00 100644 --- a/private/compat/30.0/30.0.ignore.cil +++ b/private/compat/30.0/30.0.ignore.cil @@ -9,6 +9,7 @@ apex_info_file cgroup_v2 debugfs_kprobes + dmabuf_system_heap_device gki_apex_prepostinstall gki_apex_prepostinstall_exec hal_fingerprint_service diff --git a/private/file_contexts b/private/file_contexts index 27bbb3d73..efb2c14b0 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -92,6 +92,7 @@ /dev/bus/usb(.*)? u:object_r:usb_device:s0 /dev/console u:object_r:console_device:s0 /dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0 +/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0 /dev/device-mapper u:object_r:dm_device:s0 /dev/eac u:object_r:audio_device:s0 /dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0 diff --git a/private/system_server.te b/private/system_server.te index 6042fffbb..f344bbbfb 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -933,6 +933,9 @@ allow system_server ion_device:chr_file r_file_perms; allow system_server cgroup_v2:dir rw_dir_perms; allow system_server cgroup_v2:file rw_file_perms; +# Access to /dev/dma_heap/system +allow system_server dmabuf_system_heap_device:chr_file r_file_perms; + r_dir_file(system_server, proc_asound) r_dir_file(system_server, proc_net_type) r_dir_file(system_server, proc_qtaguid_stat) diff --git a/public/app.te b/public/app.te index 8263c09e3..ad1696fdd 100644 --- a/public/app.te +++ b/public/app.te @@ -308,6 +308,7 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket } ioctl { unpriv_sock_ioctls unpriv_tty_ioctls }; allow { appdomain -isolated_app } ion_device:chr_file r_file_perms; +allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms; # Allow AAudio apps to use shared memory file descriptors from the HAL allow { appdomain -isolated_app } hal_audio:fd use; 
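Review bot: The new private/file_contexts entry labels only the exact node `/dev/dma_heap/system`, and nothing in this diff labels the `/dev/dma_heap` directory or any other heap node beneath it. Those paths keep whatever label the existing patterns give them, which is not visible here. The allow rules in this change grant `chr_file` access only, so it is worth confirming that each granted domain can already search the parent directory. It is also worth confirming that other heaps do not fall back to a broader device label than intended. A short comment above the entry, such as `# DMA-BUF system heap; other heaps need their own label`, would make the scope explicit.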
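Review bot: In public/app.te, the added `allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;` opens the heap node to every app domain except isolated_app, with no comment and nothing that keeps the exclusion in place. `r_file_perms` includes `ioctl`, and no `allowxperm` rule in this diff narrows the commands, so as far as the diff shows, untrusted apps can reach the heap driver's whole ioctl surface. I would add a why-comment above the rule, e.g. `# Allow apps to allocate from the DMA-BUF system heap (/dev/dma_heap/system)`. Consider pinning the exclusion with `neverallow isolated_app dmabuf_system_heap_device:chr_file *;`, provided no policy outside this diff needs that access. The public/mediaswcodec.te hunk adds a similarly uncommented grant.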
diff --git a/public/device.te b/public/device.te index 43d63225e..4282a2535 100644 --- a/public/device.te +++ b/public/device.te @@ -44,6 +44,7 @@ type zero_device, dev_type, mlstrustedobject; type fuse_device, dev_type, mlstrustedobject; type iio_device, dev_type; type ion_device, dev_type, mlstrustedobject; +type dmabuf_system_heap_device, dev_type, mlstrustedobject; type qtaguid_device, dev_type; type watchdog_device, dev_type; type uhid_device, dev_type; diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te index 992baabae..8e35225c9 100644 --- a/public/mediaswcodec.te +++ b/public/mediaswcodec.te @@ -23,3 +23,4 @@ neverallow mediaswcodec { file_type fs_type }:file execute_no_trans; # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *; +allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
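Review bot: In public/device.te, `dmabuf_system_heap_device` is declared with `mlstrustedobject`, which exempts the node from the MLS constraints, and nothing at the declaration says why. It mirrors the `ion_device` line directly above, so the intent is presumably that domains at any MLS level can open it. A comment such as `# DMA-BUF system heap; mlstrustedobject so apps at any MLS level can open it, as with ion_device` would record that decision for later audits.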
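Review bot: In public/mediaswcodec.te, the added `allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;` is appended directly after the closing `neverallow` rules with no blank line or comment, so it reads as part of the hardening block. I would move it up beside the domain's other allow rules, which are presumably earlier in the file and outside this hunk. It should also get a comment, e.g. `# Allow mediaswcodec to allocate from the DMA-BUF system heap`. The context lines describe this as a deliberately restricted media domain, so the comment should say why read and ioctl access to the heap is the minimum the codec needs.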