diff --git a/private/apexd.te b/private/apexd.te
index 50a7a721e..feee8ff22 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -186,3 +186,6 @@ allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
 allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
 allow apexd postinstall_apex_mnt_dir:lnk_file create;
 allow apexd proc_filesystems:file r_file_perms;
+
+# Allow calling derive_classpath to gather BCP information for staged sessions
+domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
diff --git a/private/apexd_derive_classpath.te b/private/apexd_derive_classpath.te
new file mode 100644
index 000000000..d4c5496b7
--- /dev/null
+++ b/private/apexd_derive_classpath.te
@@ -0,0 +1,9 @@
+# Exclusive domain for apexd calling into derive_classpath binary
+type apexd_derive_classpath, domain, coredomain;
+
+# Allow the binary to write into output file at location /apex/derive_classpath_temp
+allow apexd_derive_classpath apexd:fd use;
+allow apexd_derive_classpath apex_mnt_dir:file { write open };
+# Allow the binary to log using logwrap
+allow apexd_derive_classpath apexd_devpts:chr_file { read write };
+
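Review bot: The comment above `domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);` in private/apexd.te ties the rule to staged sessions, but an automatic transition applies to every exec of a `derive_classpath_exec` file from apexd, not only that call path. I would word it as `# Run derive_classpath in the restricted apexd_derive_classpath domain whenever apexd executes it (gathers bootclasspath information for staged sessions)`, which also spells out "BCP" and tells the reader where the child's permissions are defined.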
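Review bot: In private/apexd_derive_classpath.te, `allow apexd_derive_classpath apex_mnt_dir:file { write open };` is wider than its comment: it lets the new domain open and write any file carrying the `apex_mnt_dir` label, while the stated need is the single output file /apex/derive_classpath_temp. How many other files carry that label is not visible in this diff. If there are any, giving the temp file its own type (placeholder name `apexd_derive_classpath_temp_file`) and granting `{ write open }` only on that type would keep the helper from touching the rest of /apex. The header calls this an "exclusive" domain, but nothing in the file enforces that; a rule such as `neverallow { domain -apexd } apexd_derive_classpath:process transition;` would make the build fail if another domain is later allowed to enter it.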