diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 26c781bd9..91e9aba05 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -49,6 +49,9 @@ allow surfaceflinger graphics_device:chr_file rw_file_perms;
 allow surfaceflinger video_device:dir r_dir_perms;
 allow surfaceflinger video_device:chr_file rw_file_perms;
+# Access the secure heap.
+allow surfaceflinger dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
 # Create and use netlink kobject uevent sockets.
 allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 7ef27113a..35a19debe 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -11,6 +11,9 @@ allow hal_graphics_allocator gpu_device:dir r_dir_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
 allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
+# Access the secure heap
+allow hal_graphics_allocator dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
 # allow to run with real-time scheduling policy
 allow hal_graphics_allocator self:global_capability_class_set sys_nice;
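Review bot: The added comment `# Access the secure heap.` only restates the rule and does not say why surfaceflinger needs it; the comment in the public/hal_graphics_allocator.te hunk has the same gap. `r_file_perms` includes `open` and `ioctl`, which on a dma-buf heap node is normally all that allocation requires, so this grant is in effect the right to allocate from the secure heap rather than a plain read. I would name the consumer in the comment, for example `# Allocate protected buffers from the system secure dma-buf heap for <use case>.`, so a later audit of who can reach the secure heap has a stated rationale to check against.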
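Review bot: This allow is written against the `hal_graphics_allocator` attribute in public policy, so it applies to every domain that carries the attribute and becomes part of the policy exported to vendor images. It mirrors the existing `dmabuf_system_heap_device` rule just above, but the secure heap is presumably more sensitive than the general system heap, so it is worth confirming that every attribute holder should receive it. If only the allocator service itself needs the device, scoping the rule to `hal_graphics_allocator_server` would keep the grant narrower.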