diff --git a/access_vectors b/access_vectors
index e79ad1b80..c280f0840 100644
--- a/access_vectors
+++ b/access_vectors
@@ -890,25 +890,22 @@ class service_manager
 class keystore_key
 {
- test
+ get_state
 get
 insert
 delete
 exist
- saw
+ list
 reset
 password
 lock
 unlock
- zero
+ is_empty
 sign
 verify
 grant
 duplicate
 clear_uid
- reset_uid
- sync_uid
- password_uid
 add_auth
 user_changed
 }
diff --git a/app.te b/app.te
index af8c5089d..40de074db 100644
--- a/app.te
+++ b/app.te
@@ -185,7 +185,7 @@ control_logd(appdomain)
 # application inherit logd write socket (urge is to deprecate this long term)
 allow appdomain zygote:unix_dgram_socket write;
-allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
+allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
 use_keystore({ appdomain -isolated_app })
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 82c733d6e..0bfd33ae3 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -13,6 +13,6 @@ allow binderservicedomain console_device:chr_file rw_file_perms;
 allow binderservicedomain appdomain:fd use;
 allow binderservicedomain appdomain:fifo_file write;
-allow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
+allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
 use_keystore(binderservicedomain)
diff --git a/system_app.te b/system_app.te
index 811f4367b..3720c3d6c 100644
--- a/system_app.te
+++ b/system_app.te
@@ -57,17 +57,17 @@ allow system_app app_api_service:service_manager find;
 allow system_app system_api_service:service_manager find;
 allow system_app keystore:keystore_key {
- test
+ get_state
 get
 insert
 delete
 exist
- saw
+ list
 reset
 password
 lock
 unlock
- zero
+ is_empty
 sign
 verify
 grant
diff --git a/system_server.te b/system_server.te
index 961ad8677..42c3b62fa 100644
--- a/system_server.te
+++ b/system_server.te
@@ -373,25 +373,22 @@ allow system_server system_server_service:service_manager { add find };
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server keystore:keystore_key {
- test
+ get_state
 get
 insert
 delete
 exist
- saw
+ list
 reset
 password
 lock
 unlock
- zero
+ is_empty
 sign
 verify
 grant
 duplicate
 clear_uid
- reset_uid
- sync_uid
- password_uid
 add_auth
 user_changed
 };
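Review bot: Nothing in this diff shows the keystore daemon being updated alongside the policy, yet the change alters the permission names of the `keystore_key` class, which the daemon presumably checks by string. The affected names are the permissions dropped at the end of this allow block (`reset_uid`, `sync_uid`, `password_uid`) and the renames (`test` to `get_state`, `saw` to `list`, `zero` to `is_empty`), mirrored in the class definition in access_vectors. If the daemon still requests an old name, it asks for a permission the policy no longer defines, and whether that is refused or allowed depends on the policy's handle-unknown setting. It is worth confirming that the daemon change lands in the same release and that unknown permissions are denied. I would also document the coupling above the class in access_vectors, for example `# keystore_key permission names must match the strings keystore passes to its access check; change both together.`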