diff --git a/gatekeeperd.te b/gatekeeperd.te
index 39d9d210c..4d62ce4f7 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -3,6 +3,7 @@ type gatekeeperd_exec, exec_type, file_type;
 # gatekeeperd
 init_daemon_domain(gatekeeperd)
+binder_service(gatekeeperd)
 binder_use(gatekeeperd)
 allow gatekeeperd tee_device:chr_file rw_file_perms;
diff --git a/service.te b/service.te
index da01071b5..3dfa296cf 100644
--- a/service.te
+++ b/service.te
@@ -1,10 +1,10 @@
 type bluetooth_service, service_manager_type;
 type default_android_service, service_manager_type;
 type drmserver_service, service_manager_type;
+type gatekeeper_service, app_api_service, service_manager_type;
 type healthd_service, service_manager_type;
 type inputflinger_service, service_manager_type;
 type keystore_service, service_manager_type;
-type gatekeeper_service, service_manager_type;
 type mediaserver_service, service_manager_type;
 type nfc_service, service_manager_type;
 type radio_service, service_manager_type;
diff --git a/untrusted_app.te b/untrusted_app.te
index 1b7aaeefd..5ad8c79bd 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -93,10 +93,6 @@ allow untrusted_app persistent_data_block_service:service_manager find;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-# Apps using KeyStore API will request the SID from GateKeeper
-allow untrusted_app gatekeeper_service:service_manager find;
-binder_call(untrusted_app, gatekeeperd)
-
 ###
 ### neverallow rules
 ###
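Review bot: The added `binder_service(gatekeeperd)` in gatekeeperd.te replaces a caller list that was spelled out in policy with an attribute-wide grant. The only app-side caller used to be the explicit `binder_call(untrusted_app, gatekeeperd)` that the untrusted_app.te hunk deletes, so this file no longer shows who may call the daemon. The domain keeps `rw_file_perms` on `tee_device` two lines below, so the caller checks inside gatekeeperd become the effective gate for anything beyond reading the SID. Those checks are presumably there on the enroll and verify paths, but they are not visible in this diff and should be confirmed. A comment above the new line would record the intent, e.g. `# Reachable by app domains for SID lookup only; privileged calls are gated by caller checks in gatekeeperd`.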
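Review bot: The new `gatekeeper_service` declaration in service.te gains `app_api_service` with nothing recording why. The only explanation of app access, "Apps using KeyStore API will request the SID from GateKeeper", is deleted in the untrusted_app.te hunk. Carrying it over as a comment on the type line, e.g. `# app_api_service: KeyStore API clients request the SID from GateKeeper`, would let a later audit of app-reachable services see why a TEE-backed service is on the list. The attribute presumably extends `find` to every domain granted `app_api_service`, not only untrusted_app, so the comment should say "apps" rather than name a single domain.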