diff --git a/edgetpu/sepolicy/file_contexts b/edgetpu/sepolicy/file_contexts
index df0a63e..0cada88 100644
--- a/edgetpu/sepolicy/file_contexts
+++ b/edgetpu/sepolicy/file_contexts
@@ -15,7 +15,7 @@
 /vendor/lib64/libmetrics_logger\.so u:object_r:same_process_hal_file:s0
 /vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
 # EdgeTPU runtime libraries
-/vendor/lib64/com\.google\.edgetpu_app_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/com\.google\.edgetpu_app_service-V[1-3]-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
 # EdgeTPU data files
diff --git a/gxp/sepolicy/appdomain.te b/gxp/sepolicy/appdomain.te
new file mode 100644
index 0000000..ada9421
--- /dev/null
+++ b/gxp/sepolicy/appdomain.te
@@ -0,0 +1,2 @@
+# Allow apps to read gxp properties
+get_prop(appdomain, vendor_gxp_prop)
diff --git a/gxp/sepolicy/edgetpu_app_service.te b/gxp/sepolicy/edgetpu_app_service.te
new file mode 100644
index 0000000..780823f
--- /dev/null
+++ b/gxp/sepolicy/edgetpu_app_service.te
@@ -0,0 +1,6 @@
+# Allow Edgetpu App Service to access the GXP device and read GXP properties.
+allow edgetpu_app_server gxp_device:chr_file rw_file_perms;
+get_prop(edgetpu_app_server, vendor_gxp_prop)
+
+# Allows Edgetpu App Service to search for GXP firmware file.
+allow edgetpu_app_server vendor_fw_file:dir search;
diff --git a/gxp/sepolicy/priv_app.te b/gxp/sepolicy/priv_app.te
new file mode 100644
index 0000000..8afc24d
--- /dev/null
+++ b/gxp/sepolicy/priv_app.te
@@ -0,0 +1,3 @@
+# Allows privileged applications to access the GXP device, except open,
+# which is guarded by the EdgeTPU service.
+allow priv_app gxp_device:chr_file { getattr read write ioctl map };
diff --git a/gxp/sepolicy/untrusted_app_all.te b/gxp/sepolicy/untrusted_app_all.te
new file mode 100644
index 0000000..456dfee
--- /dev/null
+++ b/gxp/sepolicy/untrusted_app_all.te
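Review bot: The `get_prop(appdomain, vendor_gxp_prop)` rule in `gxp/sepolicy/appdomain.te` makes every property under `vendor_gxp_prop` readable by all app domains, untrusted apps included, and the one-line comment gives no reason why the widest app attribute is needed instead of the specific client domains that the sibling files grant device access to. Please document what these properties carry and the invariant that follows from this exposure, e.g. `# Readable by every app domain, including untrusted_app: nothing device-identifying or otherwise sensitive may be published under vendor_gxp_prop.` If the property type is not declared as an app-readable vendor property type, the system neverallows on vendor properties may reject this rule at build time — verify against its declaration, which is outside this diff.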
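Review bot: The last rule of `gxp/sepolicy/edgetpu_app_service.te` grants only `dir search` on `vendor_fw_file`, so if the service ever tries to read a firmware file under that directory the access is still denied; if path lookup is all that is intended, the comment should say so, e.g. `# Only path lookup is granted; this domain does not read the firmware contents (confirm against the service).`. The first rule grants `rw_file_perms`, which includes `open`, on `gxp_device`, and the sibling `priv_app.te`/`untrusted_app_all.te` files describe this service as the place that guards `open`; state that role above the rule so it is not widened elsewhere, e.g. `# The only app-facing domain allowed to open gxp_device; app domains presumably receive fds from this service after its own checks.`. The two comments also alternate between `Allow` and `Allows`; pick one form.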
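Review bot: The rule in `gxp/sepolicy/priv_app.te` grants `ioctl` on `gxp_device` with no accompanying `allowxperm priv_app gxp_device:chr_file ioctl { ... }` list, so a privileged app holding a device fd can issue every ioctl command the driver implements rather than only those the EdgeTPU service means to delegate; the identical rule in `gxp/sepolicy/untrusted_app_all.te` has the same gap. AOSP policy convention for device nodes reachable by apps is to pair `ioctl` with an allowxperm allowlist of the driver's command numbers; if the full command set is intentional, record it, e.g. `# ioctl is not narrowed by allowxperm: every GXP ioctl is reachable once an fd is obtained (confirm this is intended).`. The comment's `except open` holds only because no `open` permission is listed, which is worth stating explicitly so that a later change does not replace the set with `rw_file_perms`.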
@@ -0,0 +1,3 @@
+# Allows applications to access the GXP device, except open,
+# which is guarded by the EdgeTPU service.
+allow untrusted_app_all gxp_device:chr_file { getattr read write ioctl map };
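Review bot: The comment says `applications`, but `untrusted_app_all` is the broadest app attribute, so `write`, `ioctl` and `map` on a hardware device node become reachable from any third-party app that obtains an fd from the service, and the comment should make that exposure visible rather than reading like a narrow grant. Suggested wording: `# Reachable from every untrusted app once the EdgeTPU service hands out an fd; the gxp driver must treat all ioctl/write/mmap input arriving on these fds as hostile.`. Whether the service further restricts which apps receive an fd is not visible in this diff and should be confirmed.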