diff --git a/bluetooth.te b/bluetooth.te
index 35a4774cb..4d9b4abf6 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -50,7 +50,6 @@ allow bluetooth pan_result_prop:property_service set;
 allow bluetooth ctl_dhcp_pan_prop:property_service set;
 
 allow bluetooth bluetooth_service:service_manager find;
-allow bluetooth keystore_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
 allow bluetooth surfaceflinger_service:service_manager find;
diff --git a/system_app.te b/system_app.te
index 2ea621c48..ea936aa1d 100644
--- a/system_app.te
+++ b/system_app.te
@@ -48,7 +48,6 @@ allow system_app anr_data_file:file create_file_perms;
 # Settings need to access app name and icon from asec
 allow system_app asec_apk_file:file r_file_perms;
 
-allow system_app keystore_service:service_manager find;
 allow system_app mediaserver_service:service_manager find;
 allow system_app nfc_service:service_manager find;
 allow system_app radio_service:service_manager find;
diff --git a/te_macros b/te_macros
index de3f9f5aa..35dfb4d01 100644
--- a/te_macros
+++ b/te_macros
@@ -336,6 +336,7 @@ define(`use_keystore', `
   allow keystore $1:dir search;
   allow keystore $1:file { read open };
   allow keystore $1:process getattr;
+  allow $1 keystore_service:service_manager find;
   binder_call($1, keystore)
 ')
 
diff --git a/untrusted_app.te b/untrusted_app.te
index ae6571994..bb93526a5 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -64,7 +64,6 @@ allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;
 
 allow untrusted_app drmserver_service:service_manager find;
-allow untrusted_app keystore_service:service_manager find;
 allow untrusted_app mediaserver_service:service_manager find;
 allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find;