diff --git a/sepolicy/su.te b/sepolicy/su.te
index 9b7d098..9cd6345 100644
--- a/sepolicy/su.te
+++ b/sepolicy/su.te
@@ -1,10 +1,12 @@
-type superuser_device, file_type;
+type superuser_device, file_type, mlstrustedobject;
 ## Perms for the daemon
 userdebug_or_eng(`
 domain_trans(init, su_exec, sudaemon)
+ typeattribute sudaemon domain, mlstrustedsubject;
+ type_transition sudaemon socket_device:sock_file superuser_device;
 # The userspace app uses /dev sockets to control per-app access
 allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
@@ -39,6 +41,7 @@ userdebug_or_eng(`
 dontaudit sudaemon domain:peer *;
 dontaudit sudaemon domain:binder *;
 dontaudit sudaemon property_type:property_service *;
+ dontaudit sudaemon appops_service:service_manager *;
 ')
 ## Perms for the app
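Review bot: The two MLS exemptions added in the first hunk (`mlstrustedobject` on `superuser_device` and `mlstrustedsubject` on `sudaemon`) carry no comment naming the denial they address, and they leave the type-enforcement allow rules as the only control on who can reach the daemon's sockets. The `type superuser_device` line sits outside `userdebug_or_eng`, so the object attribute is presumably attached on user builds too, while `sudaemon` only receives rules inside the macro. I would add a comment above each, for example `# MLS-exempt so apps at other levels can reach the control sockets; access is bounded by the allow rules below`, and confirm that the app-side allow rules on `superuser_device` (outside this hunk) are as narrow as intended. The `userdebug_or_eng` block continues past the end of the hunk.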
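Review bot: The added `dontaudit sudaemon appops_service:service_manager *;` in the second hunk silences every permission in the class, so any later denial of `sudaemon` against appops leaves no AVC record to investigate. If the noise being suppressed is only the service lookup, `dontaudit sudaemon appops_service:service_manager find;` keeps the other denials visible; this is inferred, since the triggering denial is not shown. The wildcard matches the neighbouring dontaudit lines, so a one-line comment stating why the daemon touches appops would help as well. The enclosing `userdebug_or_eng` block starts outside this hunk.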