diff --git a/domain.te b/domain.te
index b0d7c95d66e69dfa5716932062271476366c0dce..eebe1a5c71ec69482fa5933e1f1c73053b00cf3c 100644
--- a/domain.te
+++ b/domain.te
@@ -246,3 +246,7 @@ neverallow {
     -system_server
     -zygote
 } { file_type -system_file -exec_type }:file execute;
+
+# Only the init property service should write to /data/property.
+neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
+neverallow { domain -init } property_data_file:file { create setattr relabelfrom write append unlink link rename };
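Review bot: The comment above the two added neverallow rules says only the init property service may write, but the rules exempt the whole `init` domain. Any process that runs in that domain keeps write access to /data/property, for example a service started without its own domain transition, if the device has one. I would word the comment to match the rule, e.g. `# Only the init domain, which hosts the property service, may modify /data/property.` If leaving read, getattr and search out of the neverallow is intentional, a second comment line saying so would help vendors extending the policy. The `neverallow {` statement that precedes these lines starts outside the hunk.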
diff --git a/file.te b/file.te
index 874f45f562403f73871eb5aaf792971c67e1d7f8..21bba2e248b5dca709e1d5d3e25c204fe26b0080 100644
--- a/file.te
+++ b/file.te
@@ -64,6 +64,8 @@ type dalvikcache_profiles_data_file, file_type, data_file_type;
 type shell_data_file, file_type, data_file_type;
 # /data/gps
 type gps_data_file, file_type, data_file_type;
+# /data/property
+type property_data_file, file_type, data_file_type;
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index c871d95c36849f7d2a911cd7644c47b1d7a21a30..fe493d3db0f944c8093b72a629cab60c72eedeaf 100644
--- a/file_contexts
+++ b/file_contexts
@@ -184,6 +184,7 @@
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 /data/media(/.*)?	u:object_r:media_rw_data_file:s0
 /data/mediadrm(/.*)?	u:object_r:media_data_file:s0
+/data/property(/.*)?	u:object_r:property_data_file:s0
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
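Review bot: The new `/data/property(/.*)?` entry only has an effect once something applies it, and nothing in this diff adds a type_transition or relabels an existing tree. On a device upgraded with /data/property already present, the directory and the persisted property files would presumably keep their previous label until a restorecon runs over them. Until then the new allow and neverallow rules for `property_data_file` would not govern those files. It is worth confirming that init labels the directory when it creates it and that an existing /data/property is relabelled on upgrade. A short `#` comment next to the entry naming where that relabel happens would record the dependency.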
diff --git a/init.te b/init.te
index 028c46109d12338282f2fa7e0fc4b08a013c47bc..f0c6ac6d9646c28c2c4fd6d31c705f24df54b371 100644
--- a/init.te
+++ b/init.te
@@ -34,3 +34,7 @@ allow init keystore_data_file:file { getattr };
 # setfscreate is for labeling directories and socket files.
 # setsockcreate is for labeling local/unix domain sockets.
 allow init self:process { setexec setfscreate setsockcreate };
+
+# Create /data/property and files within it.
+allow init property_data_file:dir create_dir_perms;
+allow init property_data_file:file create_file_perms;
diff --git a/unconfined.te b/unconfined.te
index d4009f0acc5b521bc06b240f8f65b519b8badd39..2302279b9b35b13ed3145c9a19e7e318d4fcbdb3 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -28,10 +28,10 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
 allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type dev_type file_type -keystore_data_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type dev_type file_type -keystore_data_file -property_data_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain {file_type -keystore_data_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {file_type -keystore_data_file -property_data_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain { rootfs system_file exec_type }:file execute;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
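Review bot: Subtracting `property_data_file` from the two `unconfineddomain` rules removes every permission on the type, including getattr, search and read, and also for lnk_file, sock_file and fifo_file. The neverallow added in domain.te only forbids modification, so the two changes differ in scope. Any unconfined domain other than init that reads /data/property would be denied after this change unless it gets an explicit allow, and this diff adds one only for init. If that is intended, a comment above the two rules would help the next reader, e.g. `# keystore_data_file and property_data_file are excluded; access is granted only by explicit rules in the owning domain.`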