diff --git a/app.te b/app.te
index 34f99e63f358933b2ff8127d415323fc867d4c43..f3a083ce0528e67bfa807f123702fbf440ede570 100644
--- a/app.te
+++ b/app.te
@@ -68,6 +68,10 @@ allow appdomain wallpaper_file:file { read write };
 allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };
 
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
 # Everybody can read the xt_qtaguid resource tracking misc dev.
diff --git a/binderservicedomain.te b/binderservicedomain.te
new file mode 100644
index 0000000000000000000000000000000000000000..a67d5856e9adcf09efc18c3eee4cb81f1065a945
--- /dev/null
+++ b/binderservicedomain.te
@@ -0,0 +1,5 @@
+# Rules common to all binder service domains
+
+# Alow dumpstate to collect information from binder services
+allow binderservicedomain dumpstate:fd use;
+allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
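Review bot: The header comment on the third line has a typo, `# Alow dumpstate ...`; it should read `# Allow dumpstate to collect information from binder services`. The permission set on the two allow rules is identical to the one added to app.te in this same commit, so a short sentence saying why they must match would help the next reader, e.g. `# Same grant as appdomain in app.te: dumpstate presumably passes its socket fd into the service's dump() call, so the receiver only needs to use the fd and write to the socket.` The "presumably" is deliberate, as nothing in this hunk shows how the fd reaches the service; confirm against the dumpstate/dumpsys path before stating it as fact.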
diff --git a/dumpstate.te b/dumpstate.te
new file mode 100644
index 0000000000000000000000000000000000000000..8c27273540a4869a064dc9d94a55d8aed3c72664
--- /dev/null
+++ b/dumpstate.te
@@ -0,0 +1,70 @@
+# dumpstate
+type dumpstate, domain;
+permissive dumpstate;
+type dumpstate_exec, exec_type, file_type;
+
+init_daemon_domain(dumpstate)
+net_domain(dumpstate)
+relabelto_domain(dumpstate)
+binder_use(dumpstate)
+
+# Drop privileges by switching UID / GID
+allow dumpstate self:capability { setuid setgid };
+
+# Allow dumpstate to scan through /proc/pid for all processes
+r_dir_file(dumpstate, domain)
+
+# Send signals to processes
+allow dumpstate self:capability kill;
+
+# Allow executing files on system, such as:
+#   /system/bin/toolbox
+#   /system/bin/logcat
+#   /system/bin/dumpsys
+allow dumpstate system_file:file execute_no_trans;
+
+# Create and write into /data/anr/
+allow dumpstate self:capability { dac_override chown fowner fsetid };
+allow dumpstate anr_data_file:dir { rw_dir_perms relabelto };
+allow dumpstate anr_data_file:file create_file_perms;
+allow dumpstate system_data_file:dir { create_dir_perms relabelfrom };
+
+# Allow reading /data/system/uiderrors.txt
+# TODO: scope this down.
+allow dumpstate system_data_file:file r_file_perms;
+
+# Read dmesg
+allow dumpstate self:capability2 syslog;
+allow dumpstate kernel:system syslog_read;
+
+# Get process attributes
+allow dumpstate domain:process getattr;
+
+# Signal java processes to dump their stack
+allow dumpstate { appdomain system_server }:process signal;
+
+# Signal native processes to dump their stack.
+# This list comes from native_processes_to_dump in dumpstate/utils.c
+allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
+
+# The /system/bin/ip command needs this for routing table information.
+allow dumpstate self:netlink_route_socket { write getattr setopt };
+
+# The vdc command needs to talk to the vold socket.
+unix_socket_connect(dumpstate, vold, vold)
+
+# Vibrate the device after we're done collecting the bugreport
+# /sys/class/timed_output/vibrator/enable
+# TODO: create a new file class, instead of allowing write access to all of /sys
+allow dumpstate sysfs:file w_file_perms;
+
+# Other random bits of data we want to collect
+allow dumpstate qtaguid_proc:file r_file_perms;
+allow dumpstate debugfs:file r_file_perms;
+
+# Allow dumpstate to make binder calls to any binder service
+binder_call(dumpstate, binderservicedomain)
+binder_call(dumpstate, appdomain)
+
+# Reading /proc/PID/maps of other processes
+allow dumpstate self:capability sys_ptrace;
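Review bot: `permissive dumpstate;` on the third line of the file makes every allow rule below it advisory, so the broad grants (`create_dir_perms relabelfrom` on `system_data_file:dir`, `w_file_perms` on all of `sysfs`, `capability sys_ptrace`) are currently logged-only and nothing here is enforced yet. A comment next to it stating why it is there and what removes it would keep it from lingering, e.g. `# TODO: drop permissive once bugreport runs on userdebug show no denials.` The `system_data_file:dir` rule also deserves its own why-comment, since the block comment above it only mentions /data/anr; if it exists solely to create and relabel that directory, say so, as the TODOs on the uiderrors.txt and sysfs rules already do for their rules. Reading /proc/PID/maps with CAP_SYS_PTRACE is also subject to a per-target ptrace access check on some kernels, so the final rule may still produce denials against other domains once the domain is made enforcing; worth confirming on the target kernel rather than assuming the capability alone suffices.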
diff --git a/file.te b/file.te
index d0f79ac7a957e4a856e61628fdb63d90bcf4b00a..cb184e31d31b6980f4c9ede266f91e479c182ae3 100644
--- a/file.te
+++ b/file.te
@@ -101,6 +101,7 @@ type download_file, file_type;
 type adbd_socket, file_type;
 type bluetooth_socket, file_type;
 type dnsproxyd_socket, file_type, mlstrustedobject;
+type dumpstate_socket, file_type;
 type gps_socket, file_type;
 type installd_socket, file_type;
 type keystore_socket, file_type;
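Review bot: `dumpstate_socket` is declared here and labeled in file_contexts, but no rule in this commit grants any domain `connectto` on dumpstate or `write` on the sock_file, and dumpstate.te itself never references the type. If the client that connects to /dev/socket/dumpstate is in a domain whose rules are outside this change, a comment on the declaration naming the intended peer would make it self-explanatory; otherwise that client still needs a `unix_socket_connect(<client_domain>, dumpstate, dumpstate)` rule, following the `unix_socket_connect(dumpstate, vold, vold)` shape used in dumpstate.te, and the declaration is dead until it is added. I cannot tell from the diff which of the two applies.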
diff --git a/file_contexts b/file_contexts
index 25873049b0b1299f2d1c634f0d9596881333e2f1..9df91cd10421a7b0b4336c0040b7cf9b160da130 100644
--- a/file_contexts
+++ b/file_contexts
@@ -77,6 +77,7 @@
 /dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/bluetooth	u:object_r:bluetooth_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
+/dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
 /dev/socket/gps		u:object_r:gps_socket:s0
 /dev/socket/installd	u:object_r:installd_socket:s0
 /dev/socket/keystore	u:object_r:keystore_socket:s0
@@ -121,6 +122,7 @@
 /system/bin/servicemanager	u:object_r:servicemanager_exec:s0
 /system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
 /system/bin/drmserver	u:object_r:drmserver_exec:s0
+/system/bin/dumpstate   u:object_r:dumpstate_exec:s0
 /system/bin/vold	u:object_r:vold_exec:s0
 /system/bin/netd	u:object_r:netd_exec:s0
 /system/bin/rild	u:object_r:rild_exec:s0
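Review bot: The new entry `/system/bin/dumpstate   u:object_r:dumpstate_exec:s0` separates path and context with spaces, while every neighbouring line in this section uses a tab. file_contexts accepts either, so this is style only, but using a tab keeps the column alignment and avoids a single mixed-whitespace line in an otherwise uniform file.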
diff --git a/healthd.te b/healthd.te
index 53e6e8ef908d50aeed193b0b9ef37831e44b1a27..9d23571323369bf3affd332fb4e5525c4111e2c2 100644
--- a/healthd.te
+++ b/healthd.te
@@ -11,6 +11,7 @@ allow healthd self:capability { net_admin mknod };
 allow healthd self:capability2 block_suspend;
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
 binder_use(healthd)
+binder_service(healthd)
 binder_call(healthd, system_server)
 
 # Workaround for 0x10 / block_suspend capability2 denials.
diff --git a/su.te b/su.te
index dda77080bf360c577cbf00a52cf25593e52e85bd..2a3d0075d6e372ca9ea4d3a1083fc65649db1977 100644
--- a/su.te
+++ b/su.te
@@ -2,6 +2,10 @@ type su, domain;
 type su_exec, exec_type, file_type;
 domain_auto_trans(shell, su_exec, su)
 
+# Allow dumpstate to call su on userdebug / eng builds to collect
+# additional information.
+domain_auto_trans(dumpstate, su_exec, su)
+
 # su is unconfined.
 unconfined_domain(su)
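Review bot: The comment says the su transition is for userdebug/eng builds, but the rule itself is unconditional; whether it is absent on user builds depends on su.te or the su binary being excluded there, which this hunk does not show. If this file is compiled into all builds, dumpstate gains an automatic transition into the unconfined `su` domain wherever a `su_exec`-labeled file exists, which undercuts the per-rule scoping effort in dumpstate.te. Either guard the rule at build time the same way su itself is excluded, or extend the comment to state that exclusion explicitly, e.g. `# su.te is only built into userdebug/eng policy, so this transition does not exist on user builds.`, after confirming that assumption holds for this tree.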