diff --git a/app.te b/app.te
index fb768318361ff68cbad73c698b16f3a067c683b7..22168f8918e165678c9ed159c1576eed8698ad4c 100644
--- a/app.te
+++ b/app.te
@@ -24,6 +24,8 @@ platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
 unconfined_domain(media_app)
+relabelto_domain(media_app)
+allow media_app download_file:dir relabelto;
 
 # Apps signed with the shared key.
 type shared_app, domain;
diff --git a/attributes b/attributes
index 7d491e2d4ea7c4faf8ae71bebd0f1fdee292d10b..6123d6c1be12a4984cca8dbe05258aa9d81e6a79 100644
--- a/attributes
+++ b/attributes
@@ -64,3 +64,6 @@ attribute binderservicedomain;
 
 # Allow domains used for platform (signed by build key) apps.
 attribute platformappdomain;
+
+# All domains which are allowed the "relabelto" permission
+attribute relabeltodomain;
diff --git a/domain.te b/domain.te
index a4a06d554d5f4b37adc004440dacf8e221597df6..9ca6dc4e657188026190d779f8b9d6219cd338fe 100644
--- a/domain.te
+++ b/domain.te
@@ -120,3 +120,18 @@ dontaudit domain debugfs:file  rw_file_perms;
 # security files
 allow domain security_file:dir { search getattr };
 allow domain security_file:file getattr;
+
+######## Backwards compatibility - Unlabeled files ############
+
+# Revert to DAC rules when looking at unlabeled files. Over time, the number
+# of unlabeled files should decrease.
+# TODO: delete these rules in the future.
+#
+# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
+# capability, it's essentially useless. This is needed to allow an app with
+# relabelto to relabel unlabeled files.
+#
+allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
+allow domain unlabeled:dir { create_dir_perms relabelfrom };
+allow domain unlabeled:lnk_file { create_file_perms };
+neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
diff --git a/init.te b/init.te
index 5b7463e93938b613876dd2d33338e1e3f7d2f79c..2cbf14d86a80c5d3fcc516984d8685f726220c59 100644
--- a/init.te
+++ b/init.te
@@ -4,5 +4,8 @@ permissive init;
 # init is unconfined.
 unconfined_domain(init)
 tmpfs_domain(init)
+relabelto_domain(init)
 # add a rule to handle unlabelled mounts
 allow init unlabeled:filesystem mount;
+
+allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
diff --git a/installd.te b/installd.te
index 2b983db128b71df13c271671d18090987beb86e3..05e4d65cb0f01dfb6b0ed137e3f6771526a0825c 100644
--- a/installd.te
+++ b/installd.te
@@ -4,6 +4,7 @@ permissive installd;
 type installd_exec, exec_type, file_type;
 
 init_daemon_domain(installd)
+relabelto_domain(installd)
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
 allow installd system_data_file:file create_file_perms;
diff --git a/kernel.te b/kernel.te
index 5502ed88da4eea4b33402aadad22f5869b79affd..023e45790c12fed62b961620a3f8f63131641e47 100644
--- a/kernel.te
+++ b/kernel.te
@@ -3,3 +3,6 @@ type kernel, domain;
 permissive kernel;
 # The kernel is unconfined.
 unconfined_domain(kernel)
+relabelto_domain(kernel)
+
+allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
diff --git a/system.te b/system.te
index e638039a9e11539e3fde6026d6f1313a498da68b..24d4a676b0b6dc16730a2bfd516d2dc915ef3f6f 100644
--- a/system.te
+++ b/system.te
@@ -6,7 +6,13 @@ unconfined_domain(system_app)
 type system, domain;
 permissive system;
 unconfined_domain(system);
+relabelto_domain(system);
 
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system self:zygote { specifyids specifyrlimits specifyseinfo };
+
+allow system backup_data_file:dir relabelto;
+allow system cache_backup_file:dir relabelto;
+allow system apk_data_file:file relabelto;
+allow system apk_tmp_file:file relabelto;
diff --git a/te_macros b/te_macros
index 1c78c96d0c911a380c04c546decf0f4d695afa05..310612cd9878bb677b16dc28b4bdba1550b097fa 100644
--- a/te_macros
+++ b/te_macros
@@ -108,6 +108,13 @@ typeattribute $1 appdomain;
 tmpfs_domain($1)
 ')
 
+#####################################
+# relabelto_domain(domain)
+# Allows this domain to use the relabelto permission
+define(`relabelto_domain', `
+typeattribute $1 relabeltodomain;
+')
+
 #####################################
 # platform_app_domain(domain)
 # Allow permissions specific to platform apps.
diff --git a/unconfined.te b/unconfined.te
index 9f100a3e26597a25ebca6b6782973c79f44fcecf..a3af7d771320f36a1e9fccfeed084ca5fb171e9c 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -11,8 +11,8 @@ allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
-allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } *;
-allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~entrypoint;
+allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~{entrypoint relabelto};
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;