diff --git a/prebuilts/api/26.0/26.0.ignore.cil b/prebuilts/api/26.0/26.0.ignore.cil
index e89ea63a09fb0f5c0b493032a583104fa6daa9ee..6b37df7fac5eaba70935832eb4e1f44178fe3d17 100644
--- a/prebuilts/api/26.0/26.0.ignore.cil
+++ b/prebuilts/api/26.0/26.0.ignore.cil
@@ -23,3 +23,11 @@
 thermalserviced_tmpfs
 timezone_service
 tombstoned_java_trace_socket))
+
+;; private_objects - a collection of types that were labeled differently in
+;; older policy, but that should not remain accessible to vendor policy.
+;; Thus, these types are also not mapped, but recorded for checkapi tests
+(typeattribute priv_objects)
+(typeattributeset priv_objects
+ ( screencap
+ screencap_exec ))
diff --git a/private/adbd.te b/private/adbd.te
index 52597ebbf4335a9495ea208d9c20e1c1e42f05e0..2008364288ded5ade37e9b7e3f38157d7b154fa9 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -63,14 +63,9 @@ get_prop(adbd, serialno_prop)
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
 
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
-# b/13188914
-allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file rw_file_perms;
-r_dir_file(adbd, system_file)
+# Use screencap
+domain_auto_trans(adbd, screencap_exec, screencap)
+allow adbd screencap:process signal;
 
 # Needed for various screenshots
 hal_client_domain(adbd, hal_graphics_allocator)
@@ -137,5 +132,5 @@ allow adbd rootfs:dir r_dir_perms;
 # No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
 # transitions to the shell domain (except when it crashes). In particular, we
 # never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
+neverallow adbd { domain -crash_dump -shell -screencap }:process transition;
 neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
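Review bot: The comment introducing the new attribute calls it `private_objects`, but the attribute declared two lines below is `priv_objects`; use one spelling so the ignore list entry and its explanation can be searched together, e.g. `;; priv_objects - a collection of types that were labeled differently in`. The rest of the comment is fine, though "recorded for checkapi tests" would read more clearly as "recorded here so the checkapi tests can account for them".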
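Review bot: The context lines just below the change still keep `hal_client_domain(adbd, hal_graphics_allocator)` under the comment `# Needed for various screenshots`, yet the hunk moves screenshot work into the screencap domain, which receives its own `hal_client_domain(screencap, hal_graphics_allocator)` in private/screencap.te; if screenshots were the only reason for that grant, it is now dead privilege in adbd and should be dropped in the same change (confirm no other adbd path uses the allocator HAL). The new `# Use screencap` comment also loses the motivation that the removed lines recorded; suggest `# Screenshots run in the separate screencap domain (see screencap.te), so adbd` / `# itself needs no gpu/ion device or surfaceflinger binder access.` The same two-word comment is added in the private/dumpstate.te and private/shell.te hunks and would benefit from the same wording. The `signal` permission on screencap is presumably there so the caller can stop a screencap it started; say so if that is the intent.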
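Review bot: The comment above the changed neverallow is now stale: it still states that adbd "only ever transitions to the shell domain (except when it crashes)", while the new rule also permits the transition to screencap, so the comment and the rule it documents disagree. Update both comment lines with the rule, e.g. `# No transitions from adbd to non-shell, non-crash_dump, non-screencap domains.` and `# transitions to the shell and screencap domains (except when it crashes). In particular, we`.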
diff --git a/private/app.te b/private/app.te
index 9251ed9cbeeabfc407c393192717fe63df971978..068f09539d42c59c01c373d480b4de27c1679b50 100644
--- a/private/app.te
+++ b/private/app.te
@@ -409,7 +409,9 @@ neverallow appdomain { domain -appdomain }:file write;
 # sigchld allowed for parent death notification.
 # signull allowed for kill(pid, 0) existence test.
 # All others prohibited.
-neverallow appdomain { domain -appdomain }:process
+neverallow { appdomain -shell } { domain -appdomain }:process
+ { sigkill sigstop signal };
+neverallow shell { domain -appdomain -screencap }:process
 { sigkill sigstop signal };
 
 # Transition to a non-app domain.
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 0fe2adfc68137d9099233ce0924f2471b7082460..a2f4e258ade5a552595dceed57e0783218839971 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -24,3 +24,7 @@ binder_call(dumpstate, storaged)
 
 # Collect metrics on boot time created by init
 get_prop(dumpstate, boottime_prop)
+
+# Use screencap
+domain_auto_trans(dumpstate, screencap_exec, screencap)
+allow dumpstate screencap:process signal;
diff --git a/private/file_contexts b/private/file_contexts
index 7f9f5129ee3a552c5914593ffa3c713fe69a9a7f..2599e39128ad7c5cc3f914c2b0ea8472de6eafcb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -212,6 +212,7 @@
 /system/bin/mediametrics u:object_r:mediametrics_exec:s0
 /system/bin/cameraserver u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
+/system/bin/screencap u:object_r:screencap_exec:s0
 /system/bin/mdnsd u:object_r:mdnsd_exec:s0
 /system/bin/installd u:object_r:installd_exec:s0
 /system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
diff --git a/private/screencap.te b/private/screencap.te
new file mode 100644
index 0000000000000000000000000000000000000000..579373aa6a3b41a20edfa24d477c3723bbcf9c9d
--- /dev/null
+++ b/private/screencap.te
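Review bot: The carve-out in the new shell rule is wider than the access shell is actually given: `neverallow shell { domain -appdomain -screencap }:process { sigkill sigstop signal }` exempts screencap from all three permissions, while the private/shell.te hunk only allows `signal`, so the policy no longer asserts that shell cannot sigkill/sigstop screencap. Keeping the blanket rule for the two stronger signals and exempting screencap only for `signal` preserves the original guarantee: `neverallow appdomain { domain -appdomain }:process { sigkill sigstop };` / `neverallow { appdomain -shell } { domain -appdomain }:process signal;` / `neverallow shell { domain -appdomain -screencap }:process signal;`. The `# All others prohibited.` context comment above the rules should also name the one exception (shell may signal screencap), since it is now inaccurate as written.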
@@ -0,0 +1,26 @@
+type screencap, domain;
+type screencap_exec, exec_type, file_type;
+
+typeattribute screencap coredomain;
+
+allow screencap gpu_device:chr_file rw_file_perms;
+allow screencap ion_device:chr_file rw_file_perms;
+
+allow screencap adbd:fifo_file write;
+allow screencap adbd:fd use;
+allow screencap adbd:unix_stream_socket { read write };
+
+allow screencap shell_data_file:file write;
+allow screencap shell:fd use;
+allow screencap shell:unix_stream_socket { read write };
+
+allow screencap dumpstate:fd use;
+allow screencap dumpstate:unix_stream_socket { read write };
+
+binder_use(screencap)
+binder_call(screencap, surfaceflinger)
+allow screencap surfaceflinger_service:service_manager find;
+allow screencap surfaceflinger:fd use;
+
+hwbinder_use(screencap)
+hal_client_domain(screencap, hal_graphics_allocator)
diff --git a/private/shell.te b/private/shell.te
index 5299532ac64e15c88232b8a37da11609c585d578..095dc43910c91bf5553f5a311c435a18b20ec76c 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -26,3 +26,7 @@ binder_call(shell, storaged)
 # Perform SELinux access checks, needed for CTS
 selinux_check_access(shell)
 selinux_check_context(shell)
+
+# Use screencap
+domain_auto_trans(shell, screencap_exec, screencap)
+allow shell screencap:process signal;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index b33035e8ea9d51ec1422b6105c9acba6e1330e7c..7184fbcc729a00002f5113a3f7cc85cdf60c951d 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -21,6 +21,7 @@ binder_use(surfaceflinger)
 binder_call(surfaceflinger, binderservicedomain)
 binder_call(surfaceflinger, appdomain)
 binder_call(surfaceflinger, bootanim)
+binder_call(surfaceflinger, screencap)
 binder_service(surfaceflinger)
 
 # Binder IPC to bu, presently runs in adbd domain.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index f6d6a0a69d9da541b94af9a0f8d745f0e76a800e..3e977311fb56aff85894ba7bd6b434c30407153c 100644
--- a/public/dumpstate.te
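Review bot: The new domain file carries no comments at all, so a reader of private/screencap.te alone cannot tell why it inherits fds and sockets from three unrelated callers or why it talks to surfaceflinger; each rule group deserves a one-line reason, and the file a header such as `# /system/bin/screencap, run in its own domain by adbd, shell and dumpstate so that` / `# gpu/ion device and surfaceflinger binder access stay out of the caller domains.` The `allow screencap shell_data_file:file write;` rule is the one to double-check: it grants `write` but not `open` or `create`, which is sufficient only if the output descriptor is inherited from the caller (the `fd use` rules suggest that), whereas a screencap that opens the path itself would presumably be denied at open time — confirm against the binary and comment the rule either way. The `hwbinder_use`/`hal_client_domain(screencap, hal_graphics_allocator)` pair at the end likewise merits a short note saying what the allocator HAL is used for, since it is the only hwbinder access in the domain.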
+++ b/public/dumpstate.te
@@ -142,9 +142,6 @@ allow dumpstate bluetooth_data_file:dir search;
 allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
 allow dumpstate bluetooth_logs_data_file:file r_file_perms;
 
-# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
-allow dumpstate gpu_device:chr_file rw_file_perms;
-
 # logd access
 read_logd(dumpstate)
 control_logd(dumpstate)