diff --git a/device.te b/device.te
index d55258ad8956e99e386f4e694f45530df69109d3..8882d9935257180909a8e63190d5106555cee9cf 100644
--- a/device.te
+++ b/device.te
@@ -49,6 +49,7 @@ type uhid_device, dev_type;
 type tun_device, dev_type, mlstrustedobject;
 type usbaccessory_device, dev_type;
 type usb_device, dev_type;
+type klog_device, dev_type;
 type properties_device, dev_type;
 
 # All devices have a uart for the hci
diff --git a/file_contexts b/file_contexts
index 15f9f5998dfe3d46db23e2f533ac74cfdbe865fa..19491f96187bfa72cc7a692fbfc49fd21cfe19c5 100644
--- a/file_contexts
+++ b/file_contexts
@@ -114,6 +114,7 @@
 /dev/watchdog		u:object_r:watchdog_device:s0
 /dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0
+/dev/__kmsg__		u:object_r:klog_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
 #############################
 # System files
diff --git a/te_macros b/te_macros
index cc0dc7660228841b4f64bf9565877feb7149031a..1245c8a565510c355c454e42d68a6a79626ce721 100644
--- a/te_macros
+++ b/te_macros
@@ -285,6 +285,17 @@ define(`access_kmsg', `
 allow $1 kernel:system syslog_read;
 ')
 
+#####################################
+# write_klog(domain)
+# Ability to write to kernel log via
+# klog_write()
+# See system/core/libcutil/klog.c
+define(`write_klog', `
+type_transition $1 device:chr_file klog_device "__kmsg__";
+allow $1 klog_device:chr_file { create open write unlink };
+allow $1 device:dir { add_name remove_name };
+')
+
 #####################################
 # Non system_app application set
 #
diff --git a/ueventd.te b/ueventd.te
index 9023173d8d34b23db52e4cf6ae7e238547ba6c76..fa03acf70256d8cddaca1c27037a188a157453d6 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -2,6 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 tmpfs_domain(ueventd)
+write_klog(ueventd)
 security_access_policy(ueventd)
 allow ueventd rootfs:file entrypoint;
 allow ueventd init:process sigchld;
diff --git a/vold.te b/vold.te
index 95865fb3ad1ad26c85b9ef735ff450560f4dfb58..26532c1a06d9a2659c39b9d2fea8678e4236f559 100644
--- a/vold.te
+++ b/vold.te
@@ -32,6 +32,8 @@ allow vold self:capability { sys_boot };
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
 
+write_klog(vold)
+
 #
 # Rules to support encrypted fs support.
 #