diff --git a/private/system_server.te b/private/system_server.te
index 3c3f82d9707b8cb1e06229982b6c34b15b342186..f06592a6231aa582cf7ce8f29b99af506d2ca5bf 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -79,6 +79,9 @@ allow system_server kernel:system module_request;
 # Allow alarmtimers to be set
 allow system_server self:capability2 wake_alarm;
 
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
index a4c21fcdf507997a0621008de364f16a7ecc5381..48d67a29b5c466597b54b63cb8842916d9ff6a1a 100644
--- a/public/hal_tetheroffload.te
+++ b/public/hal_tetheroffload.te
@@ -1,3 +1,8 @@
 ## HwBinder IPC from client to server, and callbacks
 binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
 binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
+
+allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;
+
+# allow the client to pass the server already open netlink sockets
+allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/public/hwservice.te b/public/hwservice.te
index c3f30771b2086f7acc731dad688b3880fc18640d..bb2c668d7d699ab34f3e1d58164a3fe76573217d 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
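Review bot: The comment on the new system_server rule in private/system_server.te does not record why the full `create_socket_perms_no_ioctl` set is needed or that the sockets exist only to be handed to the HAL. system_server is a large privileged domain, so this grant widens the kernel netfilter interface reachable from it, and the next reviewer needs the intended scope spelled out. I would expand the comment to something like `# system_server opens the netfilter netlink sockets and passes the open fds to hal_tetheroffload_server over HwBinder; the HAL is granted no create permission in this change.` If only part of the macro's permission set is used on this path, list those permissions explicitly instead of using the macro.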
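Review bot: In public/hal_tetheroffload.te the client is granted `find` on hal_tetheroffload_hwservice, but nothing visible in this change lets hal_tetheroffload_server register that service. Unless `add` is granted elsewhere, registration would be denied and the lookup has nothing to find; add `add_hwservice(hal_tetheroffload_server, hal_tetheroffload_hwservice)` next to the find rule. The new type also only takes effect if an hwservice_contexts entry maps the tetheroffload interfaces to it, and no such entry appears in this diff, so confirm it lands with this change. The socket rule itself is suitably narrow (no create, bind or connect for the server); a comment saying why `setopt` is required would help keep it that way.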
@@ -28,6 +28,7 @@ type hal_power_hwservice, hwservice_manager_type;
 type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
 type hal_sensors_hwservice, hwservice_manager_type;
 type hal_telephony_hwservice, hwservice_manager_type;
+type hal_tetheroffload_hwservice, hwservice_manager_type;
 type hal_thermal_hwservice, hwservice_manager_type;
 type hal_tv_cec_hwservice, hwservice_manager_type;
 type hal_tv_input_hwservice, hwservice_manager_type;
diff --git a/vendor/hal_tetheroffload_default.te b/vendor/hal_tetheroffload_default.te
new file mode 100644
index 0000000000000000000000000000000000000000..03c542b28d062751d8fa63e5ec34309994399aa8
--- /dev/null
+++ b/vendor/hal_tetheroffload_default.te
@@ -0,0 +1,5 @@
+type hal_tetheroffload_default, domain;
+hal_server_domain(hal_tetheroffload_default, hal_tetheroffload)
+
+type hal_tetheroffload_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tetheroffload_default)
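Review bot: The new vendor/hal_tetheroffload_default.te declares hal_tetheroffload_default_exec and calls `init_daemon_domain(hal_tetheroffload_default)`, but no file_contexts entry labelling the HAL binary with that exec type is visible in this diff. Without one the domain transition from init would not trigger and the service would not run in hal_tetheroffload_default, so confirm the label is added here or in a companion change. The file would also benefit from a header comment such as `# Default tetheroffload HAL: receives already-open netfilter netlink sockets from its client and creates none itself`, which matches the permissions granted in public/hal_tetheroffload.te.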