diff --git a/healthd.te b/healthd.te
index 2241f23cb97eb6e3f951bbb199a8667473edc25e..53e6e8ef908d50aeed193b0b9ef37831e44b1a27 100644
--- a/healthd.te
+++ b/healthd.te
@@ -4,8 +4,15 @@ type healthd, domain;
 type healthd_exec, exec_type, file_type;
 
 init_daemon_domain(healthd)
-unconfined_domain(healthd)
-allow healthd rootfs:file entrypoint;
+allow healthd rootfs:file { read entrypoint };
 write_klog(healthd)
 
+allow healthd self:capability { net_admin mknod };
+allow healthd self:capability2 block_suspend;
+allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
+binder_use(healthd)
+binder_call(healthd, system_server)
 
+# Workaround for 0x10 / block_suspend capability2 denials.
+# Requires a kernel patch to fix properly.
+permissive healthd;
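Review bot: `permissive healthd;` on the last line of the hunk puts the whole domain back into audit-only mode, so every other rule added here (the capability, capability2, uevent socket and binder rules) is logged rather than enforced, which in practice leaves healthd about as unconstrained as the `unconfined_domain(healthd)` line the hunk removes, and any access those rules fail to cover will only show up as audit noise. The comment names only the block_suspend / 0x10 capability2 denial as the blocker and defers the real fix to a kernel patch, so the workaround should carry an explicit removal condition, e.g. `# TODO: remove 'permissive healthd;' once the kernel patch for the 0x10 capability2 denial lands, after checking the audit log shows no other healthd denials.` It would also help to state why `net_admin` is needed; if it is only required for the netlink uevent socket on the following lines, a short comment saying so keeps a later reviewer from treating it as a leftover from the unconfined days.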
diff --git a/system_server.te b/system_server.te
index 53b98ee3495293c900a0732e9004e1df3ce25810..1ffa34d2b36620f96f17acba8cee86c7c538369c 100644
--- a/system_server.te
+++ b/system_server.te
@@ -89,6 +89,7 @@ tmpfs_domain(system_server)
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, appdomain)
+binder_call(system_server, healthd)
 binder_service(system_server)
 
 # Read /proc/pid files for Binder clients.
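Review bot: The new `binder_call(system_server, healthd)` line is the only rule in this group with no comment explaining the relationship, while it is clearly the counterpart of `binder_call(healthd, system_server)` added in healthd.te in the same commit; a one-line comment such as `# Pairs with binder_call(healthd, system_server) in healthd.te.` makes the dependency visible from this file. Note that because healthd.te also declares the domain permissive in this commit, only the system_server side of that pairing is actually enforced for now, so any missing rule on the healthd side will not surface until the permissive line is dropped.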