diff --git a/app.te b/app.te
index 6116757825b449394d94dd728a4fbb959cf9d34c..0049fe47d3545723af0b84ba6a39c5c699722c2c 100644
--- a/app.te
+++ b/app.te
@@ -268,9 +268,6 @@ neverallow { appdomain -unconfineddomain -system_app }
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Write to various other parts of /data.
-neverallow { appdomain -system_app -unconfineddomain }
-    security_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set
diff --git a/domain.te b/domain.te
index 5464d86f0669b89ac207251553615ba20626ec23..a53a328928f6252ecb9e5a6f1a819c17e8c286fb 100644
--- a/domain.te
+++ b/domain.te
@@ -189,6 +189,23 @@ neverallow { domain -recovery } self:capability2 mac_admin;
 # Policy reload requires allowing this to the init domain.
 neverallow { domain -init } kernel:security load_policy;
 
+# Only init and the system_server can set selinux.reload_policy 1
+# to trigger a policy reload.
+neverallow { domain -init -system_server } security_prop:property_service set;
+
+# Only init and system_server can write to /data/security, where runtime
+# policy updates live.
+# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
+neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
+# Only init and system_server can create/setattr directories with this type.
+# init is for init.rc mkdir /data/security.
+# system_server is for creating subdirectories under /data/security.
+neverallow { domain -init -system_server } security_file:dir { create setattr };
+# Only system_server can create subdirectories and files under /data/security.
+neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
+neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
+neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
+
 # Only init prior to switching context should be able to set enforcing mode.
 # init starts in kernel domain and switches to init domain via setcon in
 # the init.rc, so the setenforce occurs while still in kernel. After
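Review bot: The new neverallows at lines 30–38 protect security_file only for the dir, file and lnk_file classes, while the app.te rule this commit deletes covered dir_file_class_set, so sock_file, fifo_file, chr_file and blk_file objects of type security_file are now guarded by no neverallow at all and a later allow rule granting them to an app or vendor domain would pass checkpolicy silently. Since nothing under /data/security should be a socket, FIFO or device node, widen the relabel rule to `neverallow { domain -init } security_file:dir_file_class_set { relabelfrom relabelto };` (init keeps relabelto via the existing file_type allow) and add `neverallow domain security_file:{ sock_file fifo_file chr_file blk_file } { create write setattr append unlink link rename };` next to the lnk_file rule. The `-system_server` carve-outs also mean a compromised system_server can both write the update files and trigger the reload, so the integrity of what init loads rests on whatever signature check the reload path performs, which is not visible in this diff.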
diff --git a/init.te b/init.te
index 5397a82173c8a494d327786c68479ccb7aa18671..8cdc3bcb59788d2d8d92cb811b4b917b5c0fd9b8 100644
--- a/init.te
+++ b/init.te
@@ -23,7 +23,14 @@ allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 allow init unlabeled:dir { create_dir_perms relabelfrom };
 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 
+# Create /data/security from init.rc post-fs-data.
+allow init security_file:dir { create setattr };
+
+# setprop selinux.reload_policy 1 from init.rc post-fs-data.
+allow init security_prop:property_service set;
+
 # Reload policy upon setprop selinux.reload_policy 1.
+r_dir_file(init, security_file)
 allow init kernel:security load_policy;
 
 # Any operation that can modify the kernel ring buffer, e.g. clear
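Review bot: The inserted `r_dir_file(init, security_file)` sits between the "Reload policy upon setprop selinux.reload_policy 1." comment and the `load_policy` rule it originally described, so the comment now reads as covering both; give the macro its own line, e.g. `# Read the policy update files under /data/security during reload.` placed above it, and keep the load_policy comment directly on its rule. The `mkdir /data/security` from init.rc also needs add_name/write on the parent /data directory (system_data_file), which is presumably already granted elsewhere in init.te but is worth confirming since the new neverallows in domain.te would not flag its absence. Note that `security_file:dir { create setattr }` here is the only write-type access init keeps on security_file; with the domain.te rule exempting only system_server from `write add_name remove_name rmdir`, init cannot clean up a stale /data/security on boot, which may be intended.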
diff --git a/property_contexts b/property_contexts
index c525c3bca4cf9a419bdf0bdc4ebc75198c24b1ab..cd8be69a354d5902b7bc812dbd1565432364994e 100644
--- a/property_contexts
+++ b/property_contexts
@@ -39,9 +39,6 @@ persist.service.        u:object_r:system_prop:s0
 persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0
 
-# mmac persistent properties
-persist.mmac.			u:object_r:security_prop:s0
-
 # selinux non-persistent properties
 selinux.                u:object_r:security_prop:s0
 
diff --git a/unconfined.te b/unconfined.te
index ecfe61574ae9450d4f1923c9faceb5ed36888eb3..7c7fa4d9969e33869d05c7867e807f111e978fa3 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -29,13 +29,13 @@ allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain {fs_type dev_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain { rootfs system_file exec_type }:file execute;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
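Review bot: Adding `-security_file` to both blanket rules removes every permission, including read, that unconfined domains had on /data/security, so any domain that still relies on unconfineddomain for access needs an explicit allow. The diff adds `r_dir_file(init, security_file)` for init but shows no corresponding rules for system_server, which the new domain.te comments name as the writer of these files; if system_server is an unconfined domain in this tree, the runtime updater will start failing with a denial that no neverallow catches at build time, so confirm its .te gains `allow system_server security_file:dir create_dir_perms;` and `allow system_server security_file:file create_file_perms;` (or equivalent) in the same change. The two exclusion lists are now identical five-item sets repeated on lines 85 and 92; a shared attribute or m4 define would keep them from drifting apart on the next type added.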
@@ -44,4 +44,4 @@ allow unconfineddomain port_type:socket_class_set name_bind;
 allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
 allow unconfineddomain domain:peer recv;
 allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
-allow unconfineddomain property_type:property_service set;
+allow unconfineddomain { property_type -security_prop }:property_service set;
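Review bot: Excluding security_prop here means an unconfined system_server can no longer set `selinux.reload_policy`, yet the domain.te neverallow in this same commit deliberately exempts system_server so it can trigger reloads; only init receives an explicit `allow init security_prop:property_service set` in this diff. If system_server is unconfined, it now needs `allow system_server security_prop:property_service set;` in its own .te or the reload trigger breaks at runtime without any build-time signal. It is also worth checking that no remaining unconfined-only code path sets `persist.mmac.*` properties, since the property_contexts hunk drops that prefix from security_prop and such properties will now fall to the default property label.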