diff --git a/adbd.te b/adbd.te
index 44607c712e260e334c7e060879aa61d799973d56..4b6764759a93fb7813f2ba8f779c876eb74ddac6 100644
--- a/adbd.te
+++ b/adbd.te
@@ -3,6 +3,7 @@
 type adbd, domain;
 
 userdebug_or_eng(`
+  allow adbd self:process setcurrent;
   allow adbd su:process dyntransition;
 ')
 
diff --git a/domain.te b/domain.te
index 5fef04b291c0c1c5d9eee4b494ebe857ee4b510d..f7e86923fa5bbbf1aac3cda4f8d9497f18448c3c 100644
--- a/domain.te
+++ b/domain.te
@@ -11,7 +11,7 @@ allow domain tmpfs:file { read getattr };
 allow domain tmpfs:dir r_dir_perms;
 
 # Intra-domain accesses.
-allow domain self:process ~{ execmem execstack execheap ptrace };
+allow domain self:process ~{ execmem execstack execheap ptrace setexec setfscreate setcurrent setkeycreate setsockcreate };
 allow domain self:fd use;
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;
diff --git a/init.te b/init.te
index 3441dd0c31966d28287b475297920ff9f1118f71..e94ca47842233da54cae91aa7deb461fd3c7803b 100644
--- a/init.te
+++ b/init.te
@@ -27,3 +27,9 @@ allow init watchdogd:process transition;
 # the directory as part of a recursive restorecon.
 allow init keystore_data_file:dir { open create read getattr setattr search };
 allow init keystore_data_file:file { getattr };
+
+# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
+# setexec is for services with seclabel options.
+# setfscreate is for labeling directories and socket files.
+# setsockcreate is for labeling local/unix domain sockets.
+allow init self:process { setexec setfscreate setsockcreate };
diff --git a/kernel.te b/kernel.te
index 0048a626e3aba4b6a6d9be14d792cb395178ac27..f2405e4fdfd969a28a5f0c2c40ffd4f2eb547aba 100644
--- a/kernel.te
+++ b/kernel.te
@@ -1,6 +1,8 @@
 # Life begins with the kernel.
 type kernel, domain;
 
+# setcon to init domain.
+allow kernel self:process setcurrent;
 allow kernel init:process dyntransition;
 
 # The kernel is unconfined.
diff --git a/recovery.te b/recovery.te
index cfec16104c00123ba6854f4f41038feef1e6b555..c1329833af386530d9184861ef16df998124571c 100644
--- a/recovery.te
+++ b/recovery.te
@@ -15,3 +15,6 @@ allow recovery dev_type:blk_file rw_file_perms;
 allow recovery self:process execmem;
 allow recovery ashmem_device:chr_file execute;
 allow recovery tmpfs:file rx_file_perms;
+
+# Use setfscreatecon() to label files for OTA updates.
+allow recovery self:process setfscreate;
diff --git a/runas.te b/runas.te
index 8648ee7116b8725b2d50e34ae1f6765070390e38..8cc0eeac90f2089997c10524def7bf1a8cd6411a 100644
--- a/runas.te
+++ b/runas.te
@@ -21,4 +21,5 @@ allow runas self:capability { setuid setgid };
 # read /seapp_contexts and /data/security/seapp_contexts
 security_access_policy(runas)
 selinux_check_context(runas) # validate context
+allow runas self:process setcurrent;
 allow runas non_system_app_set:process dyntransition; # setcon
diff --git a/ueventd.te b/ueventd.te
index babebe04db1d25cf5012a65ced087c14e15081a6..25460de2b229ba97f979fd603be92c01d06529f8 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -20,3 +20,6 @@ allow ueventd dev_type:blk_file { create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
 allow ueventd efs_file:dir search;
 allow ueventd efs_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
diff --git a/zygote.te b/zygote.te
index 4d169f3587ccb85fe57a2b03c3f5d63dc63a09b7..da3a03723d9ac05a49a6d0c0448ae26042f5cee5 100644
--- a/zygote.te
+++ b/zygote.te
@@ -9,6 +9,7 @@ allow zygote self:capability { dac_override setgid setuid fowner chown };
 # Drop capabilities from bounding set.
 allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.
+allow zygote self:process setcurrent;
 allow zygote system_server:process dyntransition;
 allow zygote appdomain:process dyntransition;
 # Allow zygote to read app /proc/pid dirs (b/10455872)