diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index f998e550448194d8f964dcdfdcca1f0f10ce084c..4b79060e3031783013569169b10c3a20ca7b5b16 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -8,6 +8,7 @@ define(`all_untrusted_apps',`{
   mediaprovider
   untrusted_app
   untrusted_app_25
+  untrusted_app_27
   untrusted_app_all
   untrusted_v2_app
 }')
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 74fef1a9af0cab2df968dfcbe80fdbed81d6ead3..cf7bed71083b15a4b21b621d323e86f37ca96ff2 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -681,7 +681,9 @@
 (typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
 (typeattributeset unlabeled_26_0 (unlabeled))
 (typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
-(typeattributeset untrusted_app_26_0 (untrusted_app))
+(typeattributeset untrusted_app_26_0
+  ( untrusted_app
+    untrusted_app_27))
 (typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
 (typeattributeset update_engine_26_0 (update_engine))
 (typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 403fde752967bc395664f138d20746600e07b308..cfda7483f0c7361bca2e0bd91c391dae8e1334a6 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -109,6 +109,7 @@
     traced_probes_tmpfs
     traced_producer_socket
     traced_tmpfs
+    untrusted_app_all_devpts
     update_engine_log_data_file
     vendor_default_prop
     usbd
@@ -131,4 +132,6 @@
 ;;     Thus, these types are also not mapped, but recorded for checkapi tests
 (typeattribute priv_objects)
 (typeattributeset priv_objects
-     ( adbd_tmpfs ))
+     ( adbd_tmpfs
+       untrusted_app_27_tmpfs
+     ))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 791a6f19becc7130aec3e8697051d5f6f63a860b..016365881b7c1c7dfb78c74294304017af1006ec 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1403,7 +1403,9 @@
 (typeattributeset unencrypted_data_file_27_0 (unencrypted_data_file))
 (typeattributeset unlabeled_27_0 (unlabeled))
 (typeattributeset untrusted_app_25_27_0 (untrusted_app_25))
-(typeattributeset untrusted_app_27_0 (untrusted_app))
+(typeattributeset untrusted_app_27_0
+  ( untrusted_app
+    untrusted_app_27))
 (typeattributeset untrusted_v2_app_27_0 (untrusted_v2_app))
 (typeattributeset update_engine_27_0 (update_engine))
 (typeattributeset update_engine_data_file_27_0 (update_engine_data_file))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 09ffe56aeae4c329d6fc9d3f0a7c76565b904f9e..a3f7bb5ad58dc53efdc90dc245530179fa406831 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -84,6 +84,7 @@
     traced_tmpfs
     traceur_app
     traceur_app_tmpfs
+    untrusted_app_all_devpts
     update_engine_log_data_file
     usbd
     usbd_exec
@@ -101,3 +102,8 @@
     wpantund_service
     wpantund_tmpfs))
 
+;; private_objects - a collection of types that were labeled differently in
+;;     older policy, but that should not remain accessible to vendor policy.
+;;     Thus, these types are also not mapped, but recorded for checkapi tests
+(typeattribute priv_objects)
+(typeattributeset priv_objects (untrusted_app_27_tmpfs))
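Review bot: The comment header at lines 79–81 introduces the attribute as `private_objects` while the declaration on line 82 and the set on line 83 use `priv_objects`, so the first word a reader looks up does not match the identifier. The same wording already exists in 26.0.ignore.cil (visible as context at line 41), so it looks copied rather than intentional; suggest `;; priv_objects - a collection of types that were labeled differently in` in both files so grep on the attribute name finds its documentation.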
diff --git a/private/mls b/private/mls
index a561de1f01e96d5d4e4e5d6f3f104f25640fa148..3b8ee3f47f090ff8aa2ef69ffb88c054ca064b59 100644
--- a/private/mls
+++ b/private/mls
@@ -53,11 +53,11 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto }
 
 # Only constrain open, not read/write.
 # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
-# Subject must be equivalent to object unless the subject is trusted.
+# Subject must dominate object unless the subject is trusted.
 mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
-	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+	     (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
 mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
-	     (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+	     (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
 
 #
 # Constraints for file types other than app data files.
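Review bot: Replacing `l1 eq l2` with `l1 dom l2` on lines 96 and 99 relaxes the MLS check from equality to dominance, so a subject whose level dominates the object's may now also setattr/unlink/link/rename an app_data_file at a lower level, an access the previous rule reserved for mlstrustedsubject. That is the write-down direction in the MLS model, and nothing in the hunk records why it is acceptable for app data files — presumably the relevant separation is carried by per-UID categories and DAC, but that cannot be confirmed from this diff. Suggest extending the comment on line 93 so the rationale survives the next review: `# Subject must dominate object unless the subject is trusted.` followed by `# dom (not eq) is intentional: a subject holding a superset of the object's categories may also modify or unlink it.`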
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 68c1a41bd19c50f3e2e9d8bc3c0d7d6f9e52b155..c15fa2244b0568269053451110bb560d79c86d10 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -23,7 +23,3 @@ app_domain(untrusted_app)
 untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app)
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 3fa79efcef8b66af46f34f7763551cacbdf874e3..ba2c1e1c7df3ef46087b52580cd0e5ea6b8277cd 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -26,10 +26,6 @@ untrusted_app_domain(untrusted_app_25)
 net_domain(untrusted_app_25)
 bluetooth_domain(untrusted_app_25)
 
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app_25)
-
 # b/34115651 - net.dns* properties read
 # This will go away in a future Android release
 get_prop(untrusted_app_25, net_dns_prop)
diff --git a/public/untrusted_app_25.te b/private/untrusted_app_27.te
similarity index 65%
rename from public/untrusted_app_25.te
rename to private/untrusted_app_27.te
index 4ca6e313447a9cd5c01253bd124cd5062fbeab44..79c776287f5f1766d4543d140cf242871a17bbf0 100644
--- a/public/untrusted_app_25.te
+++ b/private/untrusted_app_27.te
@@ -1,10 +1,14 @@
 ###
-### Untrusted apps.
+### Untrusted_27.
 ###
+### This file defines the rules for untrusted apps running with
+### 25 < targetSdkVersion <= 27.
+###
+### This file defines the rules for untrusted apps.
 ### Apps are labeled based on mac_permissions.xml (maps signer and
 ### optionally package name to seinfo value) and seapp_contexts (maps UID
 ### and optionally seinfo value to domain for process and type for data
-### directory).  The untrusted_app domain is the default assignment in
+### directory).  The untrusted_app_27 domain is the default assignment in
 ### seapp_contexts for any app with UID between APP_AID (10000)
 ### and AID_ISOLATED_START (99000) if the app has no specific seinfo
 ### value as determined from mac_permissions.xml.  In current AOSP, this
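Review bot: The header comment states the file's purpose twice — line 142–143 gives the precise scope (`25 < targetSdkVersion <= 27`) and line 145 then repeats the generic `### This file defines the rules for untrusted apps.` inherited from the renamed file; drop line 145 and replace the title on line 140 with `### Untrusted apps with 25 < targetSdkVersion <= 27.`. Line 150 also asserts that untrusted_app_27 is the default assignment in seapp_contexts, but seapp_contexts is not modified in this diff, so either that mapping lands in a companion change or the sentence was carried over from untrusted_app.te and is now inaccurate; worth verifying before this text becomes the reference for the domain.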
@@ -16,5 +20,9 @@
 ### seapp_contexts.
 ###
 
-type untrusted_app_25, domain;
+typeattribute untrusted_app_27 coredomain;
 
+app_domain(untrusted_app_27)
+untrusted_app_domain(untrusted_app_27)
+net_domain(untrusted_app_27)
+bluetooth_domain(untrusted_app_27)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 5d0461d1b2ed7a4bc62b60600f8ad0893505980c..feac216eff42139bfe12d3111917fe9299cf70a1 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -133,3 +133,7 @@ dontaudit untrusted_app_all net_dns_prop:file read;
 dontaudit untrusted_app_all proc_stat:file read;
 dontaudit untrusted_app_all proc_vmstat:file read;
 dontaudit untrusted_app_all proc_uptime:file read;
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app_all)
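Review bot: Moving `create_pty` onto untrusted_app_all widens the grant from the two domains it was removed from (untrusted_app, untrusted_app_25) to every domain that carries the untrusted_app_all attribute, including the new untrusted_app_27 and any other domain using untrusted_app_domain(); the comment still only names the jackpal.androidterm use case and does not record that the broadening is deliberate. The new `untrusted_app_all_devpts` type added to the 26.0/27.0 ignore lists is the visible consequence of this move. Suggest adding a line to the comment such as `# Granted here rather than per-domain so every untrusted_app_N variant gets identical pty access.`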
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 6f29396c3fd53ab3985775ed2a750e5a6ffdd162..5289bf96b9c856c30d69e3db37fd4dce03e0f792 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -17,3 +17,5 @@
 ###
 
 type untrusted_app, domain;
+type untrusted_app_27, domain;
+type untrusted_app_25, domain;
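Review bot: The two declarations are added in descending SDK order (`untrusted_app_27` before `untrusted_app_25`), which reads oddly in a file that otherwise lists one type per domain; since the 25 declaration moved here from the renamed public/untrusted_app_25.te, listing it first keeps the file in ascending order: `type untrusted_app_25, domain;` then `type untrusted_app_27, domain;`. A one-line comment above them, `# Per-targetSdkVersion variants of untrusted_app; rules live in private/untrusted_app_*.te`, would also tell a vendor-policy reader where the domains are actually populated, since only the type declarations are public.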