diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index a96bff7c0effd109265047cd6b8377a16f3079e0..481cfa5ce7fa6747b78a5519a0ed846f4f3dbd23 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -11,7 +11,7 @@
 ###
 ### PackageManager flags an app as ephemeral at install time.
 type ephemeral_app, domain;
-
+net_domain(ephemeral_app)
 # allow JITing
 allow ephemeral_app self:process execmem;
 allow ephemeral_app ashmem_device:chr_file execute;
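Review bot: `net_domain(ephemeral_app)` on the new line grants the full netdomain rule set, while the companion carve-out in the net.te hunk of this same commit removes only the three bind rules, so ephemeral_app still inherits the `rawip_socket` creation rule visible in that hunk's header context and the `netlink_route_socket` rule at its end. If the intended posture is connect-only, either extend the `{netdomain -ephemeral_app}` exclusion to those rules as well or record the intent next to the macro call, e.g. `# Network access: connect only; bind is excluded in net.te`. The blank line that separated the type declaration from the JIT rules was also replaced by the macro call, so restoring a blank line before the `# allow JITing` comment would keep the file's spacing.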
@@ -38,6 +38,11 @@ allow ephemeral_app zygote:unix_dgram_socket write;
 allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
 allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
 
+# Keychain and user-trusted credentials
+r_dir_file(ephemeral_app, keychain_data_file)
+allow ephemeral_app misc_user_data_file:dir r_dir_perms;
+allow ephemeral_app misc_user_data_file:file r_file_perms;
+
 # Allow apps to read/execute installed binaries
 allow ephemeral_app ephemeral_apk_data_file:dir search;
 allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
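Review bot: The comment above the added block names keychain and user-trusted credentials, but the two `misc_user_data_file` rules that follow are not tied to that purpose and nothing in the hunk says what ephemeral apps read from that type. A one-line comment above the first `misc_user_data_file` rule, such as `# misc_user_data_file: <name the consumer here>` filled in with the actual reader, would let a later reviewer judge whether `r_dir_perms`/`r_file_perms` on the whole type is wider than the feature needs.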
diff --git a/public/net.te b/public/net.te
index 4616eb170d941cf490f8a69585b26882741e107a..9345454cad3e21fb53b4e0c03bbb751b703cb7df 100644
--- a/public/net.te
+++ b/public/net.te
@@ -9,9 +9,9 @@ allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
 # Connect to ports.
 allow netdomain port_type:tcp_socket name_connect;
 # Bind to ports.
-allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
+allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
 # See changes to the routing table.
 allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
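Review bot: The `# Bind to ports.` comment now sits above three rules that exclude ephemeral_app, so it no longer describes what follows; `# Bind to ports (ephemeral_app is excluded; see ephemeral_app.te).` would keep the exclusion discoverable from this file. Because the restriction is expressed only as a set difference repeated on each rule, any future bind rule added to netdomain without the same `-ephemeral_app` term would silently re-grant the permission; a compile-time guard such as `neverallow ephemeral_app port_type:{ tcp_socket udp_socket } name_bind;` would make the intended restriction fail the build instead.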