diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 927296d2afaff1b4e855434d789543ac341acf16..48b4594d970324dc232eb51ef1c191d721cdc836 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -28,6 +28,13 @@
 package_native_service
 property_info
 slice_service
+ stats
+ stats_data_file
+ stats_exec
+ stats_service
+ statsd
+ statsd_exec
+ statsd_tmpfs
 statscompanion_service
 storaged_data_file
 sysfs_fs_ext4_features
diff --git a/private/file.te b/private/file.te
index 5b4dbc804f0d635bdb74b67e4ce5bcf69c6a23b2..5ff77680e0ade48eb5ba56a32390eb924d4f8e34 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,6 +1,9 @@
 # /proc/config.gz
 type config_gz, fs_type;
 
+# /data/misc/stats-data, /data/misc/stats-service
+type stats_data_file, file_type, data_file_type, core_data_file_type;
+
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;
 
diff --git a/private/file_contexts b/private/file_contexts
index ad6a9222d6eba6f7a6aaaef0e2122c56a05a33c8..c9398534570bfdbc89d6ca5e4869784aa222264e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -277,6 +277,8 @@
 /system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
 /system/bin/adbd u:object_r:adbd_exec:s0
 /system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
+/system/bin/stats u:object_r:stats_exec:s0
+/system/bin/statsd u:object_r:statsd_exec:s0
 
 #############################
 # Vendor files
@@ -384,6 +386,8 @@
 /data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
 /data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)? u:object_r:radio_data_file:s0
+/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
+/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
 /data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
 /data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
 /data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
diff --git a/private/service.te b/private/service.te
new file mode 100644
index 0000000000000000000000000000000000000000..3fec8825a777cbcd7c68feb024999a109ffeab08
--- /dev/null
+++ b/private/service.te
@@ -0,0 +1,2 @@
+type stats_service, service_manager_type;
+type statscompanion_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 6451ffced599653b4118840bf75b948c464b71d6..6a8843fc0b7c7a842d86ad70e96da0a0e4643d31 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -142,6 +142,7 @@ simphonebook2 u:object_r:radio_service:s0
 simphonebook u:object_r:radio_service:s0
 sip u:object_r:radio_service:s0
 slice u:object_r:slice_service:s0
+stats u:object_r:stats_service:s0
 statscompanion u:object_r:statscompanion_service:s0
 soundtrigger u:object_r:voiceinteraction_service:s0
 statusbar u:object_r:statusbar_service:s0
diff --git a/private/stats.te b/private/stats.te
new file mode 100644
index 0000000000000000000000000000000000000000..be8cfbd25dabac7451790a18e92ace1fa51b57a2
--- /dev/null
+++ b/private/stats.te
@@ -0,0 +1,25 @@
+type stats, domain;
+typeattribute stats coredomain;
+type stats_exec, exec_type, file_type;
+
+# switch to stats domain for stats command
+domain_auto_trans(shell, stats_exec, stats)
+
+# allow stats access to stdout from its parent shell.
+allow stats shell:fd use;
+
+# allow stats to communicate use, read and write over the adb
+# connection.
+allow stats adbd:fd use;
+allow stats adbd:unix_stream_socket { read write };
+
+# allow adbd to reap stats
+allow stats adbd:process { sigchld };
+
+# Allow the stats command to talk to the statsd over the binder, and get
+# back the stats report data from a ParcelFileDescriptor.
+binder_use(stats)
+allow stats stats_service:service_manager find;
+binder_call(stats, statsd)
+allow stats statsd:fifo_file write;
+
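Review bot: `allow stats statsd:fifo_file write;` at the end of stats.te grants the stats command write access to a statsd-owned fifo, yet the comment directly above it describes the opposite flow — report data coming back to stats through a ParcelFileDescriptor — which is what `allow statsd stats:fifo_file write;` in statsd.te already covers. If the pipe is created by the stats command this rule is dead and should be dropped; if statsd creates it, the comment should say that the descriptor is handed to stats for writing. The new file also has no header explaining what the domain is; I would open it with `# Domain for the /system/bin/stats shell tool, entered from shell via domain_auto_trans, which pulls reports from statsd over binder.` Since `domain_auto_trans(shell, stats_exec, stats)` makes that report path reachable from any adb shell, presumably intended for a debugging tool, that is worth stating in the header too.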
diff --git a/private/statsd.te b/private/statsd.te
new file mode 100644
index 0000000000000000000000000000000000000000..82691d3a3fd8e8373e49cac6879f8a3a46927482
--- /dev/null
+++ b/private/statsd.te
@@ -0,0 +1,72 @@
+type statsd, domain;
+typeattribute statsd coredomain;
+
+init_daemon_domain(statsd)
+
+type statsd_exec, exec_type, file_type;
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
+allow statsd stats_data_file:dir create_dir_perms;
+allow statsd stats_data_file:file create_file_perms;
+
+# Allow statsd to make binder calls to any binder service.
+binder_call(statsd, appdomain)
+binder_call(statsd, incidentd)
+binder_call(statsd, statscompanion_service)
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Grant statsd with permissions to register the services.
+allow statsd {
+ statscompanion_service
+ app_api_service
+ system_api_service
+}:service_manager find;
+
+# Only statsd can publish the binder service.
+add_service(statsd, stats_service)
+
+# Allow pipes from (and only from) stats.
+allow statsd stats:fd use;
+allow statsd stats:fifo_file write;
+
+# Allow statsd to call back to stats with status updates.
+binder_call(statsd, stats)
+
+###
+### neverallow rules
+###
+
+# Only system_server, system_app, and stats command can find the stats service.
+neverallow {
+ domain
+ -dumpstate
+ -shell
+ -stats
+ -statsd
+ -system_app
+ -system_server
+} stats_service:service_manager find;
+
+# Only statsd and the other root services in limited circumstances.
+# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
+# Other services are prohibitted from accessing the file.
+neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:file *;
+
+# Limited access to the directory itself.
+neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:dir *;
+
diff --git a/private/system_server.te b/private/system_server.te
index 7b0aad15021fb46c5814126438736649dec15d22..7d7a1a689874cd80f25f44f733a0af2a88991cd6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -169,6 +169,7 @@ binder_call(system_server, gatekeeperd)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
 binder_call(system_server, netd)
+binder_call(system_server, statsd)
 binder_call(system_server, storaged)
 binder_call(system_server, vold)
 binder_call(system_server, wificond)
@@ -578,6 +579,7 @@ allow system_server mediadrmserver_service:service_manager find;
 allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
+allow system_server stats_service:service_manager find;
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server vold_service:service_manager find;
@@ -800,5 +802,3 @@ neverallow system_server { domain -system_server }:process ptrace;
 # file read access. However, that is now unnecessary (b/34951864)
 neverallow system_server system_server:global_capability_class_set sys_resource;
 
-# TODO(b/67468181): Remove following lines upon resolution of this bug
-dontaudit system_server statscompanion_service:service_manager { add find };
diff --git a/public/service.te b/public/service.te
index 6dec274a0c170f4db2f12e745012da39feef5cc1..b421c97d39deec455a8457878d55a694b7acad84 100644
--- a/public/service.te
+++ b/public/service.te
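Review bot: `binder_call(statsd, statscompanion_service)` names a service label rather than a process domain — this diff declares statscompanion_service in private/service.te as a `service_manager_type` hosted by system_server (`system_server_service`), and binder permissions are checked between process labels, so the rule grants nothing a transaction will ever be checked against and statsd is left without `binder call` to the process that actually serves statscompanion; the companion line in system_server.te only adds `binder_call(system_server, statsd)`, the other direction. The line should read `binder_call(statsd, system_server)`. Separately, `allow statsd system_file:file execute_no_trans;` together with `allow statsd shell_exec:file rx_file_perms;` lets a daemon that accepts binder input from every app (`binder_call(statsd, appdomain)`) execute any system binary, a shell included, inside its own domain; enumerating the few exec types the comment lists (toolbox_exec is already there) would keep a parsing bug in statsd from becoming arbitrary execution. The comments also drift from the policy: the create comment says `/data/misc/stats-system` where file_contexts labels `/data/misc/stats-service`, the comment on the first neverallow omits dumpstate, shell and statsd which the rule exempts, and `prohibitted` should be `prohibited`.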
@@ -21,7 +21,6 @@ type mediadrmserver_service, service_manager_type;
 type netd_service, service_manager_type;
 type nfc_service, service_manager_type;
 type radio_service, service_manager_type;
-type statscompanion_service, service_manager_type;
 type storaged_service, service_manager_type;
 type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service, service_manager_type;