diff --git a/app.te b/app.te
index be3ead8759882c687d01fa47743845a81ef358d3..9a3ccc444b2055ade354d1f5d5c0e5bf32ccd4c4 100644
--- a/app.te
+++ b/app.te
@@ -53,6 +53,12 @@ allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file
 allow appdomain system_data_file:dir r_dir_perms;
 allow appdomain system_data_file:file { execute execute_no_trans open execmod };
 
+# Keychain and user-trusted credentials
+allow appdomain keychain_data_file:dir r_dir_perms;
+allow appdomain keychain_data_file:file r_file_perms;
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
 # Access to OEM provided data and apps
 allow appdomain oemfs:dir r_dir_perms;
 allow appdomain oemfs:file rx_file_perms;
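Review bot: The four new rules on lines 10-13 grant read access to keychain_data_file and misc_user_data_file to the whole appdomain attribute, which includes isolated_app, while the app_data_file rule visible in the hunk header already scopes itself with `{ appdomain -isolated_app }`. If isolated processes do not need user-installed credentials, the same exclusion would keep the new types out of the most restricted app sandbox, e.g. `allow { appdomain -isolated_app } keychain_data_file:dir r_dir_perms;` and likewise for the other three rules. Whether isolated_app actually reads these files cannot be told from the diff, so this should be confirmed against the consumers of /data/misc/keychain before narrowing. The comment on line 9 could also name the paths, `# Keychain and user-trusted credentials (/data/misc/keychain, /data/misc/user)`, as the other comments in this file do.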
diff --git a/file.te b/file.te
index cc11677d6a6bccc69f4832c65581c6083f18fc1c..8f9d7abc6ba1bd4407d652352ca380e539fb6ac8 100644
--- a/file.te
+++ b/file.te
@@ -80,9 +80,11 @@ type adb_keys_file, file_type, data_file_type;
 type audio_data_file, file_type, data_file_type;
 type bluetooth_data_file, file_type, data_file_type;
 type camera_data_file, file_type, data_file_type;
+type keychain_data_file, file_type, data_file_type;
 type keystore_data_file, file_type, data_file_type;
 type media_data_file, file_type, data_file_type;
 type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type;
 type net_data_file, file_type, data_file_type;
 type nfc_data_file, file_type, data_file_type;
 type radio_data_file, file_type, data_file_type, mlstrustedobject;
diff --git a/file_contexts b/file_contexts
index 2efd7e957fd906591e93ae71affa15b5cbcc7100..a683873a97a75bd70f8e442fe035ba88b24f04e5 100644
--- a/file_contexts
+++ b/file_contexts
@@ -206,12 +206,14 @@
 /data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
 /data/misc/camera(/.*)?         u:object_r:camera_data_file:s0
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
+/data/misc/keychain(/.*)?       u:object_r:keychain_data_file:s0
 /data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
 /data/misc/media(/.*)?          u:object_r:media_data_file:s0
 /data/misc/net(/.*)?            u:object_r:net_data_file:s0
 /data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
+/data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
 /data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
 /data/misc/wifi(/.*)?           u:object_r:wifi_data_file:s0
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
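Review bot: The new labels on lines 42 and 49 only take effect for files created after this policy is installed; on an upgraded device the existing contents of /data/misc/keychain still carry the old label (the system_app.te comment removed in this change indicates it was system_data_file), so any domain whose access is narrowed to keychain_data_file here would be denied until the tree is relabelled. The installd.te hunk describes a conditional upgrade step but grants no relabelfrom/relabelto on either new type, so the change appears to rely on a boot-time restorecon of /data that is outside this diff. It is worth confirming that such a relabel runs before the keychain is first read, and noting that dependency in the installd comment if so.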
diff --git a/installd.te b/installd.te
index 6257edeb6fb719daa9d4c448fd5336abdd3cf1a2..6b1b2b8e1ccb6cf1f747da74393f8740993568f6 100644
--- a/installd.te
+++ b/installd.te
@@ -37,6 +37,12 @@ allow installd media_rw_data_file:file { getattr unlink };
 allow installd system_data_file:dir relabelfrom;
 allow installd media_rw_data_file:dir relabelto;
 
+# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd misc_user_data_file:dir create_dir_perms;
+allow installd misc_user_data_file:file create_file_perms;
+allow installd keychain_data_file:dir create_dir_perms;
+allow installd keychain_data_file:file {r_file_perms unlink};
+
 # Create /data/.layout_version.* file
 type_transition installd system_data_file:file install_data_file;
 allow installd install_data_file:file create_file_perms;
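Review bot: The permission set on line 65, `{r_file_perms unlink}`, omits the spaces inside the braces that every other rule in these files uses (`{ getattr unlink }` in the hunk header, `{ execute execute_no_trans open execmod }` in app.te); write it as `allow installd keychain_data_file:file { r_file_perms unlink };`. The comment on line 61 says the upgrade is conditional, but the create and unlink permissions it justifies remain granted permanently once the migration has run; if installd only ever moves keychain files into /data/misc/user, stating that in the comment (and that it therefore needs no create_file_perms on line 65) would make the asymmetry between lines 63 and 65 read as deliberate. If create_dir_perms on line 64 is the global_macros definition that includes rmdir and rename, installd can also remove the keychain directory itself, which is presumably intended for the migration but worth confirming.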
diff --git a/system_app.te b/system_app.te
index fcf0f16b9a1414333adaa70a88b0c99b8f8ace43..6fe8106a8efa6f10952bf64a54ab0e2246a25fc6 100644
--- a/system_app.te
+++ b/system_app.te
@@ -12,10 +12,16 @@ binder_service(system_app)
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:file create_file_perms;
 
+# Read /data/misc/keychain subdirectory.
+allow system_app keychain_data_file:dir r_dir_perms;
+allow system_app keychain_data_file:file r_file_perms;
+
 # Read and write to other system-owned /data directories, such as
-# /data/system/cache and /data/misc/keychain.
+# /data/system/cache and /data/misc/user.
 allow system_app system_data_file:dir create_dir_perms;
 allow system_app system_data_file:file create_file_perms;
+allow system_app misc_user_data_file:dir create_dir_perms;
+allow system_app misc_user_data_file:file create_file_perms;
 # Audit writes to these directories and files so we can identify
 # and possibly move these directories into their own type in the future.
 auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
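Review bot: The new write rules on lines 87-88 are inserted between the system_data_file write rules and the audit comment on lines 89-90, so "these directories and files" now reads as if it covers misc_user_data_file too, yet the auditallow on line 91 names only system_data_file. Either move lines 87-88 to follow the keychain block at lines 78-80 under their own comment (`# Read and write per-user data in /data/misc/user.`), or, if writes to the new type should also be tracked while it is being separated out, add a matching `auditallow system_app misc_user_data_file:dir { create setattr add_name remove_name rmdir rename };`. The narrowing itself looks right: system_app drops from write to read on the keychain directory (lines 79-80) and keeps write only on the per-user tree.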
diff --git a/system_server.te b/system_server.te
index 0ea72032a9910a83fcd3a4b6c3d57268350bc0f2..f17f8d3178efd7ae68817cafb654104145c99c8f 100644
--- a/system_server.te
+++ b/system_server.te
@@ -173,6 +173,8 @@ allow system_server tun_device:chr_file rw_file_perms;
 # Manage system data files.
 allow system_server system_data_file:dir create_dir_perms;
 allow system_server system_data_file:notdevfile_class_set create_file_perms;
+allow system_server keychain_data_file:dir create_dir_perms;
+allow system_server keychain_data_file:file create_file_perms;
 
 # Manage /data/app.
 allow system_server apk_data_file:dir create_dir_perms;
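Review bot: Lines 100-101 give system_server full create permissions on keychain_data_file under the generic "Manage system data files." comment, which no longer identifies the path now that /data/misc/keychain has its own type; a line such as `# Manage /data/misc/keychain (user-trusted credentials).` above line 100 would match the "# Manage /data/app." style on line 103. Unlike system_app, system_server receives no rule for misc_user_data_file, so any system_server write under /data/misc/user would be denied after this change; that is presumably deliberate, but the diff does not say so.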
diff --git a/zygote.te b/zygote.te
index 4c6276c8c5057653a517d3bd9552e82482e1c8b9..5ee4eb8e955a4a903bd83585282c8f124d30408d 100644
--- a/zygote.te
+++ b/zygote.te
@@ -21,6 +21,9 @@ allow zygote appdomain:process { getpgid setpgid };
 # Read system data.
 allow zygote system_data_file:dir r_dir_perms;
 allow zygote system_data_file:file r_file_perms;
+# Read system security data.
+allow zygote keychain_data_file:dir r_dir_perms;
+allow zygote keychain_data_file:file r_file_perms;
 # Write to /data/dalvik-cache.
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;
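Review bot: The comment on line 113, "Read system security data.", is less specific than the neighbouring comments, which name the directory they cover ("Write to /data/dalvik-cache." on line 116); `# Read /data/misc/keychain (user-trusted credentials).` would say which type and path the two rules on lines 114-115 are for. The diff does not show what zygote reads from the keychain directory, so the reason it needs this access, rather than the apps it forks, should be recorded alongside the rule.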