diff --git a/Android.mk b/Android.mk
index fa6cd783615295728902f92250a1dc7d8e051ae3..a3463bb013bfa312470b6fdabf66b99ef74313a6 100644
--- a/Android.mk
+++ b/Android.mk
@@ -2,6 +2,22 @@ LOCAL_PATH:= $(call my-dir)
 
 include $(CLEAR_VARS)
 
+# Force permissive domains to be unconfined+enforcing?
+#
+# During development, this should be set to false.
+# Permissive means permissive.
+#
+# When we're close to a release and SELinux new policy development
+# is frozen, we should flip this to true. This forces any currently
+# permissive domains into unconfined+enforcing.
+#
+FORCE_PERMISSIVE_TO_UNCONFINED:=false
+
+ifeq ($(TARGET_BUILD_VARIANT),user)
+  # User builds are always forced unconfined+enforcing
+  FORCE_PERMISSIVE_TO_UNCONFINED:=true
+endif
+
 # SELinux policy version.
 # Must be <= /selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
@@ -69,7 +85,10 @@ $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -D target_build_variant=$(TARGET_BUILD_VARIANT) -s $^ > $@
+	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
+		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
 $(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
diff --git a/bluetooth.te b/bluetooth.te
index a6e0c4e4da5bdba362b8dda49584389719b9a817..6b48ed48da51dfc694f9876178957a01ee927fe9 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,6 +1,6 @@
 # bluetooth subsystem
 type bluetooth, domain;
-permissive bluetooth;
+permissive_or_unconfined(bluetooth)
 app_domain(bluetooth)
 
 # Data file accesses.
@@ -50,4 +50,4 @@ allow bluetooth bluetooth_prop:property_service set;
 
 # Superuser capabilities.
 # bluetooth requires net_admin.
-neverallow bluetooth self:capability ~net_admin;
+neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
diff --git a/dhcp.te b/dhcp.te
index 2baca81a9490dc5ff9bad7f7694baf9154b10f96..785b204094c86c2ba6ace092eb739dc54bae4926 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -1,5 +1,5 @@
 type dhcp, domain;
-permissive dhcp;
+permissive_or_unconfined(dhcp)
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 
diff --git a/drmserver.te b/drmserver.te
index 112d7a180cf8c497cb97c2e7b35a9a431d03fce0..7bc0b38182d607be215f4e33baf6cd8c70dfd7a2 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -1,6 +1,6 @@
 # drmserver - DRM service
 type drmserver, domain;
-permissive drmserver;
+permissive_or_unconfined(drmserver)
 type drmserver_exec, exec_type, file_type;
 
 init_daemon_domain(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
index e0fe4ceb80d335bd2ac2220c37a3aa4177e25c1d..fbf9ce923764fa00d9cf75c64471440c73ad523f 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -1,6 +1,6 @@
 # dumpstate
 type dumpstate, domain;
-permissive dumpstate;
+permissive_or_unconfined(dumpstate)
 type dumpstate_exec, exec_type, file_type;
 
 init_daemon_domain(dumpstate)
diff --git a/hci_attach.te b/hci_attach.te
index 2a55d512b177896a539e7898ff336b1124da9d10..5115292e34080ef7ccc47d191fbc967bc6668cfb 100644
--- a/hci_attach.te
+++ b/hci_attach.te
@@ -1,5 +1,5 @@
 type hci_attach, domain;
-permissive hci_attach;
+permissive_or_unconfined(hci_attach)
 type hci_attach_exec, exec_type, file_type;
 
 init_daemon_domain(hci_attach)
diff --git a/hostapd.te b/hostapd.te
index a934384df1791ae2f622b6cd00db2f4e3539cdcf..efa3a8d533cb1d4c2a421d206c1c084d38322537 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -1,6 +1,6 @@
 # userspace wifi access points
 type hostapd, domain;
-permissive hostapd;
+permissive_or_unconfined(hostapd)
 type hostapd_exec, exec_type, file_type;
 
 allow hostapd self:capability { net_admin net_raw setuid setgid };
diff --git a/mediaserver.te b/mediaserver.te
index f84a4248cd45bcc2b80af22d90ee29fecb1edb35..7589ee8bac962a5cb8f76ba5a5801766803d9ee4 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,6 +1,6 @@
 # mediaserver - multimedia daemon
 type mediaserver, domain;
-permissive mediaserver;
+permissive_or_unconfined(mediaserver)
 type mediaserver_exec, exec_type, file_type;
 
 typeattribute mediaserver mlstrustedsubject;
diff --git a/platform_app.te b/platform_app.te
index 40f2dd333cf88ae11a24e872cea2f6b0e9b9ad27..bbbc0f7e6c2b56623573744e7a4820f05f73b7e1 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -3,7 +3,7 @@
 ###
 
 type platform_app, domain;
-permissive platform_app;
+permissive_or_unconfined(platform_app)
 app_domain(platform_app)
 platform_app_domain(platform_app)
 # Access the network.
diff --git a/release_app.te b/release_app.te
index 6be3620acb1015f97ef7c9a9d42355d9a483a71a..69cff196ddbd3a0a118021d04c330b9da1a9a712 100644
--- a/release_app.te
+++ b/release_app.te
@@ -3,7 +3,7 @@
 ###
 
 type release_app, domain;
-permissive release_app;
+permissive_or_unconfined(release_app)
 app_domain(release_app)
 platform_app_domain(release_app)
 # Access the network.
diff --git a/rild.te b/rild.te
index 5bc0b6264fe4ca80ba1c3f3194418bf7d2e5fd20..8de5c59adfa1caf5702e98554eb74ef7db5769f7 100644
--- a/rild.te
+++ b/rild.te
@@ -1,6 +1,6 @@
 # rild - radio interface layer daemon
 type rild, domain;
-permissive rild;
+permissive_or_unconfined(rild)
 type rild_exec, exec_type, file_type;
 
 init_daemon_domain(rild)
diff --git a/sdcardd.te b/sdcardd.te
index 4cf080a2363fc8f4ecde4c1cb81ce2baa3528a4c..eb983522c481fb0803675ccabe8dcb2a8716de01 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,5 +1,5 @@
 type sdcardd, domain;
-permissive sdcardd;
+permissive_or_unconfined(sdcardd)
 type sdcardd_exec, exec_type, file_type;
 
 init_daemon_domain(sdcardd)
diff --git a/shared_app.te b/shared_app.te
index e469bddb3b64701afe2599eecce4a76af0c69da6..4ab90fe26ff2a1f8e689898598991ef117dc790d 100644
--- a/shared_app.te
+++ b/shared_app.te
@@ -3,7 +3,7 @@
 ###
 
 type shared_app, domain;
-permissive shared_app;
+permissive_or_unconfined(shared_app)
 app_domain(shared_app)
 platform_app_domain(shared_app)
 # Access the network.
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 39781fc8a6449a7299554fd8757bca5994d33eea..edbe22ff2e11d66fb42284a9173d0c4e2a0fb7d5 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -1,6 +1,6 @@
 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
-permissive surfaceflinger;
+permissive_or_unconfined(surfaceflinger)
 type surfaceflinger_exec, exec_type, file_type;
 
 init_daemon_domain(surfaceflinger)
diff --git a/system_app.te b/system_app.te
index 63aa76ce2e00efa495031c86701fdd42c5279518..41e446be8db5c359573be939e2db49c50f0247fa 100644
--- a/system_app.te
+++ b/system_app.te
@@ -4,7 +4,7 @@
 # server.
 #
 type system_app, domain;
-permissive system_app;
+permissive_or_unconfined(system_app)
 app_domain(system_app)
 
 # Perform binder IPC to any app domain.
diff --git a/system_server.te b/system_server.te
index 22d739bd268e78f421bca0f050499e68f20e1907..06bca76a6fc4174b4504ef06ba18f99ffa671e80 100644
--- a/system_server.te
+++ b/system_server.te
@@ -3,7 +3,7 @@
 # Most of the framework services run in this process.
 #
 type system_server, domain, mlstrustedsubject;
-permissive system_server;
+permissive_or_unconfined(system_server)
 
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)
diff --git a/te_macros b/te_macros
index 9396e4f7465d4913c595d57e5b5b85eefd1f16e0..03c78f31a3a9b2b4cbed854cb8e70d7dac9d2c0c 100644
--- a/te_macros
+++ b/te_macros
@@ -327,3 +327,14 @@ define(`non_system_app_set', `{ appdomain -system_app }')
 # SELinux rules which apply only to userdebug or eng builds
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+
+#####################################
+# permissive_or_unconfined
+# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
+# and "unconfined($1)" otherwise.
+#
+# This is used for experimental domains, where we want to ensure
+# the domain is unconfined+enforcing once new SELinux policy development
+# has ceased.
+#
+define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
diff --git a/untrusted_app.te b/untrusted_app.te
index 2630f9e146331a1c76df4738d0690df2bc1dda2b..1904249999acc5f5e85aaeae718918a1e6cd0967 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -10,7 +10,7 @@
 ###
 
 type untrusted_app, domain;
-permissive untrusted_app;
+permissive_or_unconfined(untrusted_app)
 app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index 12202fb7130a2ab093c3f8fa53eb255f5f892a42..6ff1e106f3e7562a9500c8494490c004da694ef1 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -1,6 +1,6 @@
 # wpa - wpa supplicant or equivalent
 type wpa, domain;
-permissive wpa;
+permissive_or_unconfined(wpa)
 type wpa_exec, exec_type, file_type;
 
 init_daemon_domain(wpa)