diff --git a/app.te b/app.te
index 438e01f466255b4617e6f36507eb7e924ee15afc..6a74da8846c8fd2c492ca5945ad730a57e15ffd3 100644
--- a/app.te
+++ b/app.te
@@ -101,6 +101,9 @@ allow appdomain dex2oat_exec:file rx_file_perms;
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { getattr read write };
 
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write };
+
 # Write to /data/anr/traces.txt.
 allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };
diff --git a/file.te b/file.te
index ff60c0435beb34c4614a1ae3392b4e82b95813da..7efa324e245395f144bb3ea388522e78bdb80170 100644
--- a/file.te
+++ b/file.te
@@ -101,6 +101,8 @@ type bootchart_data_file, file_type, data_file_type;
 type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
 # /data/nativetest
 type nativetest_data_file, file_type, data_file_type;
+# /data/system_de/0/ringtones
+type ringtone_file, file_type, data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
@@ -159,7 +161,7 @@ type cache_recovery_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
-type wallpaper_file, file_type, mlstrustedobject;
+type wallpaper_file, file_type, data_file_type, mlstrustedobject;
 # /mnt/asec
 type asec_apk_file, file_type, data_file_type, mlstrustedobject;
 # Elements of asec files (/mnt/asec) that are world readable
diff --git a/file_contexts b/file_contexts
index ed8e30e6cb56087be5d9922921bd6632672530d7..3b495ec7d6e7a92c4d69824dc075b5a717abd517 100644
--- a/file_contexts
+++ b/file_contexts
@@ -322,10 +322,15 @@
 /data/system/users/[0-9]+/wallpaper_lock	u:object_r:wallpaper_file:s0
 /data/system/users/[0-9]+/wallpaper_orig	u:object_r:wallpaper_file:s0
 /data/system/users/[0-9]+/wallpaper		u:object_r:wallpaper_file:s0
+
+# Ringtone files
+/data/system_de/[0-9]+/ringtones(/.*)?          u:object_r:ringtone_file:s0
+
 #############################
 # efs files
 #
 /efs(/.*)?		u:object_r:efs_file:s0
+
 #############################
 # Cache files
 #
diff --git a/mediaserver.te b/mediaserver.te
index a305060402e204a82215cf30027f07ef9ac5d824..209b98a6aa1b11b1f710a7ecd1b6906b479ca983 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -45,6 +45,7 @@ allow mediaserver sysfs:file r_file_perms;
 # Read resources from open apk files passed over Binder.
 allow mediaserver apk_data_file:file { read getattr };
 allow mediaserver asec_apk_file:file { read getattr };
+allow mediaserver ringtone_file:file { read getattr };
 
 # Read /data/data/com.android.providers.telephony files passed over Binder.
 allow mediaserver radio_data_file:file { read getattr };
diff --git a/system_server.te b/system_server.te
index 2e131b34f8be86dd821d05add8971a50cd090674..076a6bafd4f614f33a56eb4243814b9545f06c55 100644
--- a/system_server.te
+++ b/system_server.te
@@ -290,6 +290,10 @@ allow system_server system_data_file:file relabelfrom;
 allow system_server wallpaper_file:file relabelto;
 allow system_server wallpaper_file:file { rw_file_perms unlink };
 
+# Manage ringtones.
+allow system_server ringtone_file:dir { create_dir_perms relabelto };
+allow system_server ringtone_file:file create_file_perms;
+
 # FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
 allow system_server system_data_file:dir relabelfrom;