diff --git a/device.te b/device.te
index b1b4582f744971ee85617a8d20b92d508cad4805..6457017d3cd5217425c48419ac207aad55b90b71 100644
--- a/device.te
+++ b/device.te
@@ -54,6 +54,7 @@ type usbaccessory_device, dev_type, mlstrustedobject;
 type usb_device, dev_type, mlstrustedobject;
 type klog_device, dev_type;
 type properties_device, dev_type;
+type properties_serial, dev_type;
 type i2c_device, dev_type;
 
 # All devices have a uart for the hci
diff --git a/domain.te b/domain.te
index 2d11bf7fb31a7eb1029b29c34bce8f8c82288130..02b884f15c79c61896bffdbf53edd33ff3e30f68 100644
--- a/domain.te
+++ b/domain.te
@@ -76,7 +76,14 @@ allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain urandom_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
-allow domain properties_device:file r_file_perms;
+allow domain properties_device:dir r_dir_perms;
+allow domain properties_serial:file r_file_perms;
+
+# For now, everyone can access all property files
+get_prop(domain, property_type)
+dontaudit domain property_type:file audit_access;
+allow domain property_contexts:file r_file_perms;
+
 allow domain init:key search;
 allow domain vold:key search;
 
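Review bot: `get_prop(domain, property_type)` gives every domain read access to every property file, so labelling the files by property type provides no read isolation yet, and the comment above it says "access" where the rule grants read only. I would make the comment say so and mark the follow-up, e.g. `# TODO: every domain can still read every property file; replace with per-domain get_prop() calls and drop this rule.` The `dontaudit domain property_type:file audit_access;` line is unexplained as well. Because it applies to all of `domain`, it will keep hiding access(2) probe denials after the blanket grant is narrowed, so a one-line comment giving its reason would help whoever tightens this later.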
diff --git a/file.te b/file.te
index 1d444dd652e3ee1b93449e544d982d7412126be4..9251741e5a5635fc941ea7b16aaadbcfa98d7684 100644
--- a/file.te
+++ b/file.te
@@ -192,6 +192,9 @@ type sap_uim_socket, file_type;
 # UART (for GPS) control proc file
 type gps_control, file_type;
 
+# property_contexts file
+type property_contexts, file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
diff --git a/file_contexts b/file_contexts
index a74f8f86ace36b78382eb63b1ebbf195d71f6bda..152dfb4aeaa6b8511bc54c9ae9ca8b0d9f73b94a 100644
--- a/file_contexts
+++ b/file_contexts
@@ -34,7 +34,7 @@
 
 # SELinux policy files
 /file_contexts\.bin u:object_r:rootfs:s0
-/property_contexts  u:object_r:rootfs:s0
+/property_contexts  u:object_r:property_contexts:s0
 /seapp_contexts     u:object_r:rootfs:s0
 /sepolicy           u:object_r:rootfs:s0
 /service_contexts   u:object_r:rootfs:s0
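Review bot: Nothing in this diff shows what applies the new `property_contexts` label to `/property_contexts`. As far as I know, files in the root filesystem keep their `rootfs` label unless something relabels them at boot, and the init.te hunk here adds no `relabelto` for this type, so that permission would have to exist already elsewhere. If the relabel does not happen, `allow domain property_contexts:file r_file_perms;` in domain.te matches nothing and readers fall back on whatever access they have to `rootfs`. A comment on this entry naming the component that relabels the file (presumably init, to be confirmed against the matching platform change) would make the dependency visible.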
diff --git a/init.te b/init.te
index e6c782584caeca032d72c4ff324da6795f9f5c6c..d07c5a7b698369df121574a644992ac6ab3e327e 100644
--- a/init.te
+++ b/init.te
@@ -14,8 +14,9 @@ allow init tmpfs:chr_file create_file_perms;
 # /dev/socket
 allow init { device socket_device }:dir relabelto;
 # /dev/__properties__
-allow init tmpfs:file relabelfrom;
-allow init properties_device:file relabelto;
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { create_file_perms relabelto };
 
 # setrlimit
 allow init self:capability sys_resource;
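Review bot: The hunk removes `allow init tmpfs:file relabelfrom;` but keeps `relabelto` on `properties_serial:file` and adds it on `property_type:file`, and a relabel needs relabelfrom on the old type as well as relabelto on the new one. If init now creates these files directly in their final context, the two file `relabelto` grants look unused and could be dropped to keep init's rules minimal. If it still relabels after creation, the relabelfrom on the source type has to come from a rule not visible in this hunk. A sentence under `# /dev/__properties__` stating which of the two init does would settle it, e.g. `# init creates one file per property type here and labels it with that type.` (wording to be confirmed).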
diff --git a/property.te b/property.te
index 07b50911e380828a6f693db261f8544028224bc1..9e97b602761f9a7025dc277631bbf5a617f981b0 100644
--- a/property.te
+++ b/property.te
@@ -30,3 +30,5 @@ type powerctl_prop, property_type;
 type nfc_prop, property_type;
 type dalvik_prop, property_type;
 type config_prop, property_type;
+
+allow property_type tmpfs:filesystem associate;
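Review bot: The added `allow property_type tmpfs:filesystem associate;` has no comment, although it is the rule that lets property types be used as file labels. I would add something like `# Property files are created on tmpfs under /dev/__properties__ and labelled with their property type.` above it. In the visible lines these types carry only the `property_type` attribute, so rules and neverallows written against `file_type` or `dev_type` would presumably not cover the new files. It is worth confirming that this is intended.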
diff --git a/te_macros b/te_macros
index 1936ffbc236a8cd44e3773dd11d25ee9aa54ecd5..37b33a90bda2beeb0ca2e39298ebade9a0c85f1a 100644
--- a/te_macros
+++ b/te_macros
@@ -152,6 +152,15 @@ __unix_socket_connect__($1, property, init)
 allow $1 $2:property_service set;
 ')
 
+#####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file r_file_perms;
+')
+
 #####################################
 # unix_socket_send(clientdomain, socket, serverdomain)
 # Allow a local socket send from clientdomain via