diff --git a/app.te b/app.te
index 5927eb94ea43ceec3864d7cf712bd63b7f79977a..9101c9bdf5fe159447abc12273d3249d6c5d2004 100644
--- a/app.te
+++ b/app.te
@@ -101,6 +101,9 @@ allow appdomain dex2oat_exec:file rx_file_perms;
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { getattr read write };
 
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write };
+
 # Write to /data/anr/traces.txt.
 allow appdomain anr_data_file:dir search;
 allow appdomain anr_data_file:file { open append };
diff --git a/file.te b/file.te
index ff60c0435beb34c4614a1ae3392b4e82b95813da..7efa324e245395f144bb3ea388522e78bdb80170 100644
--- a/file.te
+++ b/file.te
@@ -101,6 +101,8 @@ type bootchart_data_file, file_type, data_file_type;
 type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
 # /data/nativetest
 type nativetest_data_file, file_type, data_file_type;
+# /data/system_de/0/ringtones
+type ringtone_file, file_type, data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
@@ -159,7 +161,7 @@ type cache_recovery_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
-type wallpaper_file, file_type, mlstrustedobject;
+type wallpaper_file, file_type, data_file_type, mlstrustedobject;
 # /mnt/asec
 type asec_apk_file, file_type, data_file_type, mlstrustedobject;
 # Elements of asec files (/mnt/asec) that are world readable
diff --git a/file_contexts b/file_contexts
index ed8e30e6cb56087be5d9922921bd6632672530d7..3b495ec7d6e7a92c4d69824dc075b5a717abd517 100644
--- a/file_contexts
+++ b/file_contexts
@@ -322,10 +322,15 @@
 /data/system/users/[0-9]+/wallpaper_lock	u:object_r:wallpaper_file:s0
 /data/system/users/[0-9]+/wallpaper_orig	u:object_r:wallpaper_file:s0
 /data/system/users/[0-9]+/wallpaper		u:object_r:wallpaper_file:s0
+
+# Ringtone files
+/data/system_de/[0-9]+/ringtones(/.*)?          u:object_r:ringtone_file:s0
+
 #############################
 # efs files
 #
 /efs(/.*)?		u:object_r:efs_file:s0
+
 #############################
 # Cache files
 #
diff --git a/mediaserver.te b/mediaserver.te
index 7aa6ec7e0add90ba355b9407657f063b9fa869b6..86164033a75727ae35d56d92438ce6f4f6a592e9 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -45,6 +45,7 @@ allow mediaserver sysfs:file r_file_perms;
 # Read resources from open apk files passed over Binder.
 allow mediaserver apk_data_file:file { read getattr };
 allow mediaserver asec_apk_file:file { read getattr };
+allow mediaserver ringtone_file:file { read getattr };
 
 # Read /data/data/com.android.providers.telephony files passed over Binder.
 allow mediaserver radio_data_file:file { read getattr };
diff --git a/system_server.te b/system_server.te
index fc3694955e2d3f7c4ddecfa2b9bcfd84a98fac25..1dd7a6ed474792e5acdbe29981280b94df293931 100644
--- a/system_server.te
+++ b/system_server.te
@@ -291,6 +291,10 @@ allow system_server system_data_file:file relabelfrom;
 allow system_server wallpaper_file:file relabelto;
 allow system_server wallpaper_file:file { rw_file_perms unlink };
 
+# Manage ringtones.
+allow system_server ringtone_file:dir { create_dir_perms relabelto };
+allow system_server ringtone_file:file create_file_perms;
+
 # FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
 allow system_server system_data_file:dir relabelfrom;