diff --git a/app.te b/app.te
index 5917f7c6d35465f2c19f92a56e0c9766aea09548..73fb68bd7bd37e3ec6bd58b410e98fe7e0bf6291 100644
--- a/app.te
+++ b/app.te
@@ -58,6 +58,9 @@ allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file
 allow appdomain system_data_file:dir r_dir_perms;
 allow appdomain system_data_file:file { execute execute_no_trans open execmod };
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
 # Keychain and user-trusted credentials
 allow appdomain keychain_data_file:dir r_dir_perms;
 allow appdomain keychain_data_file:file r_file_perms;
diff --git a/file.te b/file.te
index bbfd665c88110511e39c4d0e9dae6ef6cab33109..25c3b7e29a7048472d411ec4fda1c6538c22e538 100644
--- a/file.te
+++ b/file.te
@@ -86,6 +86,7 @@ type bootchart_data_file, file_type, data_file_type;
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
 type mnt_user_file, file_type;
+type mnt_expand_file, file_type;
 type storage_file, file_type;
 # Label for storage dirs which are just mount stubs
diff --git a/file_contexts b/file_contexts
index 7ef7b3cddfd193332f055424cb8773a9f613a8f6..b66c2e07c274124bddc22d3bf6f4ae64b56e8078 100644
--- a/file_contexts
+++ b/file_contexts
@@ -190,6 +190,9 @@
 #############################
 # Data files
 #
+# NOTE: When modifying existing label rules, changes may also need to
+# propagate to the "Expanded data files" section.
+#
 /data(/.*)? u:object_r:system_data_file:s0
 /data/.layout_version u:object_r:install_data_file:s0
 /data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
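Review bot: The rule added in app.te grants more than its comment says: `r_dir_perms` includes `open` and `read`, so every domain in `appdomain` may list the directory labelled `mnt_expand_file`, not just pass through it. If apps only need to reach their own files below an expanded volume, `allow appdomain mnt_expand_file:dir { getattr search };` would match the "Traverse" comment; listing would presumably expose the names of the per-volume directories under /mnt/expand. The rule also covers the whole attribute, whereas the `app_data_file` rule shown in the hunk header excludes `isolated_app`, so the comment should say whether isolated apps are meant to be included. The same `r_dir_perms` grant is added for `system_server` in system_server.te.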
@@ -244,6 +247,18 @@
 # Bootchart data
 /data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+#############################
+# Expanded data files
+#
+/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
+/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
+/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
+/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
+
 # coredump directory for userdebug/eng devices
 /cores(/.*)? u:object_r:coredump_file:s0
diff --git a/system_server.te b/system_server.te
index 27fd704a945b2ebc6bbd9e1f7326be9fd1954cd7..02acf4e1081d39821de13577f8ab5dd443794f72 100644
--- a/system_server.te
+++ b/system_server.te
@@ -456,6 +456,9 @@ allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
 # we shouldn't be killed during unsafe removal
 allow system_server sdcard_type:dir { getattr search };
+# Traverse into expanded storage
+allow system_server mnt_expand_file:dir r_dir_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/vold.te b/vold.te
index dfdc3d97777c82a5305e290c4c851761957d48ed..b534c1e8f7933c691189c1e83a60dd2cf89ca54a 100644
--- a/vold.te
+++ b/vold.te
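Review bot: The catch-all `/mnt/expand/[^/]+(/.*)?` in the new "Expanded data files" section labels every path on an expanded volume that is not listed below it as `system_data_file`, and the context lines of the app.te hunk show that `appdomain` may `open` and `execute` files of that type. Only six sub-paths are mirrored from the /data section, so any /data rule that was not copied falls back to that broader type on expanded volumes; whether each omission is intended cannot be told from the hunk. A comment directly above the catch-all would make the fallback explicit, for example `# Anything not listed below is labelled system_data_file; mirror the /data rule when a tighter type is needed`.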
@@ -52,6 +52,12 @@ allow vold sdcard_type:filesystem { mount unmount remount };
 allow vold mnt_user_file:dir create_dir_perms;
 allow vold mnt_user_file:lnk_file create_file_perms;
+# Allow to create and mount expanded storage
+allow vold mnt_expand_file:dir { create_dir_perms mounton };
+allow vold apk_data_file:dir { create getattr setattr };
+allow vold media_rw_data_file:dir { create getattr setattr };
+allow vold shell_data_file:dir { create getattr setattr };
+
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
@@ -95,8 +101,8 @@ allow vold labeledfs:filesystem { mount unmount remount };
 # XXX Split into a separate type?
 allow vold efs_file:file rw_file_perms;
-# Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { create rw_dir_perms mounton };
+# Create and mount on /data/tmp_mnt and management of expansion mounts
+allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
 # Set scheduling policy of kernel processes
 allow vold kernel:process setsched;
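Review bot: In the second vold.te hunk the widened rule gives vold `setattr` and `rmdir` on every directory labelled `system_data_file`, not only on expansion mount points, because the file_contexts change in this commit assigns `/mnt/expand/[^/]+` the same type that `/data(/.*)?` already uses. A dedicated type for the expanded volume root would let these two permissions be scoped to it. Short of that, the comment should state that the grant is type-wide, e.g. `# XXX setattr/rmdir apply to all system_data_file dirs, not just /mnt/expand/[^/]+; split into a separate type?`. The rewritten comment would also read more clearly as `# Create and mount on /data/tmp_mnt; manage expansion mounts`.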