diff --git a/app.te b/app.te
index 22168f8918e165678c9ed159c1576eed8698ad4c..b896adadb98c5b665d985d982f8d481b2dd4bfaa 100644
--- a/app.te
+++ b/app.te
@@ -1,68 +1,10 @@
-#
-# Domains for apps that do not run with one of the predefined
-# platform UIDs (system, radio, nfc, ...).
-#
-
-#
-# Apps signed with the platform key.
-#
-type platform_app, domain;
-permissive platform_app;
-app_domain(platform_app)
-platform_app_domain(platform_app)
-# Access the network.
-net_domain(platform_app)
-# Access bluetooth.
-bluetooth_domain(platform_app)
-unconfined_domain(platform_app)
-
-# Apps signed with the media key.
-type media_app, domain;
-permissive media_app;
-app_domain(media_app)
-platform_app_domain(media_app)
-# Access the network.
-net_domain(media_app)
-unconfined_domain(media_app)
-relabelto_domain(media_app)
-allow media_app download_file:dir relabelto;
-
-# Apps signed with the shared key.
-type shared_app, domain;
-permissive shared_app;
-app_domain(shared_app)
-platform_app_domain(shared_app)
-# Access the network.
-net_domain(shared_app)
-# Access bluetooth.
-bluetooth_domain(shared_app)
-unconfined_domain(shared_app)
-
-# Apps signed with the release key (testkey in AOSP).
-type release_app, domain;
-permissive release_app;
-app_domain(release_app)
-platform_app_domain(release_app)
-# Access the network.
-net_domain(release_app)
-# Access bluetooth.
-bluetooth_domain(release_app)
-unconfined_domain(release_app)
-
-# Services with isolatedProcess=true in their manifest.
-# In order for isolated_apps to interact with apps that have levelFromUid=true
-# set it must be an mlstrustedsubject.
-type isolated_app, domain, mlstrustedsubject;
-permissive isolated_app;
-app_domain(isolated_app)
-unconfined_domain(isolated_app)
-
-#
-# Untrusted apps.
-#
-type untrusted_app, domain;
-permissive untrusted_app;
-app_domain(untrusted_app)
-net_domain(untrusted_app)
-bluetooth_domain(untrusted_app)
-unconfined_domain(untrusted_app)
+###
+### Domain for all zygote spawned apps
+###
+### This file is the base policy for all zygote spawned apps.
+### Other policy files, such as isolated_app.te, untrusted_app.te, etc
+### extend from this policy. Only policies which should apply to ALL
+### zygote spawned apps should be added here.
+###
+
+# currently empty
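Review bot: The header at the top of the new app.te says the other files "extend from this policy", but the file now holds no rule, and none of the new per-domain files reference app.te; each of them instead calls `app_domain(<name>)`, so the shared rules presumably arrive through that macro and the appdomain attribute rather than through this file. A reader opening app.te first cannot tell that from the text. I would replace `# currently empty` with a short pointer, e.g. `# No rules yet. Rules added here reach every domain that calls app_domain(); per-key and per-UID-range domains live in platform_app.te, media_app.te, shared_app.te, release_app.te, isolated_app.te and untrusted_app.te.` Also worth stating in the header which of those files a new app domain should follow as a template, so the split is not undone by the next rule being added here by habit.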
diff --git a/isolated_app.te b/isolated_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..57c357c194fa3c026caaa87aa22b588831d05862
--- /dev/null
+++ b/isolated_app.te
@@ -0,0 +1,15 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+### isolated_app includes all the appdomain rules, plus the
+### additional following rules:
+###
+
+type isolated_app, domain;
+permissive isolated_app;
+app_domain(isolated_app)
+unconfined_domain(isolated_app)
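Review bot: The moved isolated_app definition silently loses the `mlstrustedsubject` attribute: the removed app.te line was `type isolated_app, domain, mlstrustedsubject;` with a comment explaining that it is needed for isolated apps to interact with apps that have levelFromUid=true, while the new line 12 is `type isolated_app, domain;`. Nothing in the commit message or file header says this was intentional, so if the MLS interaction is still required the line should be restored as `type isolated_app, domain, mlstrustedsubject;` together with the original comment; if the drop is deliberate, the header should say so, since an MLS denial here would be hard to trace back to a file reorganisation. Separately, the header ends with "plus the additional following rules:" but the only rules that follow are the domain declaration and `unconfined_domain`, so either list what is specific to isolated_app or drop the trailing colon sentence.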
diff --git a/media_app.te b/media_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..f0f987fac796698f54dfddd3e71b181443b08453
--- /dev/null
+++ b/media_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the media key.
+###
+
+type media_app, domain;
+permissive media_app;
+app_domain(media_app)
+platform_app_domain(media_app)
+# Access the network.
+net_domain(media_app)
+unconfined_domain(media_app)
+relabelto_domain(media_app)
+allow media_app download_file:dir relabelto;
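Review bot: The two relabel rules at the end of this file are the only ones without an explanatory comment, whereas `net_domain(media_app)` carries `# Access the network.` like the sibling files. `relabelto_domain(media_app)` plus `allow media_app download_file:dir relabelto;` is the one capability that distinguishes media_app from platform_app in this diff, so it deserves at least a one-line comment such as `# Allow relabeling, including relabeling directories to download_file.` placed above `relabelto_domain(media_app)`. Note that with the domain still `permissive` and `unconfined_domain`, this rule is documentation of intent for now rather than an enforced grant, which is another reason to state the intent explicitly.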
diff --git a/platform_app.te b/platform_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..38d8fcd62936c71ef1f8ed728f8a32ef00cf6eea
--- /dev/null
+++ b/platform_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the platform key.
+###
+
+type platform_app, domain;
+permissive platform_app;
+app_domain(platform_app)
+platform_app_domain(platform_app)
+# Access the network.
+net_domain(platform_app)
+# Access bluetooth.
+bluetooth_domain(platform_app)
+unconfined_domain(platform_app)
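Review bot: platform_app.te, release_app.te and shared_app.te carry byte-identical rule sets apart from the domain name (`type`, `permissive`, `app_domain`, `platform_app_domain`, `net_domain`, `bluetooth_domain`, `unconfined_domain`), so the only thing that now distinguishes the three domains is the signing key that maps to each. That is fine if the intent is to let them diverge later, but a reader of any one file cannot tell, so I would add a line to each header along the lines of `### Currently identical to shared_app and release_app; kept separate so the three signing keys can be confined independently.` The same comment applies to the release_app.te and shared_app.te hunks below.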
diff --git a/release_app.te b/release_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..285f48300a99d1e6a244b3005f9193c3a1a8c7c2
--- /dev/null
+++ b/release_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the release key (testkey in AOSP).
+###
+
+type release_app, domain;
+permissive release_app;
+app_domain(release_app)
+platform_app_domain(release_app)
+# Access the network.
+net_domain(release_app)
+# Access bluetooth.
+bluetooth_domain(release_app)
+unconfined_domain(release_app)
diff --git a/shared_app.te b/shared_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..b66fbfbe615a21db5be06fcba88f8a368fa070ce
--- /dev/null
+++ b/shared_app.te
@@ -0,0 +1,13 @@
+###
+### Apps signed with the shared key.
+###
+
+type shared_app, domain;
+permissive shared_app;
+app_domain(shared_app)
+platform_app_domain(shared_app)
+# Access the network.
+net_domain(shared_app)
+# Access bluetooth.
+bluetooth_domain(shared_app)
+unconfined_domain(shared_app)
diff --git a/untrusted_app.te b/untrusted_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..f552129e5f51585aa432bca10120750e36ac2203
--- /dev/null
+++ b/untrusted_app.te
@@ -0,0 +1,17 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps. An "untrusted
+### app" is an APP with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000).
+###
+### untrusted_app includes all the appdomain rules, plus the
+### additional following rules:
+###
+
+type untrusted_app, domain;
+permissive untrusted_app;
+app_domain(untrusted_app)
+net_domain(untrusted_app)
+bluetooth_domain(untrusted_app)
+unconfined_domain(untrusted_app)
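Review bot: The UID range in the header names its lower bound `APP_AID (10000)` while the upper bound and the isolated_app.te header use the `AID_*` spelling (`AID_ISOLATED_START`, `AID_ISOLATED_END`); if the lower bound refers to the `AID_APP` constant from Android's filesystem config header it should be spelled that way so the two files cite the same symbols. The header also says "plus the additional following rules:" and then lists three rules, which works here, but `unconfined_domain(untrusted_app)` is listed as an "additional rule" for a domain the file itself calls untrusted; a comment such as `# Temporary while the policy is developed; to be removed once untrusted_app is confined.` above that line would record that it is not meant to stay.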