diff --git a/private/attributes b/private/attributes
new file mode 100644
index 0000000000000000000000000000000000000000..fcbfecfb26a5495ae07230da0734a58971291187
--- /dev/null
+++ b/private/attributes
@@ -0,0 +1,9 @@
+# Temporary attribute used for migrating permissions out of domain.
+# Motivation: Domain is overly permissive. Start removing permissions
+# from domain and assign them to the domain_deprecated attribute.
+# Domain_deprecated and domain can initially be assigned to all
+# domains. The goal is to not assign domain_deprecated to new domains
+# and to start removing domain_deprecated where it's not required or
+# reassigning the appropriate permissions to the inheriting domain
+# when necessary.
+attribute domain_deprecated;
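Review bot: The comment block above `attribute domain_deprecated;` is carried over unchanged from public/attributes and does not record why the attribute is now declared in private policy. Because the declaration is removed from public/attributes in the same change, policy outside private/ can presumably no longer reference it. A line such as `# Declared in private policy so it cannot be referenced from public or vendor policy.` would make that constraint visible to whoever adds the next domain.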
diff --git a/private/clatd.te b/private/clatd.te
index 5ba0fc5cdcb99da7e531a630fc50aa621714dbf4..c09398dddbc0a30ca85eabdf924a7879bd729b74 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -1 +1,2 @@
 typeattribute clatd coredomain;
+typeattribute clatd domain_deprecated;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index fd45484f4db5bce7e3945b95dff8a76633e9d160..89c3970afcd68562e594a949c00a78e3ba2eb82a 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -1 +1,2 @@
 typeattribute dex2oat coredomain;
+typeattribute dex2oat domain_deprecated;
diff --git a/private/dhcp.te b/private/dhcp.te
index b2f8ac7c747cf6bba0fe8080fa1afb8348b9ae95..6a6a139e28c9c63a08e3f39d2973f5cab63ac360 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -1,4 +1,5 @@
 typeattribute dhcp coredomain;
+typeattribute dhcp domain_deprecated;
 
 init_daemon_domain(dhcp)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/public/domain_deprecated.te b/private/domain_deprecated.te
similarity index 97%
rename from public/domain_deprecated.te
rename to private/domain_deprecated.te
index a17c105c65ef89d38e327f783eac0b3be027ce24..fc77b11a163355f527ddb5f71740442a338c6787 100644
--- a/public/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -37,7 +37,6 @@ auditallow {
   domain_deprecated
   -fsck
   -fsck_untrusted
-  -rild
   -sdcardd
   -system_server
   -update_engine
@@ -47,7 +46,6 @@ auditallow {
   domain_deprecated
   -fsck
   -fsck_untrusted
-  -rild
   -system_server
   -vold
 } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
@@ -56,7 +54,6 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
-  -rild
   -recovery
   -system_app
   -surfaceflinger
@@ -70,7 +67,6 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
-  -rild
   -recovery
   -system_app
   -surfaceflinger
@@ -84,7 +80,6 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
-  -rild
   -recovery
   -system_app
   -surfaceflinger
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b8f81526cddc1f713b42a4f2e83c97882c1d82dd..0fe2adfc68137d9099233ce0924f2471b7082460 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -1,4 +1,5 @@
 typeattribute dumpstate coredomain;
+typeattribute dumpstate domain_deprecated;
 
 init_daemon_domain(dumpstate)
 
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
index eb73ef8ccf9a3129f5a635c3f390d1177277e6f5..0c1dfaa3748abb9a8c90e0c9edc48ce82a76c0a8 100644
--- a/private/fingerprintd.te
+++ b/private/fingerprintd.te
@@ -1,3 +1,4 @@
 typeattribute fingerprintd coredomain;
+typeattribute fingerprintd domain_deprecated;
 
 init_daemon_domain(fingerprintd)
diff --git a/private/fsck.te b/private/fsck.te
index 3a36329f7cca371944b2835dee1854966a754269..e8467972fa00cab78cf61c76d722638d01f7a296 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,3 +1,4 @@
 typeattribute fsck coredomain;
+typeattribute fsck domain_deprecated;
 
 init_daemon_domain(fsck)
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
index 9a57bf02771bb2a06bf59d5b0a922e96dcb81aa6..2a1a39f46d1850e97b26ba177b748a9ed23a7550 100644
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@@ -1 +1,2 @@
 typeattribute fsck_untrusted coredomain;
+typeattribute fsck_untrusted domain_deprecated;
diff --git a/private/installd.te b/private/installd.te
index f74843dd135d4f6550d2dc6ff8c58e1ac343c550..d726e7df2e5165f8b8f649ceb2b90d4cae803a9a 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -1,4 +1,5 @@
 typeattribute installd coredomain;
+typeattribute installd domain_deprecated;
 
 init_daemon_domain(installd)
 
diff --git a/private/keystore.te b/private/keystore.te
index 6aa888429255afbd4cc7edc8bf27c536b55afd33..76aa02de3f911b169d0a87f4f1f24d748671b8f6 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -1,3 +1,4 @@
 typeattribute keystore coredomain;
+typeattribute keystore domain_deprecated;
 
 init_daemon_domain(keystore)
diff --git a/private/mtp.te b/private/mtp.te
index 732e111ed0b42407b3076a9ce971946b9a01e818..3cfda0b1aba7a7c0f15f0a7365e2475fe7c9a49f 100644
--- a/private/mtp.te
+++ b/private/mtp.te
@@ -1,3 +1,4 @@
 typeattribute mtp coredomain;
+typeattribute mtp domain_deprecated;
 
 init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
index f501f25e9f56361cb38813acec88f440a1ad7ee1..3a824af13668b28303a126ca44c371ff887d52e3 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,4 +1,5 @@
 typeattribute netd coredomain;
+typeattribute netd domain_deprecated;
 
 init_daemon_domain(netd)
 
diff --git a/private/perfprofd.te b/private/perfprofd.te
index 9c249fd9a069e4c455afaa2cba281610312f4a60..a655f1d340320aa8c17cf0ef741ad35a70003abd 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -1,4 +1,5 @@
 userdebug_or_eng(`
   typeattribute perfprofd coredomain;
+  typeattribute perfprofd domain_deprecated;
   init_daemon_domain(perfprofd)
 ')
diff --git a/private/ppp.te b/private/ppp.te
index 968b221b688ffe92f04a98d4211648a26d1e7ffc..9b301f4757ba1bf92cd076bb6a8236c5f6191138 100644
--- a/private/ppp.te
+++ b/private/ppp.te
@@ -1,3 +1,4 @@
 typeattribute ppp coredomain;
+typeattribute ppp domain_deprecated;
 
 domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/radio.te b/private/radio.te
index b4f539048f3b56816ff9f011a6d1cf0349d6ef6b..83b5b416b248c2533f353e4afa62b8e7e585118e 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,4 +1,5 @@
 typeattribute radio coredomain;
+typeattribute radio domain_deprecated;
 
 app_domain(radio)
 
diff --git a/private/recovery.te b/private/recovery.te
index 2a7fdc7e1d3ad16a0b8f211def5313f91376c7dd..b7b2847ecf6ef7bf099abb02e5593912806167d3 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -1 +1,2 @@
 typeattribute recovery coredomain;
+typeattribute recovery domain_deprecated;
diff --git a/private/runas.te b/private/runas.te
index ef31aac3471736662b840960b05e242ccb80856d..73a91ffd68f32ec11d3b2e40a927eb2c741cef30 100644
--- a/private/runas.te
+++ b/private/runas.te
@@ -1,4 +1,5 @@
 typeattribute runas coredomain;
+typeattribute runas domain_deprecated;
 
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
diff --git a/private/sdcardd.te b/private/sdcardd.te
index 126d643490d7081ad0db7db021320aa74af171b8..ac6bb4e2c4da4da1493109efe95e4cf23b345d39 100644
--- a/private/sdcardd.te
+++ b/private/sdcardd.te
@@ -1,3 +1,4 @@
 typeattribute sdcardd coredomain;
+typeattribute sdcardd domain_deprecated;
 
 type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/private/shared_relro.te b/private/shared_relro.te
index 02f7206829d2901285479f95ed49fa656327e0d1..8d06294d96a53ee83b7109af1e3781ca3fa4a85f 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -1,4 +1,5 @@
 typeattribute shared_relro coredomain;
+typeattribute shared_relro domain_deprecated;
 
 # The shared relro process is a Java program forked from the zygote, so it
 # inherits from app to get basic permissions it needs to run.
diff --git a/private/ueventd.te b/private/ueventd.te
index 1bd67735e99dc6ea00b17af8db5e4f03550311df..0df587fffd1a5fd3cb81b3d3175c2a1d6a5b5014 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -1,3 +1,4 @@
 typeattribute ueventd coredomain;
+typeattribute ueventd domain_deprecated;
 
 tmpfs_domain(ueventd)
diff --git a/private/uncrypt.te b/private/uncrypt.te
index e4e9224d9d54910d303676d82c2a2b2ae3473f58..fde686be99d2b09fbceaafb68a45d864815ab182 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -1,3 +1,4 @@
 typeattribute uncrypt coredomain;
+typeattribute uncrypt domain_deprecated;
 
 init_daemon_domain(uncrypt)
diff --git a/private/update_engine.te b/private/update_engine.te
index 5af7db6817de8df41bab90c9bf82eacde78dcf74..f460272d1dc2bb034678c46e2935bd4415cd5ec8 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -1,3 +1,4 @@
 typeattribute update_engine coredomain;
+typeattribute update_engine domain_deprecated;
 
 init_daemon_domain(update_engine);
diff --git a/private/vold.te b/private/vold.te
index a6d1001d1d48325e4fff25e4c15d888023ae297a..f2416f895e98f1586ec1b7d983b259627f70f5d3 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -1,4 +1,5 @@
 typeattribute vold coredomain;
+typeattribute vold domain_deprecated;
 
 init_daemon_domain(vold)
 
diff --git a/public/attributes b/public/attributes
index d729a7b633a8201ab247c3d140e8aba772ac416f..43c240bd7f1ff4e5303fb17a080d2230b2f0c42e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -10,16 +10,6 @@ attribute dev_type;
 # All types used for processes.
 attribute domain;
 
-# Temporary attribute used for migrating permissions out of domain.
-# Motivation: Domain is overly permissive. Start removing permissions
-# from domain and assign them to the domain_deprecated attribute.
-# Domain_deprecated and domain can initially be assigned to all
-# domains. The goal is to not assign domain_deprecated to new domains
-# and to start removing domain_deprecated where it's not required or
-# reassigning the appropriate permissions to the inheriting domain
-# when necessary.
-attribute domain_deprecated;
-
 # All types used for filesystems.
 # On change, update CHECK_FC_ASSERT_ATTRS
 # definition in tools/checkfc.c.
diff --git a/public/clatd.te b/public/clatd.te
index 8632087a1035046927df84192ebb906d24a79f2d..212b76edee64ff5ceb097bc7511c6757a3b074c0 100644
--- a/public/clatd.te
+++ b/public/clatd.te
@@ -1,5 +1,5 @@
 # 464xlat daemon
-type clatd, domain, domain_deprecated;
+type clatd, domain;
 type clatd_exec, exec_type, file_type;
 
 net_domain(clatd)
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 4ae45ca294af9c810d7da45d5cf4eed5628e7750..113a86f6dba000cda21e46a884b836d929ca25ad 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -1,5 +1,5 @@
 # dex2oat
-type dex2oat, domain, domain_deprecated;
+type dex2oat, domain;
 type dex2oat_exec, exec_type, file_type;
 
 r_dir_file(dex2oat, apk_data_file)
diff --git a/public/dhcp.te b/public/dhcp.te
index 6b9fb4ad11fd47d19b304d4c85613e9609bba558..a2cfcdf9019d53da3515ea8fadd0fccd29aba3a3 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -1,4 +1,4 @@
-type dhcp, domain, domain_deprecated;
+type dhcp, domain;
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 57cde1db053fc2b4271aadf4c22fed6afa8310d0..5dd18a352a26df126f30b06f2ac5d4d1eaf66d4e 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -1,4 +1,4 @@
-type fingerprintd, domain, domain_deprecated;
+type fingerprintd, domain;
 type fingerprintd_exec, exec_type, file_type;
 
 binder_use(fingerprintd)
diff --git a/public/fsck.te b/public/fsck.te
index 8f3b17a4ad5b3132803b1d38a6011a2e88803a78..b682a877f0de5c1d6b7eac98fad9e3fc2e1eeb19 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -1,5 +1,5 @@
 # Any fsck program run by init
-type fsck, domain, domain_deprecated;
+type fsck, domain;
 type fsck_exec, exec_type, file_type;
 
 # /dev/__null__ created by init prior to policy load,
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index a9dd8055a6ea9112f157f4999be5f936b2105c66..e2aceb87b00b4abc470fb121a7502951388c5312 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -1,5 +1,5 @@
 # Any fsck program run on untrusted block devices
-type fsck_untrusted, domain, domain_deprecated;
+type fsck_untrusted, domain;
 
 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
diff --git a/public/installd.te b/public/installd.te
index df14956c001ee5682ae093381c6022ab57b5e7f7..1292e824ae1473bbdcc6177bd8c17288768f1f1e 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -1,5 +1,5 @@
 # installer daemon
-type installd, domain, domain_deprecated;
+type installd, domain;
 type installd_exec, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
diff --git a/public/keystore.te b/public/keystore.te
index 55cafc541e70e6d3af4a8709381948a9d308900a..22d86be571148dd9536eac4cd649f95f97150971 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -1,4 +1,4 @@
-type keystore, domain, domain_deprecated;
+type keystore, domain;
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon
diff --git a/public/mtp.te b/public/mtp.te
index 0ca7cea357b0fb7f247d60c2d186af97e7bf1c72..a77624064677516b6531cc1a1ba1333b744b4772 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -1,5 +1,5 @@
 # vpn tunneling protocol manager
-type mtp, domain, domain_deprecated;
+type mtp, domain;
 type mtp_exec, exec_type, file_type;
 
 net_domain(mtp)
diff --git a/public/netd.te b/public/netd.te
index 1442be7cf5a37c89e88999c3b572c38d49dc9169..2d72eeb33d6b187ee8e1dea30cf465401661b0d3 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -1,5 +1,5 @@
 # network manager
-type netd, domain, domain_deprecated, mlstrustedsubject;
+type netd, domain, mlstrustedsubject;
 type netd_exec, exec_type, file_type;
 
 net_domain(netd)
diff --git a/public/perfprofd.te b/public/perfprofd.te
index f0df6a0aa89859e3923652e1f2ea8cf8b1d2ca1e..bfb8693fa47d8e98181656bae333410bee868d52 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -4,7 +4,6 @@ type perfprofd_exec, exec_type, file_type;
 
 userdebug_or_eng(`
 
-  typeattribute perfprofd domain_deprecated;
   typeattribute perfprofd coredomain;
   typeattribute perfprofd mlstrustedsubject;
 
diff --git a/public/ppp.te b/public/ppp.te
index 7a5eada59b382c2caab6a361fd78709cdc04c598..06945216318785a7d475bf3834ddb2bfe8f680ac 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -1,5 +1,5 @@
 # Point to Point Protocol daemon
-type ppp, domain, domain_deprecated;
+type ppp, domain;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 
diff --git a/public/radio.te b/public/radio.te
index a8966599b99e1c31f2359c1c147f112180997f37..e8ceb8bc84047d56b070a228b72f256dc5af8996 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -1,5 +1,5 @@
 # phone subsystem
-type radio, domain, domain_deprecated, mlstrustedsubject;
+type radio, domain, mlstrustedsubject;
 
 net_domain(radio)
 bluetooth_domain(radio)
diff --git a/public/recovery.te b/public/recovery.te
index fe02a08109d7082367022db440fb32355362d2af..eefd7665eb1c36cdd9ca2f360017747b4990fb6d 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -2,7 +2,7 @@
 
 # Declare the domain unconditionally so we can always reference it
 # in neverallow rules.
-type recovery, domain, domain_deprecated;
+type recovery, domain;
 
 # But the allow rules are only included in the recovery policy.
 # Otherwise recovery is only allowed the domain rules.
diff --git a/public/rild.te b/public/rild.te
index e4b01869064be3858275b2f1c5237c9ceb34e1d1..14420dffb5d976f54a3034700add458a19423d3d 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -1,5 +1,5 @@
 # rild - radio interface layer daemon
-type rild, domain, domain_deprecated;
+type rild, domain;
 hal_server_domain(rild, hal_telephony)
 
 net_domain(rild)
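Review bot: Dropping `domain_deprecated` from `type rild` has no matching `typeattribute rild domain_deprecated;` in any private hunk shown here, so for rild this is a permission reduction rather than a move. The `-rild` exclusions removed from five `auditallow` blocks in private/domain_deprecated.te suggest rild's use of those accesses was previously exempt from audit logging, so existing logs may not show whether it relies on them. It is worth confirming that rild's own rules grant what it still needs, or that denial logs are clean on a device with telephony active. The same applies to `tee` in public/tee.te, which also loses the attribute with no private counterpart visible. A comment above each declaration, for example `# domain_deprecated intentionally not assigned; required accesses are granted explicitly below.`, would mark the removal as deliberate.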
diff --git a/public/runas.te b/public/runas.te
index 44e8e3ab17f67b6c62b0e2b0f58ec0a1c09cded0..25184092c8f769d5214397e6982d416861176baa 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -1,4 +1,4 @@
-type runas, domain, domain_deprecated, mlstrustedsubject;
+type runas, domain, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
 allow runas adbd:fd use;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 3cb69be63bee5107753e91d48bb0292e9ac762dd..47a2f80611516032ba54c033b6081a025a1d236d 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -1,4 +1,4 @@
-type sdcardd, domain, domain_deprecated;
+type sdcardd, domain;
 type sdcardd_exec, exec_type, file_type;
 
 allow sdcardd cgroup:dir create_dir_perms;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 9794b0b8a690f305c95ec757176c96d79c376345..91cf44d0244adc49669c7f98fee241445f37c27b 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,5 +1,5 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain, domain_deprecated;
+type shared_relro, domain;
 
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;
diff --git a/public/tee.te b/public/tee.te
index a95be88349bf036c840e0aa73035feb898a228ed..31ce541c86e0eb803f9c002f8d97f93e516a5fbc 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -1,7 +1,7 @@
 ##
 # trusted execution environment (tee) daemon
 #
-type tee, domain, domain_deprecated;
+type tee, domain;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
diff --git a/public/ueventd.te b/public/ueventd.te
index b0706c89508b09d1639adefda2f6e5a5995a0266..8cfd643e037b5012e2422c9b687b74a6ab8290a7 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -1,6 +1,6 @@
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type ueventd, domain, domain_deprecated;
+type ueventd, domain;
 
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 6d3ee106d20216810572847a4abe9a51679cf4da..d10eb3916849529ef485f845e7c62918d739f83a 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -1,5 +1,5 @@
 # uncrypt
-type uncrypt, domain, domain_deprecated, mlstrustedsubject;
+type uncrypt, domain, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
 
 allow uncrypt self:capability dac_override;
diff --git a/public/update_engine.te b/public/update_engine.te
index 33eb2a80e681fb018b57dba115722a05f775a365..f32eb303da79b7b4cc2a7e09f133227f56f4dd36 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,5 +1,5 @@
 # Domain for update_engine daemon.
-type update_engine, domain, domain_deprecated, update_engine_common;
+type update_engine, domain, update_engine_common;
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;
 
diff --git a/public/vold.te b/public/vold.te
index 7503d8f4fd5c291cace6d39da87d48cb800c91b5..56a9370c4c38a069d521667a96166b4a4da6cb9f 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -1,5 +1,5 @@
 # volume manager
-type vold, domain, domain_deprecated;
+type vold, domain;
 type vold_exec, exec_type, file_type;
 
 # Read already opened /cache files.