diff --git a/adbd.te b/adbd.te
index 57b1e48e0b65475ab5914de03f53b3c83a218eac..a74d10bd477db9324390b738e900edd5f9447dfc 100644
--- a/adbd.te
+++ b/adbd.te
@@ -42,10 +42,9 @@ allow adbd anr_data_file:dir r_dir_perms;
 allow adbd anr_data_file:file r_file_perms;
 
 # Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
-unix_socket_connect(adbd, property, init)
-allow adbd shell_prop:property_service set;
-allow adbd powerctl_prop:property_service set;
-allow adbd ffs_prop:property_service set;
+set_prop(adbd, shell_prop)
+set_prop(adbd, powerctl_prop)
+set_prop(adbd, ffs_prop)
 
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
diff --git a/bluetooth.te b/bluetooth.te
index 890c1d98b93b90ba626c7556010ad7ca32ed30bb..847b11eb570079dd6243a9f8a99fcac932cdbe2d 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -38,16 +38,13 @@ allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read
 allow bluetooth self:tun_socket create_socket_perms;
 allow bluetooth efs_file:dir search;
 
-# Talk to init over the property socket.
-unix_socket_connect(bluetooth, property, init)
-
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 
 # Allow write access to bluetooth specific properties
-allow bluetooth bluetooth_prop:property_service set;
-allow bluetooth pan_result_prop:property_service set;
-allow bluetooth ctl_dhcp_pan_prop:property_service set;
+set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, pan_result_prop)
+set_prop(bluetooth, ctl_dhcp_pan_prop)
 
 allow bluetooth bluetooth_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
diff --git a/dhcp.te b/dhcp.te
index 32a6cccb147bb811663e2e02ba0ddcf9874ec24c..cbf105c65629329aeefd8f62ece8648a862a70e2 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -13,9 +13,9 @@ allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
 allow dhcp proc_net:file write;
-allow dhcp dhcp_prop:property_service set;
-allow dhcp pan_result_prop:property_service set;
-unix_socket_connect(dhcp, property, init)
+
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)
 
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;
diff --git a/healthd.te b/healthd.te
index 2ea825c8f36fc15b996d39e354dd7631cfb4a35e..a1019ee92374b5c5a48d34487579843006c76235 100644
--- a/healthd.te
+++ b/healthd.te
@@ -42,5 +42,4 @@ allow healthd healthd_service:service_manager { add find };
 
 # Healthd needs to tell init to continue the boot
 # process when running in charger mode.
-unix_socket_connect(healthd, property, init)
-allow healthd system_prop:property_service set;
+set_prop(healthd, system_prop)
diff --git a/mediaserver.te b/mediaserver.te
index d269097303bc93228562d3d658c487f9b3c9dbf7..cb0995c42c68e116f45bdee0495ae088262cffaa 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -6,7 +6,6 @@ typeattribute mediaserver mlstrustedsubject;
 
 net_domain(mediaserver)
 init_daemon_domain(mediaserver)
-unix_socket_connect(mediaserver, property, init)
 
 r_dir_file(mediaserver, sdcard_type)
 
@@ -27,7 +26,8 @@ allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 allow mediaserver audio_device:dir r_dir_perms;
 allow mediaserver tee_device:chr_file rw_file_perms;
-allow mediaserver audio_prop:property_service set;
+
+set_prop(mediaserver, audio_prop)
 
 # Access audio devices at all.
 allow mediaserver audio_device:chr_file rw_file_perms;
diff --git a/netd.te b/netd.te
index f84b45279e5ceeb3918ad48ebf23ac0fb81194b7..d4c51531732bda959472115bd652eb2a7b36588c 100644
--- a/netd.te
+++ b/netd.te
@@ -30,9 +30,8 @@ allow netd proc_net:file write;
 allow netd sysfs:file write;
 
 # Set dhcp lease for PAN connection
-unix_socket_connect(netd, property, init)
-allow netd dhcp_prop:property_service set;
-allow netd system_prop:property_service set;
+set_prop(netd, dhcp_prop)
+set_prop(netd, system_prop)
 auditallow netd system_prop:property_service set;
 
 # Connect to PAN
@@ -62,7 +61,7 @@ allow netd dnsmasq:process signal;
 domain_auto_trans(netd, clatd_exec, clatd)
 allow netd clatd:process signal;
 
-allow netd ctl_mdnsd_prop:property_service set;
+set_prop(netd, ctl_mdnsd_prop)
 
 # Allow netd to operate on sockets that are passed to it.
 allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
diff --git a/nfc.te b/nfc.te
index 8528b4f71994d8714080292813bad946c7c7a936..71841be369ede557d8242059897e8c345d95c377 100644
--- a/nfc.te
+++ b/nfc.te
@@ -5,8 +5,7 @@ net_domain(nfc)
 binder_service(nfc)
 
 # Set NFC properties
-unix_socket_connect(nfc, property, init)
-allow nfc nfc_prop:property_service set;
+set_prop(nfc, nfc_prop)
 
 # NFC device access.
 allow nfc nfc_device:chr_file rw_file_perms;
diff --git a/radio.te b/radio.te
index 92f18d22b4b0126062e106401f360d333011fb35..a01a113769ab03b44897176ba7bb6af4fdf73a26 100644
--- a/radio.te
+++ b/radio.te
@@ -5,9 +5,6 @@ net_domain(radio)
 bluetooth_domain(radio)
 binder_service(radio)
 
-# Talks to init via the property socket.
-unix_socket_connect(radio, property, init)
-
 # Talks to rild via the rild socket.
 unix_socket_connect(radio, rild, rild)
 
@@ -21,14 +18,14 @@ allow radio net_data_file:dir search;
 allow radio net_data_file:file r_file_perms;
 
 # Property service
-allow radio radio_prop:property_service set;
-allow radio net_radio_prop:property_service set;
-allow radio system_radio_prop:property_service set;
+set_prop(radio, radio_prop)
+set_prop(radio, system_radio_prop)
+set_prop(radio, net_radio_prop)
 auditallow radio net_radio_prop:property_service set;
 auditallow radio system_radio_prop:property_service set;
 
 # ctl interface
-allow radio ctl_rildaemon_prop:property_service set;
+set_prop(radio, ctl_rildaemon_prop)
 
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
diff --git a/recovery.te b/recovery.te
index 85763563f380fb5e17b77d9d7adcef1bed2cd011..29f1a50ec5337b1ad4375e3757169a86fddd4464 100644
--- a/recovery.te
+++ b/recovery.te
@@ -78,11 +78,10 @@ recovery_only(`
   allow recovery cache_file:file create_file_perms;
 
   # Reboot the device
-  allow recovery powerctl_prop:property_service set;
-  unix_socket_connect(recovery, property, init)
+  set_prop(recovery, powerctl_prop)
 
   # Start/stop adbd via ctl.start adbd
-  allow recovery ctl_default_prop:property_service set;
+  set_prop(recovery, ctl_default_prop)
 
   # Use setfscreatecon() to label files for OTA updates.
   allow recovery self:process setfscreate;
diff --git a/rild.te b/rild.te
index d8e48d5e67f85148ab81f74391e377d2272ace4a..549a4aa1745f8a287333259b2a15ff35e3e886fc 100644
--- a/rild.te
+++ b/rild.te
@@ -6,7 +6,6 @@ init_daemon_domain(rild)
 net_domain(rild)
 allow rild self:netlink_route_socket nlmsg_write;
 allow rild kernel:system module_request;
-unix_socket_connect(rild, property, init)
 allow rild self:capability { setuid net_admin net_raw };
 allow rild alarm_device:chr_file rw_file_perms;
 allow rild cgroup:dir create_dir_perms;
@@ -26,9 +25,9 @@ allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;
 
 # property service
-allow rild radio_prop:property_service set;
-allow rild net_radio_prop:property_service set;
-allow rild system_radio_prop:property_service set;
+set_prop(rild, radio_prop)
+set_prop(rild, net_radio_prop)
+set_prop(rild, system_radio_prop)
 auditallow rild net_radio_prop:property_service set;
 auditallow rild system_radio_prop:property_service set;
 
diff --git a/shell.te b/shell.te
index e7ea149df7781f0b2b14c903b59e4262ea14d8bd..c55ce3e88f211cda601e38bfa2ca3a7e1e1ef6fb 100644
--- a/shell.te
+++ b/shell.te
@@ -41,11 +41,10 @@ allow shell zygote_exec:file rx_file_perms;
 r_dir_file(shell, apk_data_file)
 
 # Set properties.
-unix_socket_connect(shell, property, init)
-allow shell shell_prop:property_service set;
-allow shell ctl_dumpstate_prop:property_service set;
-allow shell debug_prop:property_service set;
-allow shell powerctl_prop:property_service set;
+set_prop(shell, shell_prop)
+set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, debug_prop)
+set_prop(shell, powerctl_prop)
 
 # systrace support - allow atrace to run
 # debugfs doesn't support labeling individual files, so we have
diff --git a/surfaceflinger.te b/surfaceflinger.te
index c85df828c68f6888dc5eaabe05124c6f368976a2..26a4e48cf719401822eeacdb98ed752064df5f3b 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -5,9 +5,6 @@ type surfaceflinger_exec, exec_type, file_type;
 init_daemon_domain(surfaceflinger)
 typeattribute surfaceflinger mlstrustedsubject;
 
-# Talk to init over the property socket.
-unix_socket_connect(surfaceflinger, property, init)
-
 # Perform Binder IPC.
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, binderservicedomain)
@@ -37,8 +34,8 @@ allow surfaceflinger video_device:chr_file rw_file_perms;
 allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Set properties.
-allow surfaceflinger system_prop:property_service set;
-allow surfaceflinger ctl_bootanim_prop:property_service set;
+set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, ctl_bootanim_prop)
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
diff --git a/system_app.te b/system_app.te
index 964407e6e95a1354b843efe1451cd7e641b6096d..407b85e7de9f4b8309a8cd3dd2fdf07afb1e0327 100644
--- a/system_app.te
+++ b/system_app.te
@@ -31,15 +31,14 @@ auditallow system_app system_data_file:file { create setattr append write link u
 allow system_app wallpaper_file:file r_file_perms;
 
 # Write to properties
-unix_socket_connect(system_app, property, init)
-allow system_app debug_prop:property_service set;
-allow system_app net_radio_prop:property_service set;
-allow system_app system_radio_prop:property_service set;
+set_prop(system_app, debug_prop)
+set_prop(system_app, system_prop)
+set_prop(system_app, ctl_bugreport_prop)
+set_prop(system_app, logd_prop)
+set_prop(system_app, net_radio_prop)
+set_prop(system_app, system_radio_prop)
 auditallow system_app net_radio_prop:property_service set;
 auditallow system_app system_radio_prop:property_service set;
-allow system_app system_prop:property_service set;
-allow system_app ctl_bugreport_prop:property_service set;
-allow system_app logd_prop:property_service set;
 
 # Create /data/anr/traces.txt.
 allow system_app anr_data_file:dir ra_dir_perms;
diff --git a/system_server.te b/system_server.te
index d8e59788c3460b0d25cb7d19e609bb67f6ce4072..d225b7c862334c02cc968bbdf3f8ab90316e7aed 100644
--- a/system_server.te
+++ b/system_server.te
@@ -105,7 +105,6 @@ allow system_server self:tun_socket create_socket_perms;
 allow system_server init:process sigchld;
 
 # Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, property, init)
 unix_socket_connect(system_server, installd, installd)
 unix_socket_connect(system_server, lmkd, lmkd)
 unix_socket_connect(system_server, mtpd, mtp)
@@ -273,18 +272,18 @@ allow system_server system_data_file:dir relabelfrom;
 allow system_server anr_data_file:dir relabelto;
 
 # Property Service write
-allow system_server system_prop:property_service set;
-allow system_server dhcp_prop:property_service set;
-allow system_server net_radio_prop:property_service set;
-allow system_server system_radio_prop:property_service set;
-allow system_server debug_prop:property_service set;
-allow system_server powerctl_prop:property_service set;
-allow system_server fingerprint_prop:property_service set;
+set_prop(system_server, system_prop)
+set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_radio_prop)
+set_prop(system_server, system_radio_prop)
+set_prop(system_server, debug_prop)
+set_prop(system_server, powerctl_prop)
+set_prop(system_server, fingerprint_prop)
 
 # ctl interface
-allow system_server ctl_default_prop:property_service set;
-allow system_server ctl_dhcp_pan_prop:property_service set;
-allow system_server ctl_bugreport_prop:property_service set;
+set_prop(system_server, ctl_default_prop)
+set_prop(system_server, ctl_dhcp_pan_prop)
+set_prop(system_server, ctl_bugreport_prop)
 
 # Create a socket for receiving info from wpa.
 type_transition system_server wifi_data_file:sock_file system_wpa_socket;
diff --git a/te_macros b/te_macros
index fae0e3a5e98ab22d34cddc88b9cc55041cb433f8..408d9d5fe6cb6bfae5d56cf5147f9512eed10351 100644
--- a/te_macros
+++ b/te_macros
@@ -118,11 +118,31 @@ typeattribute $1 bluetoothdomain;
 # unix_socket_connect(clientdomain, socket, serverdomain)
 # Allow a local socket connection from clientdomain via
 # socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
 define(`unix_socket_connect', `
 allow $1 $2_socket:sock_file write;
 allow $1 $3:unix_stream_socket connectto;
 ')
 
+#####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+unix_socket_connect($1, property, init)
+allow $1 $2:property_service set;
+')
+
 #####################################
 # unix_socket_send(clientdomain, socket, serverdomain)
 # Allow a local socket send from clientdomain via
diff --git a/uncrypt.te b/uncrypt.te
index 743236d484ae6d4f52a53a35f84df6379d2eb6bb..f701084e2330e7c7a53b0eae8f391a42dd2c380d 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -21,8 +21,7 @@ allow uncrypt cache_file:dir rw_dir_perms;
 allow uncrypt cache_file:file create_file_perms;
 
 # Set a property to reboot the device.
-unix_socket_connect(uncrypt, property, init)
-allow uncrypt powerctl_prop:property_service set;
+set_prop(uncrypt, powerctl_prop)
 
 # Raw writes to block device
 allow uncrypt self:capability sys_rawio;
diff --git a/vold.te b/vold.te
index 14e8a16bc087077f869bfe7550e671704d115463..b3b4ba80392d035a2853413e386588af9a7a1307 100644
--- a/vold.te
+++ b/vold.te
@@ -94,9 +94,6 @@ allow vold fscklogs:file create_file_perms;
 # Rules to support encrypted fs support.
 #
 
-# Set property.
-unix_socket_connect(vold, property, init)
-
 # Unmount and mount the fs.
 allow vold labeledfs:filesystem { mount unmount remount };
 
@@ -111,9 +108,9 @@ allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
 allow vold kernel:process setsched;
 
 # Property Service
-allow vold vold_prop:property_service set;
-allow vold powerctl_prop:property_service set;
-allow vold ctl_fuse_prop:property_service set;
+set_prop(vold, vold_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
 
 # ASEC
 allow vold asec_image_file:file create_file_perms;