diff --git a/te_macros b/te_macros
index 9f885bf4fe1437416f6600207849349a162bb96b..c7c93aad89e0244e657165f86985765bce67c783 100644
--- a/te_macros
+++ b/te_macros
@@ -72,7 +72,9 @@ allow $1 $2:{ file lnk_file } r_file_perms;
 
 #####################################
 # unconfined_domain(domain)
-# Allow the specified domain to do anything.
+# Allow the specified domain to perform more privileged operations
+# than would be typically allowed. Please see the comments at the
+# top of unconfined.te.
 #
 define(`unconfined_domain', `
 typeattribute $1 mlstrustedsubject;
diff --git a/unconfined.te b/unconfined.te
index 9b1b992e58d6a9d279826b8354572133f200b45d..80f88b7bc6a129941bbef7d9eebc2f1e13b84779 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -1,3 +1,21 @@
+#######################################################
+#
+# This is the unconfined template. This template is the base policy
+# which is used by daemons and other privileged components of
+# Android.
+#
+# Historically, this template was called "unconfined" because it
+# allowed the domain to do anything it wanted. Over time,
+# this has changed, and will continue to change in the future.
+# The rules in this file will be removed when no remaining
+# unconfined domains require it, or when the rules contradict
+# Android security best practices. Domains which need rules not
+# provided by the unconfined template should add them directly to
+# the relevant policy.
+#
+# The use of this template is discouraged.
+######################################################
+
 allow unconfineddomain self:capability_class_set *;
 allow unconfineddomain kernel:security ~load_policy;
 allow unconfineddomain kernel:system *;