diff --git a/system.te b/system.te
index 3dda4b4bd409883808f419fa64ee80401787b48d..f29367cefb5447854d70a4540dcf04c230f89bc7 100644
--- a/system.te
+++ b/system.te
@@ -1,8 +1,7 @@
-type system_app, domain;
-permissive system_app;
-app_domain(system_app)
-unconfined_domain(system_app)
-
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
 type system, domain;
 permissive system;
 unconfined_domain(system);
diff --git a/system_app.te b/system_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..61a18dbc76d81f0965dcf475bf114271172c0d8f
--- /dev/null
+++ b/system_app.te
@@ -0,0 +1,9 @@
+#
+# Apps that run with the system UID, e.g. com.android.system.ui,
+# com.android.settings.  These are not as privileged as the system
+# server.
+#
+type system_app, domain;
+permissive system_app;
+app_domain(system_app)
+unconfined_domain(system_app)
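Review bot: The new header comment says these apps "are not as privileged as the system server", but the rules under it declare `permissive system_app;` and `unconfined_domain(system_app)`, the same treatment `system` gets in system.te, so nothing in this policy enforces that difference yet. The comment should state this so a reader does not assume confinement, for example `# NOTE: still permissive and unconfined, same as system; no restriction is enforced here yet.` The package name `com.android.system.ui` in the comment is probably meant to be `com.android.systemui`. As a style point, `unconfined_domain(system_app)` has no trailing semicolon while system.te writes `unconfined_domain(system);`, so one form should be used in both files.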