diff --git a/app.te b/app.te
index 73fb68bd7bd37e3ec6bd58b410e98fe7e0bf6291..ffaae238603c994baa0fd029118d3a40eab46936 100644
--- a/app.te
+++ b/app.te
@@ -90,6 +90,14 @@ allow appdomain dumpstate:fd use;
 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
 allow appdomain shell_data_file:file { write getattr };
 
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+  allow appdomain heapdump_data_file:file append;
+')
+
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
 # Everybody can read the xt_qtaguid resource tracking misc dev.
diff --git a/file.te b/file.te
index 25c3b7e29a7048472d411ec4fda1c6538c22e538..42cc8ac3f0ec21a427f590a0a39297c1b20b64ac 100644
--- a/file.te
+++ b/file.te
@@ -82,6 +82,8 @@ type gps_data_file, file_type, data_file_type;
 type property_data_file, file_type, data_file_type;
 # /data/bootchart
 type bootchart_data_file, file_type, data_file_type;
+# /data/system/heapdump
+type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
diff --git a/file_contexts b/file_contexts
index b66c2e07c274124bddc22d3bf6f4ae64b56e8078..fcb22e9e0c9b73ce44a488b85348a1840ff9fcd1 100644
--- a/file_contexts
+++ b/file_contexts
@@ -243,6 +243,7 @@
 /data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
+/data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
diff --git a/system_server.te b/system_server.te
index 895bd44648d24a43a895b845f3604b3af7bba881..a0286287f698279832829751230a417601c0f7d6 100644
--- a/system_server.te
+++ b/system_server.te
@@ -202,6 +202,10 @@ allow system_server backup_data_file:file create_file_perms;
 allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow system_server dalvikcache_profiles_data_file:file create_file_perms;
 
+# Write to /data/system/heapdump
+allow system_server heapdump_data_file:dir rw_dir_perms;
+allow system_server heapdump_data_file:file create_file_perms;
+
 # Manage /data/misc/adb.
 allow system_server adb_keys_file:dir create_dir_perms;
 allow system_server adb_keys_file:file create_file_perms;