diff --git a/app.te b/app.te
index 1540f08b8b880cc7284fdfa581e6ba835059abe2..22a393e24e01501afbfca59011c4bd8d07abb733 100644
--- a/app.te
+++ b/app.te
@@ -26,6 +26,9 @@ allow platform_app shell_data_file:lnk_file read;
 allow platform_app apk_tmp_file:file rw_file_perms;
 # Read /dev/xt_qtaguid
 allow platform_app qtaguid_device:chr_file r_file_perms;
+# ASEC
+allow platform_app asec_apk_file:dir create_dir_perms;
+allow platform_app asec_apk_file:file create_file_perms;
 
 # Apps signed with the media key.
 type media_app, domain;
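Review bot: The two platform_app rules grant `create_dir_perms` and `create_file_perms` on asec_apk_file, which is full create/write/remove access to the contents of mounted containers, and the comment `# ASEC` does not say why a platform app needs to modify them. shared_app later in this file gets read-only access through r_dir_file; if platform apps only need to read from /mnt/asec, `r_dir_file(platform_app, asec_apk_file)` would be the narrower grant. If write access is really required, a comment naming the operation would make the rule auditable, for example `# <component> creates <what> under /mnt/asec` (placeholders, to be filled in by the author).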
@@ -53,6 +56,8 @@ net_domain(shared_app)
 bluetooth_domain(shared_app)
 # Read logs.
 allow shared_app log_device:chr_file read;
+# ASEC
+r_dir_file(shared_app, asec_apk_file);
 
 # Apps signed with the release key (testkey in AOSP).
 type release_app, domain;
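Review bot: `r_dir_file(shared_app, asec_apk_file);` ends with a semicolon, unlike the other macro invocations visible in this hunk (`net_domain(shared_app)`, `bluetooth_domain(shared_app)`). The macro presumably expands to complete allow statements, so the trailing `;` is at best redundant and is inconsistent with the file's style; I would write `r_dir_file(shared_app, asec_apk_file)`. The comment could also state the intent rather than only the feature name, e.g. `# Read files in mounted ASEC containers.`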
diff --git a/domain.te b/domain.te
index 47ad05a3a7314debb1ec20fe8292d28b898494ce..96f971c845372591e3dc79bbe935be07d024ac80 100644
--- a/domain.te
+++ b/domain.te
@@ -54,6 +54,7 @@ allow domain urandom_device:chr_file r_file_perms;
 
 # Filesystem accesses.
 allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
 
 # System file accesses.
 allow domain system_file:dir r_dir_perms;
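Review bot: `allow domain fs_type:dir getattr;` applies to every domain in the policy, including app domains, and the hunk gives no reason for it. It sits in a commit that is otherwise about ASEC, so it looks like it was added to silence a denial seen while walking toward /mnt/asec; if so, a rule scoped to the domains that actually need it would keep the base `domain` grant smaller. At minimum I would add a comment such as `# Allow stat() on the root directory of any filesystem type.` (adjusted to the real reason) so the breadth is a recorded decision.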
diff --git a/file.te b/file.te
index 451ad1dad219f4a45e0f68bda765af87582e40ee..70100a955bf80eaa6e43d4a376a4fa08cc5612b8 100644
--- a/file.te
+++ b/file.te
@@ -32,7 +32,6 @@ type anr_data_file, file_type, data_file_type, mlstrustedobject;
 type tombstone_data_file, file_type, data_file_type;
 # /data/app - user-installed apps
 type apk_data_file, file_type, data_file_type;
-type asec_data_file, file_type, data_file_type;
 type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
 # /data/dalvik-cache
 type dalvikcache_data_file, file_type, data_file_type;
@@ -59,6 +58,10 @@ type cache_file, file_type, mlstrustedobject;
 type efs_file, file_type;
 # Type for wallpaper file.
 type wallpaper_file, file_type, mlstrustedobject;
+# /mnt/asec
+type asec_apk_file, file_type, data_file_type;
+# /data/app-asec
+type asec_image_file, file_type, data_file_type;
 
 # All devices have bluetooth efs files. But they
 # vary per device, so this type is used in per
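Review bot: Both new types carry the `data_file_type` attribute, so any rule elsewhere in the policy written against that attribute will apply to asec_image_file and asec_apk_file in addition to the explicit rules added in this commit. For asec_image_file in particular (the container images under /data/app-asec) it is worth checking which domains gain access that way, since only vold is granted access explicitly. The comments give only paths; something like `# /mnt/asec - contents of mounted ASEC containers` and `# /data/app-asec - ASEC container image files` would make the distinction between the two types clear, assuming that is the intended split.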
diff --git a/file_contexts b/file_contexts
index 8876bfe961006813891c671f9a13232f74bbfa49..713da7991bf243c1fcf53e58a0b72303847ea723 100644
--- a/file_contexts
+++ b/file_contexts
@@ -152,4 +152,5 @@
 /sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
 #############################
 # asec containers
-/mnt/asec(/.*)?         u:object_r:asec_data_file:s0
+/mnt/asec(/.*)?         u:object_r:asec_apk_file:s0
+/data/app-asec(/.*)?    u:object_r:asec_image_file:s0
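Review bot: The `/mnt/asec(/.*)?` entry only takes effect where something consults file_contexts (restorecon or label-aware creation); files inside a mounted container normally get their label from the mounted filesystem itself, through stored xattrs or a mount-time context option. Whether the asec_apk_file rules added elsewhere in this commit ever match therefore depends on how vold mounts and labels the containers, which is not visible here. I would add a comment above the entry saying which mechanism is relied on, and confirm on a device that files under a mounted container show `asec_apk_file`.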
diff --git a/installd.te b/installd.te
index 2a87eb7b1ab62c3288d5248f12ae83f90cad0e48..553127c005a3b7623f240037321614a814b6c69c 100644
--- a/installd.te
+++ b/installd.te
@@ -20,3 +20,7 @@ dontaudit installd self:capability sys_admin;
 selinux_check_context(installd)
 # Read /seapp_contexts, presently on the rootfs.
 allow installd rootfs:file r_file_perms;
+# ASEC
+allow installd platform_app_data_file:lnk_file { create setattr };
+allow installd app_data_file:lnk_file { create setattr };
+allow installd asec_apk_file:file r_file_perms;
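Review bot: `allow installd asec_apk_file:file r_file_perms;` grants file reads but the hunk adds no directory permission on asec_apk_file, so unless installd already has search on those directories through a rule outside this hunk (for example one written against an attribute), the open will be denied at path lookup. If that is not covered elsewhere, `allow installd asec_apk_file:dir search;` or `r_dir_file(installd, asec_apk_file)` would be needed. The two lnk_file rules under `# ASEC` let installd create symlinks inside app-owned data directories; a comment stating which link is created and why would help reviewers judge that grant.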
diff --git a/vold.te b/vold.te
index 86dbbb7a796f07da9687bd1e494a9e8b54af3c34..60d6a37296f1a2c8c3c343d0c441b8f98bdaf607 100644
--- a/vold.te
+++ b/vold.te
@@ -16,7 +16,7 @@ allow vold sdcard:dir create_dir_perms;
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin };
+allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
 allow vold self:netlink_kobject_uevent_socket *;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
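Review bot: The capability line adds `chown fowner fsetid` to a domain that already holds `dac_override` and `sys_admin`, with no comment saying which operation needs them. Together these let vold change ownership and mode bits on any file its type rules reach, so the justification should be recorded next to the rule, e.g. `# chown/chmod of files inside ASEC containers when fixing permissions.` if that is the actual use. If only one code path needs them, it is worth confirming that all three are required and not just whichever one appeared in the denial log.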
@@ -39,7 +39,7 @@ allow vold sysfs:file rw_file_perms;
 unix_socket_connect(vold, property, init)
 
 # Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount };
+allow vold labeledfs:filesystem { mount unmount remount };
 
 # Access /efs/userdata_footer.
 # XXX Split into a separate type?
@@ -53,7 +53,14 @@ allow vold kernel:system module_request;
 allow vold proc:file write;
 
 # Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { open read write create add_name mounton };
+allow vold system_data_file:dir { rw_dir_perms mounton };
 
 # Property Service
 allow vold vold_prop:property_service set;
+
+# ASEC
+allow vold asec_image_file:file create_file_perms;
+allow vold asec_image_file:dir rw_dir_perms;
+allow vold rootfs:file r_file_perms;
+allow vold asec_apk_file:dir { rw_dir_perms setattr };
+allow vold asec_apk_file:file { r_file_perms setattr };
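Review bot: Replacing `{ open read write create add_name mounton }` with `{ rw_dir_perms mounton }` appears to drop `create`: as far as I know rw_dir_perms covers reading, searching and adding/removing entries but not directory creation, while the comment above still says vold creates /data/tmp_mnt. If vold still makes that directory the mkdir will be denied; `allow vold system_data_file:dir { create rw_dir_perms mounton };` keeps the old behaviour. The macro also brings in `remove_name` on every system_data_file directory, which is wider than the previous rule. In the ASEC block, `allow vold rootfs:file r_file_perms;` has no obvious connection to ASEC and deserves its own comment saying which rootfs file is read.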