diff --git a/app.te b/app.te
index ba99e55b029019f58eb6020165991145ded534ec..81c6a53434425277e9ad2f7cd15f17598f2062e6 100644
--- a/app.te
+++ b/app.te
@@ -109,6 +109,11 @@ allow appdomain media_rw_data_file:file { read getattr };
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
 allow appdomain radio_data_file:file { read write getattr };
 
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_app system_app_data_file:file { read write getattr };
+
 # Access SDcard.
 allow appdomain sdcard_type:dir create_dir_perms;
 allow appdomain sdcard_type:file create_file_perms;
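Review bot: The new rule `allow untrusted_app system_app_data_file:file { read write getattr };` grants every untrusted app write access to any file in any system-UID app's data directory, not just the Settings cache JPEGs named in the comment, and the comment should state that scope rather than only the motivating case. The rule grants neither `open` nor any `dir` permission, so as far as this hunk shows it can only be exercised on descriptors already received over Binder (assuming `open` is checked as a separate permission in this policy, as it is in Android's) and I would record that constraint so nobody later "completes" the rule with `open` or a `dir search` grant: `# Deliberately no open or dir search: only fds handed over Binder are usable.` It is also scoped to untrusted_app rather than appdomain like the radio and media rules above it; that looks deliberate but the comment does not say why, so a one-line justification would help the next reader.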
diff --git a/file.te b/file.te
index f42585a111c9dd614e69e79506e625c2622001f1..b1a1e24e9c9ed27bdb8c3df084825cc1007add79 100644
--- a/file.te
+++ b/file.te
@@ -81,6 +81,8 @@ type zoneinfo_data_file, file_type, data_file_type;
 typealias audio_data_file alias audio_firmware_file;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
+# /data/data subdirectory for system UID apps.
+type system_app_data_file, file_type, data_file_type;
 # Compatibility with type name used in Android 4.3 and 4.4.
 typealias app_data_file alias platform_app_data_file;
 typealias app_data_file alias download_file;
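Review bot: The new type gets no typealias, unlike the compatibility aliases just below it, so system-app directories created under the old `user=system ... type=system_data_file` mapping keep their old label on upgraded devices until something relabels them; the installd relabelfrom change elsewhere in this patch appears to be what handles that, but nothing here records the dependency. I would expand the comment to `# /data/data subdirectory for system UID apps (seapp_contexts user=system). Split from system_data_file so untrusted_app can be given fd access to it without reaching other /data files; pre-existing dirs are migrated by installd's relabelfrom.`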
diff --git a/installd.te b/installd.te
index 9712881f8252190bc193cc9f95024042887b4511..5ff68f3de462ef6690debbf853c5379f1c228571 100644
--- a/installd.te
+++ b/installd.te
@@ -34,8 +34,10 @@ allow installd shell_data_file:lnk_file { create setattr };
 # restorecon /data/data
 allow installd unlabeled:dir relabelfrom;
 allow installd unlabeled:notdevfile_class_set relabelfrom;
-allow installd system_data_file:dir { relabelfrom relabelto };
-allow installd system_data_file:notdevfile_class_set { relabelfrom relabelto };
+allow installd system_data_file:dir relabelfrom;
+allow installd system_data_file:notdevfile_class_set relabelfrom;
+allow installd system_app_data_file:dir { relabelfrom relabelto };
+allow installd system_app_data_file:notdevfile_class_set { relabelfrom relabelto };
 allow installd bluetooth_data_file:dir { relabelfrom relabelto };
 allow installd bluetooth_data_file:notdevfile_class_set { relabelfrom relabelto };
 allow installd nfc_data_file:dir { relabelfrom relabelto };
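Review bot: Dropping `relabelto` on system_data_file while keeping `relabelfrom` is the right direction, since installd can no longer stamp arbitrary /data paths as system_data_file, but the surviving `relabelfrom` lines carry no comment explaining that they now exist only to migrate pre-split system-app directories, so a later cleanup could either drop them (breaking upgrades) or restore `relabelto` "for symmetry". I would annotate them: `# Migration only: system app dirs from older builds still carry system_data_file. Do not grant relabelto back.` Note also that `relabelfrom` applies to every system_data_file dir installd can reach, not only those under /data/data; that is unchanged from before, but it is worth keeping in mind when reviewing installd's dir search grants, which are outside this hunk.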
diff --git a/seapp_contexts b/seapp_contexts
index 7b217fbf04cf3c590ee75b32695ac645c1b56766..91cfe72af6a89cc89a7af2d491a81f4338a3fa18 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -35,7 +35,7 @@
 # level may be used to specify a fixed level for any UID. 
 #
 isSystemServer=true domain=system_server
-user=system domain=system_app type=system_data_file
+user=system domain=system_app type=system_app_data_file
 user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
diff --git a/system_app.te b/system_app.te
index 25da88a39505f2ce24f707c8f5fefded098ac805..b03ccb422ffad19b6839b6036669a79943cdbb5e 100644
--- a/system_app.te
+++ b/system_app.te
@@ -9,10 +9,9 @@ app_domain(system_app)
 net_domain(system_app)
 binder_service(system_app)
 
-# Read and write system data files.
-# May want to split into separate types.
-allow system_app system_data_file:dir create_dir_perms;
-allow system_app system_data_file:file create_file_perms;
+# Read and write /data/data subdirectory.
+allow system_app system_app_data_file:dir create_dir_perms;
+allow system_app system_app_data_file:file create_file_perms;
 
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
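Review bot: The hunk removes every system_app rule on system_data_file, including read, and adds no read-only fallback; if any system-UID app reads files outside its own /data/data directory that are still labelled system_data_file, that becomes a denial after this change, and nothing in the hunk shows that audit logs were checked. I would confirm on a device with the new labels applied before merging rather than reintroducing a broad read rule, and mention the result in the commit message. The new comment could also name where the type comes from so the split is traceable: `# Read and write own /data/data subdirectory (system_app_data_file, assigned via seapp_contexts user=system).`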