diff --git a/file.te b/file.te
index 4dbf1c895ab7701974a460d4265d6f22e3433089..484b8fe742ab05ffcbe83f1d08ffbb413bfe4e2d 100644
--- a/file.te
+++ b/file.te
@@ -68,7 +68,8 @@ type asec_apk_file, file_type, data_file_type;
 type asec_image_file, file_type, data_file_type;
 # /data/backup and /data/secure/backup
 type backup_data_file, file_type, data_file_type, mlstrustedobject;
-
+# For /data/security
+type security_file, file_type;
 # All devices have bluetooth efs files. But they
 # vary per device, so this type is used in per
 # device policy
diff --git a/file_contexts b/file_contexts
index c47b44b5c2ec18586d2f12de2a86d8a692a2c0b7..0d2db388b72fb820a57670a19e110b39528df983 100644
--- a/file_contexts
+++ b/file_contexts
@@ -145,6 +145,7 @@
 /data(/.*)? u:object_r:system_data_file:s0
 /data/backup(/.*)? u:object_r:backup_data_file:s0
 /data/secure/backup(/.*)? u:object_r:backup_data_file:s0
+/data/security(/.*)? u:object_r:security_file:s0
 /data/drm(/.*)? u:object_r:drm_data_file:s0
 /data/gps(/.*)? u:object_r:gps_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
diff --git a/property.te b/property.te
index ed84c641fa817f0a1b391928d532b7ef2c0563d1..adebc6a3b850cb3f5d9d01d970cfabb019693141 100644
--- a/property.te
+++ b/property.te
@@ -8,3 +8,4 @@ type ctl_default_prop, property_type;
 type ctl_dumpstate_prop, property_type;
 type ctl_rildaemon_prop, property_type;
 type audio_prop, property_type;
+type security_prop, property_type;
diff --git a/property_contexts b/property_contexts
index d86bcb628a03ef3e32f63b55ca09e2e78f1de499..7b0ce043764147ea7da36c89deb54bdbdccadb71 100644
--- a/property_contexts
+++ b/property_contexts
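Review bot: The new `security_file` type is declared with only `file_type`, while the neighbouring /data types in this hunk (`asec_apk_file`, `asec_image_file`, `backup_data_file`) also carry `data_file_type`, so any attribute-based rules written over `data_file_type` will not apply to /data/security. If that omission is deliberate — keeping generic data-file grants away from the policy files the te_macros hunk describes — the comment should say so, e.g. `# For /data/security (not data_file_type: policy files are excluded from generic data_file_type rules)`; otherwise add the attribute for consistency with the entries above it. The file_contexts hunk on this same line labels everything under `/data/security(/.*)?` with this type, so the attribute choice covers the whole tree.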
@@ -33,7 +33,12 @@ persist.audio. u:object_r:audio_prop:s0
 persist.sys. u:object_r:system_prop:s0
 persist.service. u:object_r:system_prop:s0
 persist.security. u:object_r:system_prop:s0
-selinux. u:object_r:system_prop:s0
+
+# mmac persistent properties
+persist.mmac. u:object_r:security_prop:s0
+
+# selinux non-persistent properties
+selinux. u:object_r:security_prop:s0
 
 # default property context
 * u:object_r:default_prop:s0
@@ -46,6 +51,3 @@ crypto. u:object_r:vold_prop:s0
 ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
 ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
 ctl. u:object_r:ctl_default_prop:s0
-
-# mac middleware property
-persist.mac_enforcing_mode u:object_r:system_prop:s0
diff --git a/system.te b/system.te
index 7e207c3ae85d18dfc5afcbde3bb0c800e9c9379f..a872516596adca972fa35df904212b5ff08070dc 100644
--- a/system.te
+++ b/system.te
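Review bot: Relabelling the `selinux.` prefix from `system_prop` to `security_prop` revokes that prefix from every domain that only holds `system_prop:property_service set`; on this page the only grants of `security_prop` come from the new `selinux_manage_policy`/`mmac_manage_policy` macros, so any other setter of `selinux.*` would now be denied, and the `persist.mac_enforcing_mode` mapping removed in the second hunk falls to whatever shorter prefix or the `*` default entry matches it. Worth confirming that no other domain or native code still sets those names. Also `persist.security.` stays on `system_prop` directly above the new `persist.mmac.` line; if that split is intended, a one-line comment such as `# persist.security. is a generic system prefix, not an SELinux/MMAC control` would keep the two from being confused.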
@@ -24,31 +24,26 @@ allow system_app dalvikcache_data_file:file { write setattr };
 unix_socket_connect(system_app, keystore, keystore)
 
 # Read SELinux enforcing status.
+selinux_getenforce(system)
 selinux_getenforce(system_app)
 
+# Settings app reads sdcard for storage stats
+allow system_app sdcard:dir r_dir_perms;
+
 bool manage_selinux true;
 if (manage_selinux) {
-# Set SELinux enforcing status.
-selinux_setenforce(system_app)
-
-# Set SELinux booleans.
-selinux_setbool(system_app)
-
-# Read syslog to display AVC messages.
-allow system_app kernel:system syslog_read;
+selinux_manage_policy(system)
+selinux_manage_policy(system_app)
+access_kmsg(system)
+access_kmsg(system_app)
 }
 
 bool manage_mac true;
 if (manage_mac) {
-# Set properties via the init property service.
-unix_socket_connect(system_app, property, init)
-
-# Set the persist.mac_enforcing_mode property.
-allow system_app system_prop:property_service set;
-
-# Run logcat and read the logs for MAC denials.
-allow system_app system_file:file x_file_perms;
-allow system_app log_device:chr_file read;
+mmac_manage_policy(system)
+mmac_manage_policy(system_app)
+access_logcat(system)
+access_logcat(system_app)
 }
 
 #
diff --git a/te_macros b/te_macros
index 7883c40ec7177b5a1705a704db80af154c65ed4b..bda87d466cc5ccc1622550fb0c7c4d4aba65c093 100644
--- a/te_macros
+++ b/te_macros
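Review bot: The `system` domain now receives `selinux_manage_policy` and `mmac_manage_policy` alongside `system_app`, which per the te_macros hunk bundles `selinux_setenforce`, `selinux_setbool`, create access on `security_file` and `security_prop:property_service set`, all gated by booleans whose defaults on this page are `true`. The removed lines each explained why system_app needed a given permission; the replacement macro calls carry no comment saying why system_server needs the same write and setenforce capability rather than the read-only `security_access_policy`. Suggest `# system_server manages policy files and enforcing mode too; see selinux_manage_policy/mmac_manage_policy in te_macros` above the calls, or narrow `system` to the read-only macro if it only needs to observe state. The `sdcard:dir r_dir_perms` grant is unrelated to the policy-management change and would be easier to audit as its own commit.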
@@ -224,3 +224,65 @@ allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setbool;
 ')
+
+#####################################
+# security_access_policy(domain)
+# Read only access to all policy files and
+# selinuxfs
+define(`security_access_policy', `
+allow $1 security_file:dir r_dir_perms;
+allow $1 security_file:file r_file_perms;
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file r_file_perms;
+allow $1 rootfs:dir r_dir_perms;
+allow $1 rootfs:file r_file_perms;
+allow $1 system_file:dir r_dir_perms;
+allow $1 system_file:file r_file_perms;
+')
+
+#####################################
+# selinux_manage_policy(domain)
+# Ability to manage policy files,
+# trigger runtime reload, change
+# enforcing mode, manipulate booleans
+# and access kernel logs.
+define(`selinux_manage_policy', `
+selinux_setenforce($1)
+selinux_setbool($1)
+security_access_policy($1)
+unix_socket_connect($1, property, init)
+allow $1 security_file:dir create_dir_perms;
+allow $1 security_file:file create_file_perms;
+allow $1 security_prop:property_service set;
+')
+
+#####################################
+# mmac_manage_policy(domain)
+# Ability to manage mmac policy files,
+# trigger runtime reload, change
+# mmac enforcing mode and access logcat.
+define(`mmac_manage_policy', `
+unix_socket_connect($1, property, init)
+allow $1 security_file:dir create_dir_perms;
+allow $1 security_file:file create_file_perms;
+allow $1 security_prop:property_service set;
+')
+
+#####################################
+# access_logcat(domain)
+# Ability to read from logcat logs
+# and execute the logcat command
+define(`access_logcat', `
+allow $1 log_device:chr_file read;
+allow $1 system_file:file x_file_perms;
+')
+
+#####################################
+# access_kmsg(domain)
+# Ability to read from kernel logs
+# and execute the klogctl syscall
+# in a non destructive manner. See
+# man 2 klogctl
+define(`access_kmsg', `
+allow $1 kernel:system syslog_read;
+')
\ No newline at end of file
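Review bot: The header comments of the two manage macros promise more than the macros grant: `selinux_manage_policy` says "and access kernel logs" but does not include `access_kmsg`, and `mmac_manage_policy` says "and access logcat" but does not include `access_logcat`; system.te calls those two separately, so either drop the phrases from the comments or add the calls inside the macros so callers cannot get the policy grant without the log grant the comment advertises. The four rules in `mmac_manage_policy` are repeated verbatim inside `selinux_manage_policy`, which could instead call `mmac_manage_policy($1)` so the two cannot drift apart. The file now ends without a trailing newline, as the `\ No newline at end of file` marker shows.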