diff --git a/netd.te b/netd.te
index 3c612a4beb58ec9b7a6b7eb4dd95d2b5caf0269f..98a1a2a3c1014c34c7835392b727d75767247d00 100644
--- a/netd.te
+++ b/netd.te
@@ -55,10 +55,19 @@ allow netd clatd:process signal;
 
 set_prop(netd, ctl_mdnsd_prop)
 
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+binder_service(netd)
+allow netd netd_service:service_manager add;
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+
 # Allow netd to operate on sockets that are passed to it.
 allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
 allow netd netdomain:fd use;
 
+
 ###
 ### Neverallow rules
 ###
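Review bot: Nothing in this hunk bounds which domains may look up the new `netd_service`, even though it turns netd into a binder service and the neverallow section starts directly below the added lines. The only `find` grant visible in this commit is the one for system_server, so a compile-time guard such as `neverallow { domain -system_server } netd_service:service_manager find;` would keep a later rule or attribute from silently exposing netd's binder interface to less trusted domains. The exemption list is inferred from this diff alone and may need widening if other domains legitimately look the service up. Separately, `allow netd system_server:binder call;` is a raw rule where the rest of the policy uses `binder_call()`; if the narrower grant is intentional, a comment like `# call only: netd needs no fds from system_server` would stop someone "normalising" it to the macro later.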
diff --git a/service.te b/service.te
index 63636f65392c569af96a07d53c4cdf52a00d86d9..70d50930031f503b1c4dc52ffcc92edc0aa998cb 100644
--- a/service.te
+++ b/service.te
@@ -12,6 +12,7 @@ type mediaserver_service,       service_manager_type;
 type mediaextractor_service,    service_manager_type;
 type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
+type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
 type surfaceflinger_service,    service_manager_type;
diff --git a/service_contexts b/service_contexts
index e23f72bb3b29bbf91d7c855174c4fc09cef007ca..d3c7d72edaba164fbbb2f06efd6719542b8290e3 100644
--- a/service_contexts
+++ b/service_contexts
@@ -2,6 +2,7 @@ accessibility                             u:object_r:accessibility_service:s0
 account                                   u:object_r:account_service:s0
 activity                                  u:object_r:activity_service:s0
 alarm                                     u:object_r:alarm_service:s0
+android.net.INetd                         u:object_r:netd_service:s0
 android.os.UpdateEngineService            u:object_r:update_engine_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
diff --git a/system_server.te b/system_server.te
index 1bbe9efb69cdfa567563b54b364df619ba618dbb..fc3694955e2d3f7c4ddecfa2b9bcfd84a98fac25 100644
--- a/system_server.te
+++ b/system_server.te
@@ -136,6 +136,7 @@ binder_call(system_server, gatekeeperd)
 binder_call(system_server, fingerprintd)
 binder_call(system_server, { appdomain autoplay_app })
 binder_call(system_server, dumpstate)
+binder_call(system_server, netd)
 binder_service(system_server)
 
 # Ask debuggerd to dump backtraces for native stacks of interest.
@@ -397,6 +398,7 @@ allow system_server mediaserver_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
 allow system_server mediacodec_service:service_manager find;
 allow system_server mediadrmserver_service:service_manager find;
+allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server system_server_service:service_manager { add find };