diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ab4a49a7b512ec008bb9f0ddb4a6de8b4ecf8e09..77d1b4fc18dc96e12f1b75c437abb9326195c28d 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -53,6 +53,8 @@
     timezone_service
     tombstoned_java_trace_socket
     tombstone_wifi_data_file
+    traceur_app
+    traceur_app_tmpfs
     update_engine_log_data_file
     vendor_init
     vold_prepare_subdirs
diff --git a/private/domain.te b/private/domain.te
index ff7f1b3a7743bcdb1ace817345966f4c23ca686f..1fd75bc78f4a90a37f7eebd6b787b08c8c0000b6 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -72,6 +72,7 @@ full_treble_only(`
     -init
     userdebug_or_eng(`-perfprofd')
     -shell
+    userdebug_or_eng(`-traceur_app')
     -vendor_init
   } debugfs_tracing:file no_rw_file_perms;
 
diff --git a/private/seapp_contexts b/private/seapp_contexts
index a97fc70552313b4c51a14a48a444978d87b9e05b..76f299866425dc70f0e769fcdf1fc13fcea36ea0 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -95,6 +95,7 @@ neverallow user=shell domain=((?!shell).)*
 neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
 
 isSystemServer=true domain=system_server
+user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
diff --git a/private/statsd.te b/private/statsd.te
index 82691d3a3fd8e8373e49cac6879f8a3a46927482..617021af7d847c362f82e26cee8f5b6e3ecc0fe9 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -51,7 +51,7 @@ binder_call(statsd, stats)
 ### neverallow rules
 ###
 
-# Only system_server, system_app, and stats command can find the stats service.
+# Only system_server, system_app, traceur_app, and stats command can find the stats service.
 neverallow {
   domain
   -dumpstate
@@ -60,6 +60,7 @@ neverallow {
   -statsd
   -system_app
   -system_server
+  userdebug_or_eng(`-traceur_app')
 } stats_service:service_manager find;
 
 # Only statsd and the other root services in limited circumstances.
diff --git a/private/traceur_app.te b/private/traceur_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..194a28fd470df9b8d8cf3c919f2d3968e148bf02
--- /dev/null
+++ b/private/traceur_app.te
@@ -0,0 +1,7 @@
+typeattribute traceur_app coredomain;
+
+userdebug_or_eng(`
+  app_domain(traceur_app);
+  allow traceur_app debugfs_tracing:file r_file_perms;
+  allow traceur_app atrace_exec:file rx_file_perms;
+')
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 5dc6894cafe9c08029324ab142ff3d9be66ef4fd..dd7c1abd0ad6cd696777ee7111339fbb1ca0de69 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -272,8 +272,14 @@ allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
 # accessing sensitive /proc/PID files, never for using ptrace attach.
 neverallow dumpstate *:process ptrace;
 
-# only system_server, dumpstate and shell can find the dumpstate service
-neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
+# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
+neverallow {
+  domain
+  -system_server
+  -shell
+  userdebug_or_eng(`-traceur_app')
+  -dumpstate
+} dumpstate_service:service_manager find;
 
 # Dumpstate should not be writing to any generically labeled sysfs files.
 # Create a specific label for the file type
diff --git a/public/traceur_app.te b/public/traceur_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..ab08c62602bb4330c8aaf8d7c3a5f45a63adddef
--- /dev/null
+++ b/public/traceur_app.te
@@ -0,0 +1,21 @@
+type traceur_app, domain;
+
+userdebug_or_eng(`
+  allow traceur_app servicemanager:service_manager list;
+  allow traceur_app hwservicemanager:hwservice_manager list;
+
+  set_prop(traceur_app, debug_prop)
+
+  allow traceur_app {
+    service_manager_type
+    -gatekeeper_service
+    -incident_service
+    -installd_service
+    -netd_service
+    -virtual_touchpad_service
+    -vold_service
+    -vr_hwc_service
+  }:service_manager find;
+
+  dontaudit traceur_app domain:binder call;
+')