diff --git a/private/system_app.te b/private/system_app.te
index f6b03053fca91363cdd8e493b04f9852e3d18d96..367df1f245831516992639becf8ed9f8b9a25a65 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -1 +1,80 @@
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings. These are not as privileged as the system
+### server.
+###
+
+typeattribute system_app domain_deprecated;
+
 app_domain(system_app)
+net_domain(system_app)
+binder_service(system_app)
+
+# Read and write /data/data subdirectory.
+allow system_app system_app_data_file:dir create_dir_perms;
+allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
+
+# Read and write to /data/misc/user.
+allow system_app misc_user_data_file:dir create_dir_perms;
+allow system_app misc_user_data_file:file create_file_perms;
+
+# Access to vold-mounted storage for measuring free space
+allow system_app mnt_media_rw_file:dir search;
+
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
+# Read icon file.
+allow system_app icon_file:file r_file_perms;
+
+# Write to properties
+set_prop(system_app, bluetooth_prop)
+set_prop(system_app, debug_prop)
+set_prop(system_app, system_prop)
+set_prop(system_app, logd_prop)
+set_prop(system_app, net_radio_prop)
+set_prop(system_app, system_radio_prop)
+set_prop(system_app, log_tag_prop)
+userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
+auditallow system_app net_radio_prop:property_service set;
+auditallow system_app system_radio_prop:property_service set;
+
+# ctl interface
+set_prop(system_app, ctl_default_prop)
+set_prop(system_app, ctl_bugreport_prop)
+
+# Create /data/anr/traces.txt.
+allow system_app anr_data_file:dir ra_dir_perms;
+allow system_app anr_data_file:file create_file_perms;
+
+# Settings need to access app name and icon from asec
+allow system_app asec_apk_file:file r_file_perms;
+
+allow system_app servicemanager:service_manager list;
+# TODO: scope this down? Too broad?
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service }:service_manager find;
+
+allow system_app keystore:keystore_key {
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ user_changed
+};
+
+# /sys access
+r_dir_file(system_app, sysfs_type)
+
+control_logd(system_app)
diff --git a/public/system_app.te b/public/system_app.te
index 9eddf65880b5ea54df0c6aa6dbe82c8e9cfa173f..023058ee0f0f2220e94101cdbe92fafeff4bfbfd 100644
--- a/public/system_app.te
+++ b/public/system_app.te
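Review bot: The `allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service }:service_manager find;` rule, carried verbatim into private policy, is a denylist over an attribute: any type that is later given `service_manager_type` becomes findable by system_app unless someone remembers to extend the exclusions, and the `# TODO: scope this down? Too broad?` above it records neither why these three services were chosen nor that new services are granted by default. Since the move into private/ presumably means this rule can now change without affecting anything outside the platform policy, it is a reasonable moment to replace the negated attribute with an explicit list of the services these apps actually need, or at least to make the TODO actionable, e.g. `# TODO: replace the negated attribute with an explicit allowlist; every new service_manager_type is findable here by default.` The same consideration applies to the `keystore_key` block, which grants operations such as `reset`, `clear_uid` and `user_changed` to every app in the system_app domain; a one-line comment naming the app that relies on each of these would let a later reviewer trim the set with confidence.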
@@ -1,78 +1,7 @@
-#
-# Apps that run with the system UID, e.g. com.android.system.ui,
-# com.android.settings. These are not as privileged as the system
-# server.
-#
-type system_app, domain, domain_deprecated;
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings. These are not as privileged as the system
+### server.
+###
-net_domain(system_app)
-binder_service(system_app)
-
-# Read and write /data/data subdirectory.
-allow system_app system_app_data_file:dir create_dir_perms;
-allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
-
-# Read and write to /data/misc/user.
-allow system_app misc_user_data_file:dir create_dir_perms;
-allow system_app misc_user_data_file:file create_file_perms;
-
-# Access to vold-mounted storage for measuring free space
-allow system_app mnt_media_rw_file:dir search;
-
-# Read wallpaper file.
-allow system_app wallpaper_file:file r_file_perms;
-
-# Read icon file.
-allow system_app icon_file:file r_file_perms;
-
-# Write to properties
-set_prop(system_app, bluetooth_prop)
-set_prop(system_app, debug_prop)
-set_prop(system_app, system_prop)
-set_prop(system_app, logd_prop)
-set_prop(system_app, net_radio_prop)
-set_prop(system_app, system_radio_prop)
-set_prop(system_app, log_tag_prop)
-userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
-auditallow system_app net_radio_prop:property_service set;
-auditallow system_app system_radio_prop:property_service set;
-
-# ctl interface
-set_prop(system_app, ctl_default_prop)
-set_prop(system_app, ctl_bugreport_prop)
-
-# Create /data/anr/traces.txt.
-allow system_app anr_data_file:dir ra_dir_perms;
-allow system_app anr_data_file:file create_file_perms;
-
-# Settings need to access app name and icon from asec
-allow system_app asec_apk_file:file r_file_perms;
-
-allow system_app servicemanager:service_manager list;
-# TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service }:service_manager find;
-
-allow system_app keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- user_changed
-};
-
-# /sys access
-r_dir_file(system_app, sysfs_type)
-
-control_logd(system_app)
+type system_app, domain;