diff --git a/app.te b/app.te
index 0866e95488cfd12f4619cf9b270ffd8db2c38e57..df0f5df35d72a42e7f5dfbd1162621d954024947 100644
--- a/app.te
+++ b/app.te
@@ -8,6 +8,7 @@
 #
 type platform_app, domain;
 app_domain(platform_app)
+platform_app_domain(platform_app)
 # Access the network.
 net_domain(platform_app)
 # Access bluetooth.
@@ -30,6 +31,7 @@ allow platform_app apk_tmp_file:file rw_file_perms;
 # Apps signed with the media key.
 type media_app, domain;
 app_domain(media_app)
+platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
 # Read logs.
@@ -45,9 +47,11 @@ allow media_app sdcard:file create_file_perms;
 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
 allow media_app qtaguid_proc:file rw_file_perms;
 allow media_app qtaguid_device:chr_file r_file_perms;
+
 # Apps signed with the shared key.
 type shared_app, domain;
 app_domain(shared_app)
+platform_app_domain(shared_app)
 # Access the network.
 net_domain(shared_app)
 # Access bluetooth.
@@ -58,6 +62,7 @@ allow shared_app log_device:chr_file read;
 # Apps signed with the release key (testkey in AOSP).
 type release_app, domain;
 app_domain(release_app)
+platform_app_domain(release_app)
 # Access the network.
 net_domain(release_app)
 # Access bluetooth.
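Review bot: release_app is selected by the release key, which the comment above says is the testkey in AOSP, and the added `platform_app_domain(release_app)` now makes that domain an MLS-trusted subject through the macro in te_macros. On a build that still ships with the published test key, any package signed with it would enter a domain with that exemption and with the shared `platform_app_data_file` type. I would add a comment such as `# NOTE: relies on the release key being private; on testkey builds any testkey-signed app enters this domain`, or leave release_app out of the platform group. The same one-line addition in the platform_app, media_app and shared_app hunks needs no further change.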
@@ -70,9 +75,18 @@ allow release_app log_device:chr_file read;
 # A domain for com.android.browser.
 type browser_app, domain;
 app_domain(browser_app)
+platform_app_domain(browser_app)
 # Access the network.
 net_domain(browser_app)
 
+#
+# Rules for platform app domains.
+#
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir create_dir_perms;
+allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+
 #
 # Untrusted apps.
 #
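Review bot: The new `platformappdomain` rules give every member create and write access to every other member's sandbox files, and `platform_app_domain(browser_app)` puts the browser, which parses web content, in that group. With a single `platform_app_data_file` type, type enforcement cannot tell the browser's data from that of platform_app or media_app, so separation between them rests on Unix permissions alone. Consider keeping browser_app on its own data type, or state the intended sharing in the comment, e.g. `# All platform app domains share one sandbox type; isolation between them is by UID (DAC) only.`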
@@ -132,6 +146,9 @@ allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
 allow appdomain app_data_file:dir create_dir_perms;
 allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 
+# Read/write data files created by the platform apps.
+allow appdomain platform_app_data_file:file rw_file_perms;
+
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
 
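Review bot: `allow appdomain platform_app_data_file:file rw_file_perms;` applies to every app domain, including untrusted_app, and the comment does not say why third-party apps need write access to platform app data. No matching `dir` rule is added for appdomain, which suggests the intent is access to already-open descriptors handed over by a platform app. If so, say that in the comment and grant only what it needs, e.g. `allow appdomain platform_app_data_file:file { getattr read write };`. As I understand the usual definition of `rw_file_perms`, it also carries `open`, which descriptor passing does not require; this is worth confirming against the macro definitions.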
diff --git a/attributes b/attributes
index 1016ec65dc598a47ef4f782099d49868e6b48081..ef4a1708e75ba011e9e35c8b78927010a40b029a 100644
--- a/attributes
+++ b/attributes
@@ -58,3 +58,6 @@ attribute bluetoothdomain;
 
 # All domains used for binder service domains.
 attribute binderservicedomain;
+
+# Allow domains used for platform (signed by build key) apps.
+attribute platformappdomain;
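Review bot: The new comment reads `Allow domains used for …` while the neighbouring entry uses `All domains used for …`, so this looks like a typo. It also says `signed by build key`, but the attribute is applied to the media, shared and release key domains as well as platform. Suggest `# All domains used for apps signed with a build key (platform, shared, media, release).`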
diff --git a/file.te b/file.te
index 9af8ca52653de448e0f365c4e1b0ae8dd2f115fb..132f9ea7952433709e9944bf325c2900ff9ec024 100644
--- a/file.te
+++ b/file.te
@@ -51,6 +51,7 @@ type nfc_data_file, file_type, data_file_type;
 type camera_calibration_file, file_type, data_file_type;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
+type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
 # Default type for anything under /cache
 type cache_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
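Review bot: The new `platform_app_data_file` type has no comment of its own and simply follows the `/data/data subdirectories - app sandboxes` comment written for app_data_file, yet it differs by carrying `mlstrustedobject`. That attribute exempts these files from MLS level checks, so it deserves an explicit line such as `# Sandboxes of platform-signed apps; exempt from MLS checks (TE and DAC still apply).`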
diff --git a/seapp_contexts b/seapp_contexts
index 502206a7b777d14faf5f37ada38b2417adb22700..088937bf6ce5b5266e3704cb5caaa50d4de7be58 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -33,8 +33,8 @@ user=system domain=system_app type=system_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
 user=app_* domain=untrusted_app type=app_data_file levelFromUid=true
-user=app_* seinfo=platform domain=platform_app levelFromUid=true
-user=app_* seinfo=shared domain=shared_app levelFromUid=true
-user=app_* seinfo=media domain=media_app levelFromUid=true
-user=app_* seinfo=release domain=release_app levelFromUid=true
-user=app_* seinfo=release name=com.android.browser domain=browser_app levelFromUid=true
+user=app_* seinfo=platform domain=platform_app type=platform_app_data_file
+user=app_* seinfo=shared domain=shared_app type=platform_app_data_file
+user=app_* seinfo=media domain=media_app type=platform_app_data_file
+user=app_* seinfo=release domain=release_app type=platform_app_data_file
+user=app_* seinfo=release name=com.android.browser domain=browser_app type=platform_app_data_file
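Review bot: Dropping `levelFromUid=true` from the five seinfo entries means these processes no longer run with a per-UID category, while the untrusted_app entry above keeps it. Their data directories also lose the per-UID level, so between platform-signed apps MLS contributes nothing, and the single shared type leaves Unix permissions as the only separation. The file records no reason for the change. A comment above the block, e.g. `# Platform-signed apps run without per-UID levels so their files can be shared with apps at any level`, would make the trade-off visible to the next reader.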
diff --git a/te_macros b/te_macros
index 9146e220b074a77f1547b58dedf227b3623effef..6354496ad7abf546efde2a96e850fcaae1717502 100644
--- a/te_macros
+++ b/te_macros
@@ -108,6 +108,14 @@ typeattribute $1 appdomain;
 tmpfs_domain($1)
 ')
 
+#####################################
+# platform_app_domain(domain)
+# Allow permissions specific to platform apps.
+define(`platform_app_domain', `
+typeattribute $1 platformappdomain;
+typeattribute $1 mlstrustedsubject;
+')
+
 #####################################
 # net_domain(domain)
 # Allow a base set of permissions required for network access.
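Review bot: The header says only `Allow permissions specific to platform apps`, but the macro's second line, `typeattribute $1 mlstrustedsubject;`, exempts the domain from MLS constraints, which is a much larger grant than attribute membership. Since app_domain already adds these domains to appdomain, and appdomain holds create permissions on `app_data_file`, the exemption presumably lets a platform domain pass the MAC checks on any app's sandbox files, leaving only DAC. Please state this in the header, e.g. `# Also marks the domain MLS-trusted: level checks no longer apply to it.` Writing the `mlstrustedsubject` line explicitly in app.te for each domain that needs it would be easier to audit than carrying it inside the macro.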