diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index c64c866182a6999b6d1ddbf1fad63062e634b343..1f2d82348042b17d0b5cc494899193b0608523a9 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -33,7 +33,11 @@
     thermalserviced_tmpfs
     timezone_service
     tombstoned_java_trace_socket
-    vold_service))
+    vold_service
+    wpantund
+    wpantund_exec
+    wpantund_service
+    wpantund_tmpfs))
 
 ;; private_objects - a collection of types that were labeled differently in
 ;;     older policy, but that should not remain accessible to vendor policy.
diff --git a/private/file_contexts b/private/file_contexts
index ffc601cc5cff7489d7ac6bac2e20bf014a33eac8..0752a3daa0afaf9f14a233ede8a059187978f5f7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -260,6 +260,7 @@
 /system/bin/thermalserviced      u:object_r:thermalserviced_exec:s0
 /system/bin/webview_zygote32     u:object_r:webview_zygote_exec:s0
 /system/bin/webview_zygote64     u:object_r:webview_zygote_exec:s0
+/system/bin/wpantund             u:object_r:wpantund_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
 /system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil       u:object_r:sepolicy_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index 109587e2875d6dcb50b9748c085aef0f74b70c33..62bc129eb92b01ff176d73bd599406ac7dd4526b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -180,6 +180,7 @@ binder_call(system_server, incidentd)
 binder_call(system_server, netd)
 binder_call(system_server, vold)
 binder_call(system_server, wificond)
+binder_call(system_server, wpantund)
 binder_service(system_server)
 
 # Use HALs
diff --git a/private/wpantund.te b/private/wpantund.te
new file mode 100644
index 0000000000000000000000000000000000000000..e91662cb7f8712267d1843f0c8711925f698ca04
--- /dev/null
+++ b/private/wpantund.te
@@ -0,0 +1,3 @@
+typeattribute wpantund coredomain;
+
+init_daemon_domain(wpantund)
diff --git a/public/service.te b/public/service.te
index 068ea4e78b09b3cf8262cd0a891e72e33daaf6ed..fe26020d9d3b55386c616c61f64fbcef074feda2 100644
--- a/public/service.te
+++ b/public/service.te
@@ -150,3 +150,4 @@ type wifi_service, app_api_service, system_server_service, service_manager_type;
 type wificond_service, service_manager_type;
 type wifiaware_service, app_api_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
+type wpantund_service, system_api_service, service_manager_type;
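Review bot: `wpantund_service` is declared here as a `system_api_service, service_manager_type`, but no rule in this change grants any domain `wpantund_service:service_manager add`, and the only service rule given to the wpantund domain (in the public/wpantund.te hunk) is `find` on `lowpan_service`, a type this change does not declare. Unless both are covered by another change, the new type is unused and the daemon cannot register anything under it; if wpantund is meant to host it, `allow wpantund wpantund_service:service_manager add;` belongs next to the find rule. Leaving out `system_server_service` also signals that this service is not hosted by system_server, which is unusual enough in this file to deserve a one-line comment such as `# wpantund_service is registered by the wpantund daemon, not system_server`.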
diff --git a/public/wpantund.te b/public/wpantund.te
new file mode 100644
index 0000000000000000000000000000000000000000..2993e6d6e8b832c344d2600de8a8b8f5c2a11d6b
--- /dev/null
+++ b/public/wpantund.te
@@ -0,0 +1,22 @@
+type wpantund, domain;
+type wpantund_exec, exec_type, file_type;
+
+hal_client_domain(wpantund, hal_lowpan)
+net_domain(wpantund)
+
+binder_use(wpantund)
+binder_call(wpantund, system_server)
+
+# wpantund needs to be able to check in with the lowpan_service
+allow wpantund lowpan_service:service_manager find;
+
+# create sockets to set interfaces up and down, add multicast groups, etc.
+allow wpantund self:udp_socket create_socket_perms;
+
+# setting interface state up/down and changing MTU are privileged ioctls
+allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
+
+# Allow us to bring up a TUN network interface.
+allow wpantund tun_device:chr_file rw_file_perms;
+allow wpantund self:capability { net_admin net_raw };
+allow wpantund self:tun_socket create;
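Review bot: `allow wpantund self:capability { net_admin net_raw };` grants CAP_NET_RAW, but nothing in this file allows a socket class that needs it (no `rawip_socket` or `packet_socket` permission is given), so it is either unused or relied on by something not visible here; it should be dropped or justified with a comment like `# net_raw: <operation that requires it>`. The comment above that line only mentions the TUN interface, while `net_admin` is also what the SIOCSIFFLAGS/SIOCSIFMTU ioctls permitted by the `allowxperm` rule require, so a comment of the form `# net_admin: interface up/down, MTU and TUN setup` on its own line makes the least-privilege rationale reviewable. `lowpan_service`, used in the `find` rule, is not declared anywhere in this change; if it is introduced by a separate change this is fine, otherwise the policy build will fail on the undefined type. The explicit `allow wpantund self:udp_socket create_socket_perms;` may duplicate what `net_domain()` already grants through the netdomain attribute (depends on the rules in net.te, not visible here), in which case only the `allowxperm` for the two privileged ioctls is actually adding anything.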