diff --git a/attributes b/attributes
index af9af8e92354591c618ba763e150a0de5fb84b5a..f35c83fec3a783920881ba5658e233e42415814d 100644
--- a/attributes
+++ b/attributes
@@ -44,6 +44,13 @@ attribute property_type;
 
 # All service_manager types formerly given system_server_service type
 attribute tmp_system_server_service;
+attribute system_server_service;
+
+# services which should be available to all but isolated apps
+attribute app_api_service;
+
+# services which export only system_api
+attribute system_api_service;
 
 # All types used for services managed by service_manager.
 attribute service_manager_type;
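Review bot: The "all but isolated apps" contract for `app_api_service` exists only as a comment here; nothing in the visible hunks stops a later rule from granting it to the isolated app domain. A compile-time guard such as `neverallow isolated_app app_api_service:service_manager find;` would make the comment enforceable, assuming that domain is named `isolated_app` in this tree and the rule is placed with its policy. Separately, `attribute system_server_service;` has no comment of its own and reads as if the `tmp_system_server_service` comment above also covers it. A line such as `# system_server services that have been assigned their final class` would separate the two, if that is the intent.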
diff --git a/bluetooth.te b/bluetooth.te
index 7d81e098489ff6a4b2958d48ac84a35e978027b1..c670b176e161dbd04f1a64c179e416f87597bc7b 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -53,8 +53,9 @@ allow bluetooth bluetooth_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
 allow bluetooth surfaceflinger_service:service_manager find;
-allow bluetooth system_server_service:service_manager find;
 allow bluetooth tmp_system_server_service:service_manager find;
+allow bluetooth app_api_service:service_manager find;
+allow bluetooth system_api_service:service_manager find;
 
 service_manager_local_audit_domain(bluetooth)
 auditallow bluetooth {
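Review bot: The two added rules are appended after `tmp_system_server_service`, which breaks the alphabetical ordering by target type that the visible part of this list follows, and they repeat the same source, class and permission. They could be one rule at the alphabetical position, `allow bluetooth { app_api_service system_api_service }:service_manager find;`. The same applies to the matching hunks in nfc.te, platform_app.te, radio.te and system_app.te.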
diff --git a/drmserver.te b/drmserver.te
index e52d679ff61b27dcb1c469fd99c9dd2fd64cdfec..418ce397a85b857ac517a5368d8ac42a26d3d16e 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -50,7 +50,6 @@ allow drmserver oemfs:dir search;
 allow drmserver oemfs:file r_file_perms;
 
 allow drmserver drmserver_service:service_manager { add find };
-allow drmserver system_server_service:service_manager find;
 allow drmserver tmp_system_server_service:service_manager find;
 
 service_manager_local_audit_domain(drmserver)
diff --git a/mediaserver.te b/mediaserver.te
index 23abb0fb32c87f86bea6abe2233802763eb03422..77b54a392049986a87825a45b4d882c0b22b9e7b 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -80,7 +80,6 @@ allow mediaserver tee:unix_stream_socket connectto;
 
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
-allow mediaserver system_server_service:service_manager find;
 allow mediaserver surfaceflinger_service:service_manager find;
 allow mediaserver tmp_system_server_service:service_manager find;
 
diff --git a/nfc.te b/nfc.te
index de482f442710f7a3cc03efa6cdc25de6a7bafbe6..34e822894c2133e1d413ab99394bdf3247827c08 100644
--- a/nfc.te
+++ b/nfc.te
@@ -23,8 +23,9 @@ allow nfc mediaserver_service:service_manager find;
 allow nfc nfc_service:service_manager { add find };
 allow nfc radio_service:service_manager find;
 allow nfc surfaceflinger_service:service_manager find;
-allow nfc system_server_service:service_manager find;
 allow nfc tmp_system_server_service:service_manager find;
+allow nfc app_api_service:service_manager find;
+allow nfc system_api_service:service_manager find;
 
 service_manager_local_audit_domain(nfc)
 auditallow nfc {
diff --git a/platform_app.te b/platform_app.te
index 92ac5adfda8c3f802b778a4d768f00d4e82450e2..d16ea1baedd57e8756da222c77ff9d5a38c4dce3 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -32,8 +32,9 @@ allow platform_app drmserver_service:service_manager find;
 allow platform_app mediaserver_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
-allow platform_app system_server_service:service_manager find;
 allow platform_app tmp_system_server_service:service_manager find;
+allow platform_app app_api_service:service_manager find;
+allow platform_app system_api_service:service_manager find;
 
 service_manager_local_audit_domain(platform_app)
 auditallow platform_app {
diff --git a/radio.te b/radio.te
index 4ecf43ca77a23a2a8bacd8ee6009e51824bbb4ca..19a9aec019651683d8f7fb0e85bf58eb47307c00 100644
--- a/radio.te
+++ b/radio.te
@@ -34,8 +34,9 @@ allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
 allow radio radio_service:service_manager { add find };
 allow radio surfaceflinger_service:service_manager find;
-allow radio system_server_service:service_manager find;
 allow radio tmp_system_server_service:service_manager find;
+allow radio app_api_service:service_manager find;
+allow radio system_api_service:service_manager find;
 
 service_manager_local_audit_domain(radio)
 auditallow radio {
diff --git a/service.te b/service.te
index 156e534728b6e7649cd29df81884aaa45cc30b75..eafe163ca9053a6622a09b842f0073169985c26f 100644
--- a/service.te
+++ b/service.te
@@ -10,8 +10,6 @@ type radio_service,             service_manager_type;
 type surfaceflinger_service,    service_manager_type;
 type system_app_service,        service_manager_type;
 
-type system_server_service,     service_manager_type;
-
 # system_server_services broken down
 type accessibility_service, tmp_system_server_service, service_manager_type;
 type account_service, tmp_system_server_service, service_manager_type;
@@ -27,31 +25,31 @@ type battery_service, tmp_system_server_service, service_manager_type;
 type bluetooth_manager_service, tmp_system_server_service, service_manager_type;
 type clipboard_service, tmp_system_server_service, service_manager_type;
 type IMms_service, tmp_system_server_service, service_manager_type;
-type IProxyService_service, tmp_system_server_service, service_manager_type;
+type IProxyService_service, system_api_service, system_server_service, service_manager_type;
 type commontime_management_service, tmp_system_server_service, service_manager_type;
 type connectivity_service, tmp_system_server_service, service_manager_type;
-type consumer_ir_service, tmp_system_server_service, service_manager_type;
+type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
 type content_service, tmp_system_server_service, service_manager_type;
 type country_detector_service, tmp_system_server_service, service_manager_type;
-type cpuinfo_service, tmp_system_server_service, service_manager_type;
-type dbinfo_service, tmp_system_server_service, service_manager_type;
+type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type dbinfo_service, system_api_service, system_server_service, service_manager_type;
 type device_policy_service, tmp_system_server_service, service_manager_type;
 type deviceidle_service, tmp_system_server_service, service_manager_type;
-type devicestoragemonitor_service, tmp_system_server_service, service_manager_type;
+type devicestoragemonitor_service, system_server_service, service_manager_type;
 type diskstats_service, tmp_system_server_service, service_manager_type;
 type display_service, tmp_system_server_service, service_manager_type;
-type DockObserver_service, tmp_system_server_service, service_manager_type;
+type DockObserver_service, system_server_service, service_manager_type;
 type dreams_service, tmp_system_server_service, service_manager_type;
 type dropbox_service, tmp_system_server_service, service_manager_type;
 type ethernet_service, tmp_system_server_service, service_manager_type;
 type fingerprint_service, tmp_system_server_service, service_manager_type;
-type gfxinfo_service, tmp_system_server_service, service_manager_type;
+type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
 type graphicsstats_service, tmp_system_server_service, service_manager_type;
 type hardware_service, tmp_system_server_service, service_manager_type;
 type hdmi_control_service, tmp_system_server_service, service_manager_type;
 type input_method_service, tmp_system_server_service, service_manager_type;
 type input_service, tmp_system_server_service, service_manager_type;
-type imms_service, tmp_system_server_service, service_manager_type;
+type imms_service, app_api_service, system_server_service, service_manager_type;
 type jobscheduler_service, tmp_system_server_service, service_manager_type;
 type launcherapps_service, tmp_system_server_service, service_manager_type;
 type location_service, tmp_system_server_service, service_manager_type;
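Review bot: Each type moved out of `tmp_system_server_service` here stops matching the `tmp_system_server_service` find rule that drmserver, mediaserver, shared_relro and surfaceflinger keep as their only system_server grant in this commit, so those domains lose lookup of `consumer_ir_service`, `imms_service` and the others; the same holds for the later hunks in this file. `devicestoragemonitor_service`, `DockObserver_service` and `samplingprofiler_service` go further: they carry only `system_server_service`, which no domain touched by this diff may find any more. If that tightening is intended, a comment above the block would record it, e.g. `# types without app_api_service/system_api_service need an explicit system_server_service rule to be found`. A wrong classification surfaces as a service_manager find denial at runtime rather than a build error, so it is worth watching for those denials after the change lands.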
@@ -59,8 +57,8 @@ type lock_settings_service, tmp_system_server_service, service_manager_type;
 type media_projection_service, tmp_system_server_service, service_manager_type;
 type media_router_service, tmp_system_server_service, service_manager_type;
 type media_session_service, tmp_system_server_service, service_manager_type;
-type meminfo_service, tmp_system_server_service, service_manager_type;
-type midi_service, tmp_system_server_service, service_manager_type;
+type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type midi_service, app_api_service, system_server_service, service_manager_type;
 type mount_service, tmp_system_server_service, service_manager_type;
 type netpolicy_service, tmp_system_server_service, service_manager_type;
 type netstats_service, tmp_system_server_service, service_manager_type;
@@ -76,7 +74,7 @@ type processinfo_service, tmp_system_server_service, service_manager_type;
 type procstats_service, tmp_system_server_service, service_manager_type;
 type restrictions_service, tmp_system_server_service, service_manager_type;
 type rttmanager_service, tmp_system_server_service, service_manager_type;
-type samplingprofiler_service, tmp_system_server_service, service_manager_type;
+type samplingprofiler_service, system_server_service, service_manager_type;
 type scheduling_policy_service, tmp_system_server_service, service_manager_type;
 type search_service, tmp_system_server_service, service_manager_type;
 type sensorservice_service, tmp_system_server_service, service_manager_type;
@@ -86,8 +84,9 @@ type statusbar_service, tmp_system_server_service, service_manager_type;
 type task_service, tmp_system_server_service, service_manager_type;
 type registry_service, tmp_system_server_service, service_manager_type;
 type textservices_service, tmp_system_server_service, service_manager_type;
+type telecom_service, tmp_system_server_service, service_manager_type;
 type trust_service, tmp_system_server_service, service_manager_type;
-type tv_input_service, tmp_system_server_service, service_manager_type;
+type tv_input_service, app_api_service, system_server_service, service_manager_type;
 type uimode_service, tmp_system_server_service, service_manager_type;
 type updatelock_service, tmp_system_server_service, service_manager_type;
 type usagestats_service, tmp_system_server_service, service_manager_type;
@@ -98,6 +97,6 @@ type voiceinteraction_service, tmp_system_server_service, service_manager_type;
 type wallpaper_service, tmp_system_server_service, service_manager_type;
 type webviewupdate_service, tmp_system_server_service, service_manager_type;
 type wifip2p_service, tmp_system_server_service, service_manager_type;
-type wifiscanner_service, tmp_system_server_service, service_manager_type;
+type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
 type wifi_service, tmp_system_server_service, service_manager_type;
 type window_service, tmp_system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 223f99f57a39a8068ae8540b2871ba843d8febf6..322f34934a589fb0f478c1735cedd9ba70af9ad1 100644
--- a/service_contexts
+++ b/service_contexts
@@ -106,7 +106,7 @@ sip                                       u:object_r:radio_service:s0
 statusbar                                 u:object_r:statusbar_service:s0
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
 task                                      u:object_r:task_service:s0
-telecom                                   u:object_r:system_server_service:s0
+telecom                                   u:object_r:telecom_service:s0
 telephony.registry                        u:object_r:registry_service:s0
 textservices                              u:object_r:textservices_service:s0
 trust                                     u:object_r:trust_service:s0
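Review bot: Any entry still labelled `u:object_r:system_server_service:s0` becomes invalid with this commit, because `system_server_service` is now declared as an attribute and a security context needs a type in that position. This hunk fixes `telecom`, but entries outside the visible context lines, and any device-specific service_contexts merged with this file, cannot be checked from here. A search for the old label across all service_contexts inputs before merging would confirm none is left.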
diff --git a/shared_relro.te b/shared_relro.te
index 1a7e2d030b3297b3add68edfa8dfd7f64e2d6bdf..c97ab5ca14fa8656506ce8e43c12f41a379caf81 100644
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -10,7 +10,6 @@ allow shared_relro shared_relro_file:dir rw_dir_perms;
 allow shared_relro shared_relro_file:file create_file_perms;
 
 # Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro system_server_service:service_manager find;
 allow shared_relro tmp_system_server_service:service_manager find;
 
 service_manager_local_audit_domain(shared_relro)
diff --git a/surfaceflinger.te b/surfaceflinger.te
index a6ba5d966559d287cb5602e734b419f615592ef9..007be9624c95ae6b6ee1554c86ffd790bc79d3d2 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -61,7 +61,6 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
 # media.player service
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger surfaceflinger_service:service_manager { add find };
-allow surfaceflinger system_server_service:service_manager find;
 allow surfaceflinger tmp_system_server_service:service_manager find;
 
 service_manager_local_audit_domain(surfaceflinger)
diff --git a/system_app.te b/system_app.te
index 6740dcda6977f683cea8ae623462a0482baa708d..6e91dd0ea20ba58a095bf913d9dd5c6565af5b72 100644
--- a/system_app.te
+++ b/system_app.te
@@ -53,8 +53,9 @@ allow system_app nfc_service:service_manager find;
 allow system_app radio_service:service_manager find;
 allow system_app surfaceflinger_service:service_manager find;
 allow system_app system_app_service:service_manager add;
-allow system_app system_server_service:service_manager find;
 allow system_app tmp_system_server_service:service_manager find;
+allow system_app app_api_service:service_manager find;
+allow system_app system_api_service:service_manager find;
 
 service_manager_local_audit_domain(system_app)
 auditallow system_app {
diff --git a/untrusted_app.te b/untrusted_app.te
index a93885a7876b3f16eff0c82d4aa30beecbaa291e..b090fe468704b5d5b6548cc5ef7d72007625cf76 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -81,8 +81,11 @@ allow untrusted_app mediaserver_service:service_manager find;
 allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
-allow untrusted_app system_server_service:service_manager find;
 allow untrusted_app tmp_system_server_service:service_manager find;
+allow untrusted_app app_api_service:service_manager find;
+
+# TODO: remove this once priv-apps are no longer running in untrusted_app
+allow untrusted_app system_api_service:service_manager find;
 
 service_manager_local_audit_domain(untrusted_app)
 auditallow untrusted_app {
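Review bot: The `system_api_service` rule gives every process in `untrusted_app`, not only the priv-apps the TODO mentions, SELinux permission to look up the system-API-only services, so each service's own permission checks are the only remaining gate. This does not appear to widen access relative to the old `tmp_system_server_service` grant, but the TODO carries no tracking reference and is easy to lose; something like `# TODO(b/<bug-id placeholder>): remove once priv-apps no longer run in untrusted_app` would tie it to the work that unblocks it. The auditallow block that follows continues outside the hunk, so whether lookups through this rule are logged cannot be seen here. If they are not, `auditallow untrusted_app system_api_service:service_manager find;` would show which apps actually depend on it before the rule is removed.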