diff --git a/seapp_contexts b/seapp_contexts
index 26d0c8f3780c6d5c66b054bfb91a457b21f1075f..2d00dda2e2feeab3961fb5a1dfd389b93a7e5635 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -1,5 +1,6 @@
 # Input selectors:
 # isSystemServer (boolean)
+# isOwner (boolean)
 # user (string)
 # seinfo (string)
 # name (string)
@@ -7,6 +8,9 @@
 # sebool (string)
 # isSystemServer=true can only be used once.
 # An unspecified isSystemServer defaults to false.
+# isOwner=true will only match for the owner/primary user.
+# isOwner=false will only match for secondary users.
+# If unspecified, the entry can match either case.
 # An unspecified string selector will match any value.
 # A user string selector that ends in * will perform a prefix match.
 # user=_app will match any regular app UID.
@@ -16,13 +20,14 @@
 #
 # Precedence rules:
 # (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified user= string before unspecified user= string.
-# (3) Fixed user= string before user= prefix (i.e. ending in *).
-# (4) Longer user= prefix before shorter user= prefix.
-# (5) Specified seinfo= string before unspecified seinfo= string.
-# (6) Specified name= string before unspecified name= string.
-# (7) Specified path= string before unspecified path= string.
-# (8) Specified sebool= string before unspecified sebool= string.
+# (2) Specified isOwner= before unspecified isOwner= boolean.
+# (3) Specified user= string before unspecified user= string.
+# (4) Fixed user= string before user= prefix (i.e. ending in *).
+# (5) Longer user= prefix before shorter user= prefix.
+# (6) Specified seinfo= string before unspecified seinfo= string.
+# (7) Specified name= string before unspecified name= string.
+# (8) Specified path= string before unspecified path= string.
+# (9) Specified sebool= string before unspecified sebool= string.
 #
 # Outputs:
 # domain (string)
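Review bot: Precedence rule (2) in the third hunk ranks a specified isOwner= above every user= rule, so, as documented, an entry that sets only `isOwner=false` is considered before an entry with a fixed `user=` string and no isOwner=. If the first matching entry decides the domain (the usual reading of these precedence rules, not shown in these hunks), a broad isOwner= entry could override more specific per-user labelling for secondary users. I would add a line after the new selector text in the second hunk, `# Because isOwner= is ranked before user=, combine it with user= unless the entry is meant to apply to every UID.` The new comment also does not say how "owner/primary user" is determined for a process, which a policy author needs in order to reason about what isOwner=false will match.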
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 39fe77e18c94ddcfc1958a9f467163c40ee1940b..af780a359927f7962e46e9a9357bea09286b7eca 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -157,6 +157,7 @@ static policy_info pol = {
 key_map rules[] = {
 /*Inputs*/
 { .name = "isSystemServer", .type = dt_bool, .dir = dir_in, .data = NULL },
+ { .name = "isOwner", .type = dt_bool, .dir = dir_in, .data = NULL },
 { .name = "user", .type = dt_string, .dir = dir_in, .data = NULL },
 { .name = "seinfo", .type = dt_string, .dir = dir_in, .data = NULL },
 { .name = "name", .type = dt_string, .dir = dir_in, .data = NULL },
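Review bot: The new `isOwner` row in `rules[]` only teaches the build-time checker to accept the key; nothing in the visible hunks shows the component that parses seapp_contexts at runtime being updated to match. If that parser lags behind, entries using isOwner= would pass check_seapp yet presumably be rejected or misapplied on the device, so the two changes should land together. A comment above the inputs would make the coupling explicit, e.g. `/* Inputs: keep in sync with the selector list in seapp_contexts and with the runtime parser */`. `rules[]` continues past the end of the hunk, so any ordering or duplicate handling for the new key cannot be checked from here.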