diff --git a/app.te b/app.te
index 242e5ab67436eb06c7cb007f4c2c7ba1294eae8b..7da44450fb2e69dcf052d375bcce2524ec1b0b8a 100644
--- a/app.te
+++ b/app.te
@@ -132,7 +132,6 @@ allow appdomain usbaccessory_device:chr_file { read write getattr };
 # Superuser capabilities.
 # bluetooth requires net_admin.
 neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
-neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
 neverallow { appdomain -unconfineddomain } self:capability2 *;
 
 # Block device access.
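Review bot: After this removal the `-bluetooth` exclusion on the remaining `neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;` line is explained only by the comment "bluetooth requires net_admin", while the rule that actually bounds bluetooth's capabilities now lives in another file. A reader auditing app.te for domains exempted from the capability neverallow has no pointer to where that exemption is constrained. Suggest extending the comment to `# bluetooth requires net_admin; its own capability neverallow lives in bluetooth.te.` so the exemption and its bound stay traceable together.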
diff --git a/bluetooth.te b/bluetooth.te
index 72263e3c5ebf8640da78eff9be8790c164db63f3..2403a5513d559d64dc4d286a2bc6685406cbc076 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,4 +1,50 @@
 # bluetooth subsystem
 type bluetooth, domain;
+permissive bluetooth;
 app_domain(bluetooth)
-unconfined_domain(bluetooth)
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+
+# bluetooth factory file accesses.
+r_dir_file(bluetooth, bluetooth_efs_file)
+
+# Device accesses.
+allow bluetooth { tun_device uhid_device hci_attach_dev input_device }:chr_file rw_file_perms;
+
+# Other domains that can create and use bluetooth sockets.
+# SELinux does not presently define a specific socket class for
+# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
+allow bluetoothdomain self:socket *;
+
+# sysfs access.
+allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow bluetooth self:capability net_admin;
+
+# Allow clients to use a socket provided by the bluetooth app.
+allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
+
+# tethering
+allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
+allow bluetooth efs_file:dir search;
+
+# Talk to init over the property socket.
+unix_socket_connect(bluetooth, property, init)
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# bluetooth file transfers
+allow bluetooth sdcard_internal:dir create_dir_perms;
+allow bluetooth sdcard_internal:file create_file_perms;
+
+###
+### Neverallow rules
+###
+### These are things that the bluetooth app should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin.
+neverallow bluetooth self:capability ~net_admin;
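Review bot: The new `permissive bluetooth;` line at the top of bluetooth.te means none of the allow rules added below are actually enforced at runtime — denials for this domain are logged but permitted — so the domain stays effectively unconfined even though `unconfined_domain(bluetooth)` was dropped, and nothing marks this as a transitional state. The `neverallow` rule at the end is still checked at policy compile time, so it does bound what a later allow rule may grant, but it does not restrict the running app while the domain is permissive. Suggest annotating the line, e.g. `# TODO: transitional; denials are only logged while permissive. Remove once the rules below are verified in enforcing mode.`, so the follow-up is not lost. Separately, `allow bluetoothdomain self:socket *;` grants every permission on the generic socket class; the comment explains why a dedicated class is unavailable, but a note on whether `bluetoothdomain` is declared elsewhere (it is not in this hunk) and what domains carry that attribute would help reviewers judge the scope of that wildcard.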