diff --git a/private/file_contexts b/private/file_contexts
index ccb441a74e556d5cd4ed24110d8ffb671fb788bd..ddaa5aeea7286376ce0459279210341bdbb5f93a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -202,6 +202,7 @@
 /system/xbin/su		u:object_r:su_exec:s0
 /system/xbin/perfprofd  u:object_r:perfprofd_exec:s0
 /system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
+/system/bin/healthd     u:object_r:healthd_exec:s0
 /system/bin/hostapd     u:object_r:hostapd_exec:s0
 /system/bin/clatd	u:object_r:clatd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
diff --git a/private/healthd.te b/private/healthd.te
new file mode 100644
index 0000000000000000000000000000000000000000..0214c59f819b7174ff8454177881740505c564cd
--- /dev/null
+++ b/private/healthd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(healthd)
diff --git a/private/init.te b/private/init.te
index c2354548b093d446c64dd53cc36219d4a6b48d5c..c0e3d5f7e0359ba82e72426fea2fac9fa0305167 100644
--- a/private/init.te
+++ b/private/init.te
@@ -4,7 +4,7 @@ tmpfs_domain(init)
 
 # Transitions to seclabel processes in init.rc
 domain_trans(init, rootfs, adbd)
-domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, charger)
 domain_trans(init, rootfs, slideshow)
 recovery_only(`
   domain_trans(init, rootfs, recovery)
diff --git a/public/charger.te b/public/charger.te
new file mode 100644
index 0000000000000000000000000000000000000000..4b20d1dd521477fac79936bd75cd104a9b3827fa
--- /dev/null
+++ b/public/charger.te
@@ -0,0 +1,41 @@
+# charger seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type charger, domain;
+
+# Write to /dev/kmsg
+allow charger kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charger, sysfs_type)
+r_dir_file(charger, rootfs)
+r_dir_file(charger, cgroup)
+
+allow charger self:capability { sys_tty_config };
+allow charger self:capability sys_boot;
+
+wakelock_use(charger)
+
+allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Write to /sys/power/state
+# TODO:  Split into a separate type?
+allow charger sysfs:file write;
+
+allow charger sysfs_batteryinfo:file r_file_perms;
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charger pstorefs:dir r_dir_perms;
+allow charger pstorefs:file r_file_perms;
+
+allow charger graphics_device:dir r_dir_perms;
+allow charger graphics_device:chr_file rw_file_perms;
+allow charger input_device:dir r_dir_perms;
+allow charger input_device:chr_file r_file_perms;
+allow charger tty_device:chr_file rw_file_perms;
+allow charger proc_sysrq:file rw_file_perms;
+
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger, system_prop)
diff --git a/public/healthd.te b/public/healthd.te
index 0bf92c88820f8433df47f3b0014c09dd672bb505..cbc5c46a6f298e675a3a29ccdc19ef7741377ef9 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -1,6 +1,6 @@
-# healthd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type healthd, domain, domain_deprecated;
+# healthd - battery/charger monitoring service daemon
+type healthd, domain;
+type healthd_exec, exec_type, file_type;
 
 # Write to /dev/kmsg
 allow healthd kmsg_device:chr_file rw_file_perms;
@@ -8,48 +8,20 @@ allow healthd kmsg_device:chr_file rw_file_perms;
 # Read access to pseudo filesystems.
 r_dir_file(healthd, sysfs_type)
 r_dir_file(healthd, rootfs)
+r_dir_file(healthd, cgroup)
 
 allow healthd self:capability { net_admin sys_tty_config };
+
 wakelock_use(healthd)
+
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
 binder_use(healthd)
 binder_service(healthd)
 binder_call(healthd, system_server)
 
-# Write to state file.
-# TODO:  Split into a separate type?
-allow healthd sysfs:file write;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow healthd sysfs_usb:file write;
-
 allow healthd sysfs_batteryinfo:file r_file_perms;
-
-r_dir_file(healthd, cgroup)
-r_dir_file(healthd, sysfs_type)
-
-###
-### healthd: charger mode
-###
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow healthd pstorefs:dir r_dir_perms;
-allow healthd pstorefs:file r_file_perms;
-
-allow healthd graphics_device:dir r_dir_perms;
-allow healthd graphics_device:chr_file rw_file_perms;
-allow healthd input_device:dir r_dir_perms;
-allow healthd input_device:chr_file r_file_perms;
-allow healthd tty_device:chr_file rw_file_perms;
-allow healthd ashmem_device:chr_file execute;
-allow healthd self:process execmem;
-allow healthd proc_sysrq:file rw_file_perms;
-allow healthd self:capability sys_boot;
-
 allow healthd batteryproperties_service:service_manager { add find };
 
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
+# healthd can fake the battery existense if ro.boot.fake_battery is set
+get_prop(healthd, system_prop)