diff --git a/private/seapp_contexts b/private/seapp_contexts
index 6efd59f769ec6cb16b84a901b2705e9cb38e7479..0333d996c52268a666c19388c3c4149c80bbcd5d 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -104,6 +104,7 @@ user=radio seinfo=platform domain=radio type=radio_data_file
 user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
+user=webview_zygote seinfo=webview_zygote domain=webview_zygote
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
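Review bot: The added `user=webview_zygote` entry is the only line in this block keyed on a dedicated user that carries neither `type=` nor `levelFrom=`, and nothing in the diff says why. If the webview_zygote process owns no data directory that is correct, but a reader comparing it with the `_isolated` and `_app` lines will read it as an omission; a comment above it, `# webview_zygote owns no data files, so no type= or levelFrom= is assigned.`, would settle that. It is also worth confirming that `seinfo=webview_zygote` is exactly the string the zygote passes when specializing this child, since no other rule here is keyed on this user and a mismatch would presumably leave the child with no matching context at all.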
diff --git a/private/system_server.te b/private/system_server.te
index 752dee7e02b3fa9fdf598351fad6412b1689cd3b..6e6212ebc8fc6ecd5fba52e694993dbf456ace76 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -36,6 +36,7 @@ allow system_server zygote:process sigchld;
 # May kill zygote on crashes.
 allow system_server zygote:process sigkill;
 allow system_server crash_dump:process sigkill;
+allow system_server webview_zygote:process sigkill;
 
 # Read /system/bin/app_process.
 allow system_server zygote_exec:file r_file_perms;
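Review bot: The added `sigkill` rule sits under the comment `# May kill zygote on crashes.`, which now under-describes the block, since the new line targets `webview_zygote` rather than `zygote`. I would widen it to `# May kill zygote (and the webview_zygote child it forks) on crashes.` so the rationale covers the new target. Whether system_server also needs the `sigchld` or other signal permissions it holds for zygote above is not shown here, so this is a request for the comment to match the rules, not for more permissions.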
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 9a3a7a35d129f60b5df398e4c97174ea5e983246..e0921127b0a6232c606134f0a3e747678f393320 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -61,6 +61,15 @@ selinux_check_access(webview_zygote)
 # Directory listing in /system.
 allow webview_zygote system_file:dir r_dir_perms;
 
+# Read system properties managed by zygote.
+allow webview_zygote zygote_tmpfs:file read;
+# Child of zygote.
+allow webview_zygote zygote:fd use;
+allow webview_zygote zygote:process sigchld;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(webview_zygote, vendor_overlay_file)
+
 #####
 ##### Neverallow
 #####
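Review bot: The comment `# Allow apps access to /vendor/overlay` above `r_dir_file(webview_zygote, vendor_overlay_file)` names the wrong subject; the rule grants read access to webview_zygote, not to apps, and looks lifted from the app policy. I would replace it with `# webview_zygote reads /vendor/overlay like zygote does, presumably to preload overlay resources before forking children; confirm the preload path needs it.` The `allow webview_zygote zygote:fd use;` line also deserves a caveat next to `# Child of zygote.`: every descriptor zygote still holds at fork time becomes usable in this domain, so the policy now relies on the zygote closing or whitelisting its fds before the setcon(), and a note saying so makes that dependency explicit.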
@@ -75,9 +84,10 @@ neverallow webview_zygote { domain -crash_dump }:process transition;
 # Having said that, exec() above is not allowed.
 neverallow webview_zygote *:file execute_no_trans;
 
-# The only way to enter this domain is for init to exec() us.
+# The only way to enter this domain is for init to exec() us or the zygote
+# to fork a new webview_zygote child.
 neverallow { domain -init } webview_zygote:process transition;
-neverallow * webview_zygote:process dyntransition;
+neverallow { domain -zygote } webview_zygote:process dyntransition;
 
 # Disallow write access to properties.
 neverallow webview_zygote property_socket:sock_file write;
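Review bot: The new comment says the zygote may `fork a new webview_zygote child`, but the rule beneath it relaxes only `dyntransition`, and the `execute_no_trans` neverallow a few lines above still forbids exec(); the mechanism is fork-then-setcon(), which the wording should state so nobody later tries to add an exec transition for the same purpose. Suggested text: `# The only way to enter this domain is for init to exec() us, or for the zygote to fork a child and setcon() into webview_zygote (dyntransition); exec() into it remains forbidden.` Exempting only `zygote` from the dyntransition neverallow is appropriately narrow; the remaining neverallow lines in this section appear unchanged.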
diff --git a/private/zygote.te b/private/zygote.te
index b59259106ba11bd1cd3ef50d81ca9f639e06eb5c..43364ab39039ea75bb004b88f22cb315954d3bbf 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -16,6 +16,7 @@ allow zygote self:global_capability_class_set setpcap;
 allow zygote self:process setcurrent;
 allow zygote system_server:process dyntransition;
 allow zygote appdomain:process dyntransition;
+allow zygote webview_zygote:process dyntransition;
 
 # Allow zygote to read app /proc/pid dirs (b/10455872).
 allow zygote appdomain:dir { getattr search };
@@ -121,8 +122,8 @@ get_prop(zygote, exported_overlay_prop)
 # written on appdomain are applied to all app processes.
 # This is achieved by ensuring that it is impossible for zygote to
 # setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server.
-neverallow zygote ~{ appdomain system_server }:process dyntransition;
+# with appdomain plus system_server and webview_zygote.
+neverallow zygote ~{ appdomain system_server webview_zygote }:process dyntransition;
 
 # Zygote should never execute anything from /data except for /data/dalvik-cache files.
 neverallow zygote {
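Review bot: The comment block above the updated neverallow still argues from `neverallow rules written on appdomain are applied to all app processes`, which no longer covers the new exemption: webview_zygote is not an appdomain type, so the guarantee that zygote-forked processes inherit the app neverallows now rests on webview_zygote carrying equivalent restrictions of its own (the execute_no_trans and transition neverallows in private/webview_zygote.te in this same diff). I would add after the updated sentence: `# webview_zygote is outside appdomain; its own neverallows (no exec, no transition except to crash_dump) are what keep this exemption from widening the app sandbox.` The comment block starts before this hunk and the `neverallow zygote {` statement at its end continues past it.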
diff --git a/public/domain.te b/public/domain.te
index 13e4ba9ef2e31344689caffecbf0ebeeba9fe0f8..11c743387c397eb271383171f898ef32fa0bd05f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -903,6 +903,7 @@ full_treble_only(`
         -init
         -installd
         -system_server
+        -webview_zygote
         -zygote
     } vendor_overlay_file:dir { getattr open read search };
 
@@ -913,6 +914,7 @@ full_treble_only(`
         -init
         -installd
         -system_server
+        -webview_zygote
         -zygote
     } vendor_overlay_file:{ file lnk_file } r_file_perms;