diff --git a/dhcp.te b/dhcp.te
index 2e5b3d4088b917636b63018d1348893199206ed3..32a6cccb147bb811663e2e02ba0ddcf9874ec24c 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -13,7 +13,7 @@ allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
 allow dhcp proc_net:file write;
-allow dhcp system_prop:property_service set ;
+allow dhcp dhcp_prop:property_service set;
 allow dhcp pan_result_prop:property_service set;
 unix_socket_connect(dhcp, property, init)
 
diff --git a/init.te b/init.te
index c781849e59bd4cd69d3005f4d699ab1b1b7c6d05..191c5706984409abe1f0c1dd06e05304be6fda46 100644
--- a/init.te
+++ b/init.te
@@ -86,6 +86,9 @@ allow init self:process { setexec setfscreate setsockcreate };
 allow init property_data_file:dir create_dir_perms;
 allow init property_data_file:file create_file_perms;
 
+# Set any property.
+allow init property_type:property_service set;
+
 # Run "ifup lo" to bring up the localhost interface
 allow init self:udp_socket { create ioctl };
 
diff --git a/netd.te b/netd.te
index 6fe1ad313ce38d8133ed5502d064846133961a28..b7c30eb15fc40bdb40d3e0fd7a091f6497da4edd 100644
--- a/netd.te
+++ b/netd.te
@@ -31,7 +31,9 @@ allow netd sysfs:file write;
 
 # Set dhcp lease for PAN connection
 unix_socket_connect(netd, property, init)
+allow netd dhcp_prop:property_service set;
 allow netd system_prop:property_service set;
+auditallow netd system_prop:property_service set;
 
 # Connect to PAN
 domain_auto_trans(netd, dhcp_exec, dhcp)
diff --git a/property.te b/property.te
index aa1c9a8f56ac55e62da10440300bd65c81109ed4..9d6f10612405b005e6aa04623a0dcd01d64e2f07 100644
--- a/property.te
+++ b/property.te
@@ -2,10 +2,12 @@ type default_prop, property_type;
 type shell_prop, property_type;
 type debug_prop, property_type;
 type debuggerd_prop, property_type;
+type dhcp_prop, property_type;
 type radio_prop, property_type;
+type net_radio_prop, property_type;
+type system_radio_prop, property_type;
 type system_prop, property_type;
 type vold_prop, property_type;
-type rild_prop, property_type;
 type ctl_bootanim_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_dhcp_pan_prop, property_type;
diff --git a/property_contexts b/property_contexts
index 76dcbc4d5df846ca75a702fc4fd173b517abcf87..48f7fae69d0bb00aa1ca3a78abfb16eef59bdc62 100644
--- a/property_contexts
+++ b/property_contexts
@@ -2,19 +2,17 @@
 # property service keys
 #
 #
-net.rmnet               u:object_r:radio_prop:s0
-net.gprs                u:object_r:radio_prop:s0
-net.ppp                 u:object_r:radio_prop:s0
-net.qmi                 u:object_r:radio_prop:s0
-net.lte                 u:object_r:radio_prop:s0
-net.cdma                u:object_r:radio_prop:s0
+net.rmnet               u:object_r:net_radio_prop:s0
+net.gprs                u:object_r:net_radio_prop:s0
+net.ppp                 u:object_r:net_radio_prop:s0
+net.qmi                 u:object_r:net_radio_prop:s0
+net.lte                 u:object_r:net_radio_prop:s0
+net.cdma                u:object_r:net_radio_prop:s0
+net.dns                 u:object_r:net_radio_prop:s0
+sys.usb.config          u:object_r:system_radio_prop:s0
+ril.                    u:object_r:radio_prop:s0
 gsm.                    u:object_r:radio_prop:s0
 persist.radio           u:object_r:radio_prop:s0
-net.dns                 u:object_r:radio_prop:s0
-sys.usb.config          u:object_r:radio_prop:s0
-
-ril.                    u:object_r:rild_prop:s0
-ril.cdma                u:object_r:radio_prop:s0
 
 net.                    u:object_r:system_prop:s0
 dev.                    u:object_r:system_prop:s0
@@ -24,7 +22,7 @@ sys.                    u:object_r:system_prop:s0
 sys.powerctl            u:object_r:powerctl_prop:s0
 service.                u:object_r:system_prop:s0
 wlan.                   u:object_r:system_prop:s0
-dhcp.                   u:object_r:system_prop:s0
+dhcp.                   u:object_r:dhcp_prop:s0
 dhcp.bt-pan.result      u:object_r:pan_result_prop:s0
 bluetooth.              u:object_r:bluetooth_prop:s0
 
diff --git a/radio.te b/radio.te
index 4f1df1ff791ee9a4baa94db348cc054813e5a855..d0018eac209daf5dab3fe238460d8fe447931417 100644
--- a/radio.te
+++ b/radio.te
@@ -19,6 +19,10 @@ allow radio alarm_device:chr_file rw_file_perms;
 
 # Property service
 allow radio radio_prop:property_service set;
+allow radio net_radio_prop:property_service set;
+allow radio system_radio_prop:property_service set;
+auditallow radio net_radio_prop:property_service set;
+auditallow radio system_radio_prop:property_service set;
 
 # ctl interface
 allow radio ctl_rildaemon_prop:property_service set;
diff --git a/recovery.te b/recovery.te
index 13c21c2fecf6d5ac7d4471bda0732237b98722ef..9ee3a040a38d4c44b3843ed6f9cbfc681eef3ab3 100644
--- a/recovery.te
+++ b/recovery.te
@@ -77,6 +77,9 @@ recovery_only(`
   allow recovery powerctl_prop:property_service set;
   unix_socket_connect(recovery, property, init)
 
+  # Start/stop adbd via ctl.start adbd
+  allow recovery ctl_default_prop:property_service set;
+
   # Use setfscreatecon() to label files for OTA updates.
   allow recovery self:process setfscreate;
 
diff --git a/rild.te b/rild.te
index f272862caafc0c7b8e0e93ff4260f2e1db6abdfe..d8e48d5e67f85148ab81f74391e377d2272ace4a 100644
--- a/rild.te
+++ b/rild.te
@@ -26,8 +26,11 @@ allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;
 
 # property service
-allow rild rild_prop:property_service set;
 allow rild radio_prop:property_service set;
+allow rild net_radio_prop:property_service set;
+allow rild system_radio_prop:property_service set;
+auditallow rild net_radio_prop:property_service set;
+auditallow rild system_radio_prop:property_service set;
 
 # Read/Write to uart driver (for GPS)
 allow rild gps_device:chr_file rw_file_perms;
diff --git a/system_app.te b/system_app.te
index 5b9f8a0745bf863abae699c6ccec0aff947541be..eb5fa9f4cef031e648e657b8678a1bf550ca6ed2 100644
--- a/system_app.te
+++ b/system_app.te
@@ -30,7 +30,10 @@ allow system_app dalvikcache_data_file:file { write setattr };
 # Write to properties
 unix_socket_connect(system_app, property, init)
 allow system_app debug_prop:property_service set;
-allow system_app radio_prop:property_service set;
+allow system_app net_radio_prop:property_service set;
+allow system_app system_radio_prop:property_service set;
+auditallow system_app net_radio_prop:property_service set;
+auditallow system_app system_radio_prop:property_service set;
 allow system_app system_prop:property_service set;
 allow system_app ctl_bugreport_prop:property_service set;
 allow system_app logd_prop:property_service set;
diff --git a/system_server.te b/system_server.te
index 236f4c4d6b9f0c0f117bc4940059f402336862c1..619e5f906bd8c8c7333cce0c3af271e70f5a85a1 100644
--- a/system_server.te
+++ b/system_server.te
@@ -271,7 +271,9 @@ allow system_server anr_data_file:dir relabelto;
 
 # Property Service write
 allow system_server system_prop:property_service set;
-allow system_server radio_prop:property_service set;
+allow system_server dhcp_prop:property_service set;
+allow system_server net_radio_prop:property_service set;
+allow system_server system_radio_prop:property_service set;
 allow system_server debug_prop:property_service set;
 allow system_server powerctl_prop:property_service set;
 
diff --git a/unconfined.te b/unconfined.te
index b3e374dc1c760f42e868bc09c6c6cbf91b8abb34..6b64fb95e68a3d195827412a51dbf0c3535077ce 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -109,4 +109,3 @@ allow unconfineddomain node_type:node *;
 allow unconfineddomain netif_type:netif *;
 allow unconfineddomain domain:peer recv;
 allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
-allow unconfineddomain { property_type -security_prop }:property_service set;