diff --git a/app.te b/app.te
index 37f2bc2ee00f6c685b361184dc0c85b15f27a7ca..a91d75aa16de07c77c18c4ec1610d159d9509117 100644
--- a/app.te
+++ b/app.te
@@ -405,6 +405,5 @@ neverallow appdomain {
   dev_type
   rootfs
   system_file
-  security_file
   tmpfs
 }:lnk_file no_w_file_perms;
diff --git a/debuggerd.te b/debuggerd.te
index 127b793ece0136a3a3e458555cbe8ceda9a77312..04dcb797beef85c8c2477fa23dba727704a91f35 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -10,7 +10,6 @@ allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:lnk_file read;
 allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr };
-security_access_policy(debuggerd)
 allow debuggerd tombstone_data_file:dir rw_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd shared_relro_file:dir r_dir_perms;
diff --git a/domain.te b/domain.te
index c876c845112a42d0c826c47ed887bbfd5257814c..5d5f7a28e3cdb805f018042590af775780cb7ee1 100644
--- a/domain.te
+++ b/domain.te
@@ -176,28 +176,12 @@ neverallow * self:capability2 mac_override;
 # Only recovery needs mac_admin to set contexts not defined in current policy.
 neverallow { domain -recovery } self:capability2 mac_admin;
 
-# Only init should be able to load SELinux policies.
-# The first load technically occurs while still in the kernel domain,
-# but this does not trigger a denial since there is no policy yet.
-# Policy reload requires allowing this to the init domain.
-neverallow { domain -init } kernel:security load_policy;
-
-# Only init and the system_server can set selinux.reload_policy 1
-# to trigger a policy reload.
-neverallow { domain -init -system_server } security_prop:property_service set;
+# Once the policy has been loaded there shall be none to modify the policy.
+# It is sealed.
+neverallow * kernel:security load_policy;
 
-# Only init and system_server can write to /data/security, where runtime
-# policy updates live.
-# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
-neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
-# Only init and system_server can create/setattr directories with this type.
-# init is for init.rc mkdir /data/security.
-# system_server is for creating subdirectories under /data/security.
-neverallow { domain -init -system_server } security_file:dir { create setattr };
-# Only system_server can create subdirectories and files under /data/security.
-neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
-neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
-neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
+# Only init and the system_server shall use the property_service.
+neverallow { domain -init -system_server } security_prop:property_service set;
 
 # Only init prior to switching context should be able to set enforcing mode.
 # init starts in kernel domain and switches to init domain via setcon in
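Review bot: The new comment `# Only init and the system_server shall use the property_service.` overstates what the rule below it enforces, because `neverallow { domain -init -system_server } security_prop:property_service set;` only restricts setting properties labeled `security_prop`, not use of the property service in general. I would reword it to `# Only init and system_server may set properties labeled security_prop.`. The removed comment tied this property to `selinux.reload_policy`; now that `neverallow * kernel:security load_policy;` rules out any reload, the comment should say why system_server is still exempted, or the exemption should be tightened if nothing sets the property any more (this diff does not show which). The comment on the load_policy rule could also keep the removed explanation of why the first load, performed while still in the kernel domain, needs no allow rule.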
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 4da7a31906ea9b2082847eb23395208338565ca4..88b62bd57fbe120ce631dec72efb863d19b2ca72 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -64,11 +64,6 @@ r_dir_file(domain_deprecated, proc_net)
 allow domain_deprecated selinuxfs:dir r_dir_perms;
 allow domain_deprecated selinuxfs:file r_file_perms;
 
-# /data/security files
-allow domain_deprecated security_file:dir { search getattr };
-allow domain_deprecated security_file:file getattr;
-allow domain_deprecated security_file:lnk_file r_file_perms;
-
 # World readable asec image contents
 allow domain_deprecated asec_public_file:file r_file_perms;
 allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
diff --git a/file.te b/file.te
index a2963a5da3cfccbe4b4266c016d761b3505368d2..2dcce5a470c744f3b6cd066df1f4ce2ab71cd92a 100644
--- a/file.te
+++ b/file.te
@@ -168,8 +168,6 @@ type asec_public_file, file_type, data_file_type;
 type asec_image_file, file_type, data_file_type;
 # /data/backup and /data/secure/backup
 type backup_data_file, file_type, data_file_type, mlstrustedobject;
-# For /data/security
-type security_file, file_type;
 # All devices have bluetooth efs files. But they
 # vary per device, so this type is used in per
 # device policy
diff --git a/file_contexts b/file_contexts
index d98f25d7797ea26e2758986db144797ff9d25f26..c06fcbd034aedac92ba98eaed67835149d3f4888 100644
--- a/file_contexts
+++ b/file_contexts
@@ -229,7 +229,6 @@
 /data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
 /data/secure/backup(/.*)?	u:object_r:backup_data_file:s0
-/data/security(/.*)?	u:object_r:security_file:s0
 /data/system/ndebugsocket	u:object_r:system_ndebug_socket:s0
 /data/drm(/.*)?		u:object_r:drm_data_file:s0
 /data/gps(/.*)?		u:object_r:gps_data_file:s0
diff --git a/init.te b/init.te
index 047ea73d8ea8fa7bde1109d71122e9eaf0a909e7..2d070dea231bcc47d98a338c7e9d5e64457e08be 100644
--- a/init.te
+++ b/init.te
@@ -99,10 +99,10 @@ allow init rootfs:{ dir file } relabelfrom;
 # we just allow all file types except /system files here.
 allow init self:capability { chown fowner fsetid };
 allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
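Review bot: Nothing in this diff covers devices that already have a `/data/security` tree labeled `u:object_r:security_file:s0`; dropping `-security_file` from the four `allow init` sets here is forced by the type's removal in file.te, but the on-disk label outlives the policy. After the update that label is no longer defined, so those inodes would presumably be treated as unlabeled until something relabels or deletes them. It would help to confirm that the upgrade path (for example init's `restorecon_recursive /data`, or an explicit cleanup) handles this, and to say so in the commit message. Stale runtime policy files left there should be inert once nothing reads them, but that depends on userspace changes outside this diff.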
@@ -123,15 +123,6 @@ allow init { dev_type -kmem_device }:chr_file { read open setattr };
 allow init unlabeled:dir { create_dir_perms relabelfrom };
 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 
-# Create /data/security from init.rc post-fs-data.
-allow init security_file:dir { create setattr };
-
-# Reload policy upon setprop selinux.reload_policy 1.
-# Note: this requires the following allow rule
-#   allow init kernel:security load_policy;
-# which can be configured on a device-by-device basis if needed.
-r_dir_file(init, security_file)
-
 # Any operation that can modify the kernel ring buffer, e.g. clear
 # or a read that consumes the messages that were read.
 allow init kernel:system syslog_mod;
diff --git a/installd.te b/installd.te
index 21cd4f0b3212f72d3cc0d22d66b7d5d9628c90c5..1f83501b4c241d44c9072f046d319be0fb229b33 100644
--- a/installd.te
+++ b/installd.te
@@ -24,8 +24,6 @@ allow installd cgroup:dir create_dir_perms;
 allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(installd)
 
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;
diff --git a/runas.te b/runas.te
index 4fa686a2fd40337a88baa14269e1d9bbb88e2aa4..58a1bdc1b3a00c0df6e00736a81a500924bf87e9 100644
--- a/runas.te
+++ b/runas.te
@@ -20,8 +20,6 @@ allow runas app_data_file:dir { getattr search };
 allow runas self:capability { setuid setgid };
 
 # run-as switches to the app security context.
-# read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(runas)
 selinux_check_context(runas) # validate context
 allow runas self:process setcurrent;
 allow runas non_system_app_set:process dyntransition; # setcon
diff --git a/system_server.te b/system_server.te
index 8f794e1dfed7851d1d2dc68d7028bba4d5b463ef..f03959e3e0cde411a9eb5aacfb89969e3c1237af 100644
--- a/system_server.te
+++ b/system_server.te
@@ -266,9 +266,6 @@ allow system_server { system_app_data_file bluetooth_data_file nfc_data_file rad
 # Receive and use open /data/media files passed over binder IPC.
 allow system_server media_rw_data_file:file { getattr read write };
 
-# Read /file_contexts and /data/security/file_contexts
-security_access_policy(system_server)
-
 # Relabel apk files.
 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
diff --git a/te_macros b/te_macros
index 4d18973f4e0b6885475880d6b19d2f9c7858a60b..84af301eb022db894fcbf41dd2cc5163690d13ba 100644
--- a/te_macros
+++ b/te_macros
@@ -248,27 +248,6 @@ allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setbool;
 ')
 
-#####################################
-# security_access_policy(domain)
-# Read only access to all policy files and
-# selinuxfs
-define(`security_access_policy', `
-allow $1 security_file:dir r_dir_perms;
-allow $1 security_file:file r_file_perms;
-')
-
-#####################################
-# mmac_manage_policy(domain)
-# Ability to manage mmac policy files,
-# trigger runtime reload, change
-# mmac enforcing mode and access logcat.
-define(`mmac_manage_policy', `
-allow $1 security_file:dir create_dir_perms;
-allow $1 security_file:file create_file_perms;
-allow $1 security_file:lnk_file { create rename unlink };
-set_prop($1, security_prop)
-')
-
 #####################################
 # create_pty(domain)
 # Allow domain to create and use a pty, isolated from any other domain ptys.
diff --git a/ueventd.te b/ueventd.te
index 9eb2b1a56500c9d9cadde06e3959c7325c7cee87..003b0e69fa90485d8b00612b68501f07e1e6d568 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -8,7 +8,6 @@ tmpfs_domain(ueventd)
 type_transition ueventd device:chr_file klog_device "__kmsg__";
 allow ueventd klog_device:chr_file { create open write unlink };
 
-security_access_policy(ueventd)
 allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
diff --git a/vold.te b/vold.te
index 9a1ccfe3a008ad0966674affc9d1338a5c87a357..737037dfc18288650401767560d625e7e8aa52ac 100644
--- a/vold.te
+++ b/vold.te
@@ -125,7 +125,6 @@ set_prop(vold, restorecon_prop)
 # ASEC
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;
-security_access_policy(vold)
 allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
 allow vold asec_public_file:dir { relabelto setattr };
 allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
diff --git a/zygote.te b/zygote.te
index 421a54b84ae081b715b004600e0b7a816bc08d7e..e1be061c9ba6c3b6e102c1315d84829073aadf6a 100644
--- a/zygote.te
+++ b/zygote.te
@@ -43,8 +43,6 @@ allow zygote self:capability sys_admin;
 selinux_check_context(zygote)
 # Check SELinux permissions.
 selinux_check_access(zygote)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(zygote)
 
 # Native bridge functionality requires that zygote replaces
 # /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount