diff --git a/file.te b/file.te
index 5e8687a72a975b585fdc4d560e39222021d37085..3ecb1434313c7d9189e748da86206bde6f4e6d15 100644
--- a/file.te
+++ b/file.te
@@ -154,6 +154,8 @@ type security_file, file_type;
 # vary per device, so this type is used in per
 # device policy
 type bluetooth_efs_file, file_type;
+# Type for fingerprint template file.
+type fingerprintd_data_file, file_type, data_file_type;
 
 # Socket types
 type adbd_socket, file_type;
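Review bot: Tagging `fingerprintd_data_file` with `data_file_type` exposes the fingerprint templates to every rule written against that attribute, and nothing in this patch limits access to the fingerprintd domain. A neverallow next to the domain rules would make that intent enforceable at policy build time, for example `neverallow { domain -fingerprintd } fingerprintd_data_file:file { open read write };`. The exception list needs widening for whichever domain legitimately creates or relabels the directory; I cannot tell which one that is from the visible hunks. Please also check which existing attribute-wide `data_file_type` rules this type would now fall under.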
diff --git a/file_contexts b/file_contexts
index 03be7b68f005edc8564d072a9095a79d3f7edddc..b298f98000447b0bb6209215f3fb1ca7d863ab32 100644
--- a/file_contexts
+++ b/file_contexts
@@ -149,6 +149,7 @@
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
+/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
 /system/bin/debuggerd	u:object_r:debuggerd_exec:s0
 /system/bin/debuggerd64	u:object_r:debuggerd_exec:s0
@@ -254,6 +255,9 @@
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 
+# Fingerprint data
+/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
+
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
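Review bot: Nothing visible in this patch lets any domain create the `fpdata` directory with the `fingerprintd_data_file` label. This `file_contexts` entry only takes effect when something runs restorecon on the path or a type transition is defined. In fingerprintd.te the daemon gets `rw_dir_perms` on the directory, which as far as I know does not include `create`. If another domain (presumably system_server) creates `/data/system/users/N/fpdata`, the directory would keep the parent's label until it is relabelled, and that domain would need `relabelto` on the new type. Please confirm where the directory is created and add the matching rule or restorecon call, so the templates do not end up under the parent directory's more widely accessible label.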
diff --git a/fingerprintd.te b/fingerprintd.te
new file mode 100644
index 0000000000000000000000000000000000000000..4ceb68dd352150fdf370b1fbc604c7f4f2c1d641
--- /dev/null
+++ b/fingerprintd.te
@@ -0,0 +1,23 @@
+type fingerprintd, domain;
+type fingerprintd_exec, exec_type, file_type;
+
+# fingerprintd
+init_daemon_domain(fingerprintd)
+binder_use(fingerprintd)
+
+# need to find KeyStore and add self
+allow fingerprintd fingerprintd_service:service_manager { add find };
+
+# allow HAL module to read dir contents
+allow fingerprintd fingerprintd_data_file:file { create_file_perms };
+
+# allow HAL module to read/write/unlink contents of this dir
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(fingerprintd)
+allow fingerprintd keystore:keystore_key { add_auth };
+
+# For permissions checking
+binder_call(fingerprintd, system_server);
+allow fingerprintd permission_service:service_manager find;
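Review bot: Three comments in this new file describe something other than what the rule beneath them grants, which makes a policy guarding biometric data harder to audit. The `:file` rule grants `create_file_perms` but is commented as reading dir contents, the `:dir` rule is the one covering directory access, and "need to find KeyStore and add self" sits above a rule that only concerns `fingerprintd_service`. Suggested replacements, in that order: `# create, read, write and unlink fingerprint template files`, `# search and modify entries in the fingerprint data directory`, `# register fingerprintd with servicemanager`. If fingerprintd never looks up its own service, `find` can be dropped from `{ add find }` to keep the grant minimal. The trailing `;` after `binder_call(fingerprintd, system_server)` is also inconsistent with the other macro calls in the file.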
diff --git a/service.te b/service.te
index 66bf5668c81e8ace40f87a8025ef6f94ff3c287f..35145febc41d8fa363a3bd550fdcb49728b27c11 100644
--- a/service.te
+++ b/service.te
@@ -2,6 +2,7 @@ type bluetooth_service,         service_manager_type;
 type default_android_service,   service_manager_type;
 type drmserver_service,         service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
+type fingerprintd_service,      service_manager_type;
 type healthd_service,           service_manager_type;
 type inputflinger_service,      service_manager_type;
 type keystore_service,          service_manager_type;
diff --git a/service_contexts b/service_contexts
index e782c7d99ace84035752c8f176b928538e0fed06..c412e1b7090e6e4c4188aef3eaf51be0fe16d998 100644
--- a/service_contexts
+++ b/service_contexts
@@ -39,6 +39,7 @@ drm.drmManager                            u:object_r:drmserver_service:s0
 dropbox                                   u:object_r:dropbox_service:s0
 ethernet                                  u:object_r:ethernet_service:s0
 fingerprint                               u:object_r:fingerprint_service:s0
+android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
 gfxinfo                                   u:object_r:gfxinfo_service:s0
 graphicsstats                             u:object_r:graphicsstats_service:s0
 hardware                                  u:object_r:hardware_service:s0
diff --git a/system_server.te b/system_server.te
index c95a1f028afada126f8134da33270eae4aaeb9f7..150103ef598b052838b4ea8dff01f69318e998b9 100644
--- a/system_server.te
+++ b/system_server.te
@@ -128,6 +128,7 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, gatekeeperd)
+binder_call(system_server, fingerprintd)
 binder_call(system_server, appdomain)
 binder_call(system_server, dumpstate)
 binder_service(system_server)
@@ -375,6 +376,7 @@ allow system_server drmserver_service:service_manager find;
 allow system_server healthd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
+allow system_server fingerprintd_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;