diff --git a/attributes b/attributes
index 56655c11b19261f7f1cadf251b4345f838d865c0..e9f51ee292afbe2ddbd31f8c00d4e3459648704e 100644
--- a/attributes
+++ b/attributes
@@ -37,6 +37,9 @@ attribute data_file_type;
 # All types use for sysfs files.
 attribute sysfs_type;
+# All types use for debugfs files.
+attribute debugfs_type;
+
 # Attribute used for all sdcards
 attribute sdcard_type;
diff --git a/domain.te b/domain.te
index 02b884f15c79c61896bffdbf53edd33ff3e30f68..2e38e92b297b3149ce69d4387da257c7b8ab1c11 100644
--- a/domain.te
+++ b/domain.te
@@ -110,6 +110,12 @@ allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
 allow domain selinuxfs:filesystem getattr;
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
+
 ###
 ### neverallow rules
 ###
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 8d69a7fc0277e526d91c1f1de3226ce76623f8aa..5fbeb60cb2f8d40fb551b9903c2249efe3a8a142 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -71,6 +71,11 @@ allow domain_deprecated proc_cpuinfo:file r_file_perms;
 # debugfs access
 allow domain_deprecated debugfs:dir r_dir_perms;
+# TODO: The following line can likely be deleted. The only reason
+# it was exposed was to allow /sys/kernel/debug/tracing/trace_marker
+# write access. This was in the days before labels could be assigned
+# to individual files on debugfs
+# (b/18935184, https://android-review.googlesource.com/122130)
 allow domain_deprecated debugfs:file w_file_perms;
 # Get SELinux enforcing status.
diff --git a/file.te b/file.te
index 9251741e5a5635fc941ea7b16aaadbcfa98d7684..bab302b5566e954a691a527b7e562a3554062af8 100644
--- a/file.te
+++ b/file.te
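Review bot: The comment above `allow domain debugfs_trace_marker:file w_file_perms;` in domain.te leaves the whole justification to b/6513400, so a reader of the policy cannot tell why every domain needs write access to the kernel trace marker. The reason should be stated in the comment itself, for example `# Processes write userspace trace annotations here; write-only by design.`, with the wording confirmed against the bug. Because the rule is attached to `domain`, data written through trace_marker can come from any process, and whatever consumes the trace output should treat it as untrusted.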
@@ -40,6 +40,7 @@ type vfat, sdcard_type, fs_type, mlstrustedobject;
 typealias fuse alias sdcard_internal;
 typealias vfat alias sdcard_external;
 type debugfs, fs_type, mlstrustedobject;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type pstorefs, fs_type;
 type functionfs, fs_type;
 type oemfs, fs_type, contextmount_type;
@@ -198,6 +199,7 @@ type property_contexts, file_type;
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
+allow debugfs_type debugfs:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;
diff --git a/file_contexts b/file_contexts
index 152dfb4aeaa6b8511bc54c9ae9ca8b0d9f73b94a..075154c4b344cd30e962477fe40ea83bd98be45b 100644
--- a/file_contexts
+++ b/file_contexts
@@ -326,6 +326,11 @@
 /sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
 /sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0
+#############################
+# debugfs files
+#
+/sys/kernel/debug/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+
 #############################
 # asec containers
 /mnt/asec(/.*)? u:object_r:asec_apk_file:s0
diff --git a/init.te b/init.te
index d07c5a7b698369df121574a644992ac6ab3e327e..464f088df50aa8ad1d1d52545325dbdbd53d3676 100644
--- a/init.te
+++ b/init.te
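Review bot: The new `/sys/kernel/debug/tracing/trace_marker` entry in file_contexts has no file-type field, while the sysfs entries directly above it use `--` to limit the match to regular files. Writing it as `/sys/kernel/debug/tracing/trace_marker -- u:object_r:debugfs_trace_marker:s0` keeps the label off anything else that might appear at that path. Separately, debugfs is a kernel pseudo-filesystem, so this entry presumably only takes effect once something relabels the path at boot, and no such step is visible in this diff. Until that happens the file would keep the `debugfs` label and the new `debugfs_trace_marker` allow rule in domain.te would match nothing, so it is worth confirming the relabel is wired up alongside this change.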
@@ -103,8 +103,8 @@ allow init {file_type -system_file -exec_type -keystore_data_file -security_file
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
-allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
-allow init sysfs_type:{ dir file lnk_file } relabelto;
+allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
 allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;
diff --git a/shell.te b/shell.te
index 06d08a86e641dc53c37b41bbe91223c92a322802..cc2783cd77042bb50a0eef644f8abfa4b94c3465 100644
--- a/shell.te
+++ b/shell.te
@@ -69,12 +69,13 @@ set_prop(shell, debug_prop)
 set_prop(shell, powerctl_prop)
 # systrace support - allow atrace to run
-# debugfs doesn't support labeling individual files, so we have
+# debugfs did not support labeling individual files, so we have
 # to grant read access to all of /sys/kernel/debug.
 # Directory read access and file write access is already granted
 # in domain.te.
+# TODO: Fix this now that we support labeling individual debugfs files
+# (b/18935184, https://android-review.googlesource.com/122130)
 allow shell debugfs:file r_file_perms;
-allow shell debugfs:dir search;
 allow shell atrace_exec:file rx_file_perms;
 userdebug_or_eng(`
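Review bot: Folding `debugfs` into the two existing sysfs rules in init.te gives init `getattr relabelfrom` on debugfs directories and symlinks as well as files, and `relabelto` on all three classes for every `debugfs_type`. The only labelled debugfs object this commit introduces is a regular file. If no labelled directories or links are planned, leaving the sysfs lines as they were and adding `allow init debugfs:file { getattr relabelfrom };` and `allow init debugfs_type:file relabelto;` grants only what relabelling trace_marker needs.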
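Review bot: The retained comment lines `# Directory read access and file write access is already granted` and `# in domain.te.` in shell.te no longer describe the policy after this commit. As visible in this diff, domain.te grants only `debugfs:dir search` and write on `debugfs_trace_marker`, while directory read and `debugfs:file` write sit in domain_deprecated.te. Since this hunk also drops `allow shell debugfs:dir search;` in reliance on the domain.te rule, the comment should say so, e.g. `# Directory search is granted in domain.te; debugfs:file write comes from domain_deprecated.te.` Whether shell carries the domain_deprecated attribute is not visible here and should be checked. The `userdebug_or_eng` block continues outside the hunk.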