diff --git a/system.te b/system.te
index cba07e326b05fb6fa38f254cf52d16a6486813ab..ef0d12e5a0332311e2d231fee41bc544679678b5 100644
--- a/system.te
+++ b/system.te
@@ -24,6 +24,15 @@ unix_socket_connect(system_app, keystore, keystore)
 # Read SELinux enforcing status.
 selinux_getenforce(system_app)
 
+bool settings_manage_selinux true;
+if (settings_manage_selinux) {
+# Allow settings app to set SELinux to enforcing
+selinux_setenforce(system_app)
+
+# Allow settings app to set SELinux booleans
+selinux_setbool(system_app)
+}
+
 #
 # System Server aka system_server spawned by zygote.
 # Most of the framework services run in this process.
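Review bot: `settings_manage_selinux` is declared with a default of `true`, so the `selinux_setenforce` and `selinux_setbool` grants inside the `if` block are active by default for every process in the `system_app` domain, not only for the settings screen the comments mention. The `setenforce` permission is also not directional, since it covers switching to permissive as well, so `# Allow settings app to set SELinux to enforcing` understates the grant; the header of `selinux_setenforce` in te_macros has the same wording. I would default the boolean off with `bool settings_manage_selinux false;` and reword the comment to `# Allow system_app to switch SELinux between enforcing and permissive`. Because `setbool` presumably lets the domain change this boolean itself, a comment should also say that the conditional is a configuration switch and not a containment boundary.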
diff --git a/te_macros b/te_macros
index 4afc777b033086db94d5c29b4a4b8482382dcc48..75f294c00bc953266375659aafbf03d4d9eb9030 100644
--- a/te_macros
+++ b/te_macros
@@ -208,3 +208,21 @@ define(`selinux_getenforce', `
 allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file r_file_perms;
 ')
+
+#####################################
+# selinux_setenforce(domain)
+# Allow domain to set SELinux to enforcing.
+define(`selinux_setenforce', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file rw_file_perms;
+allow $1 kernel:security setenforce;
+')
+
+#####################################
+# selinux_setbool(domain)
+# Allow domain to set SELinux booleans.
+define(`selinux_setbool', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file rw_file_perms;
+allow $1 kernel:security setbool;
+')
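Review bot: Both new macros grant `selinuxfs:file rw_file_perms`, which is write access to every file carrying the `selinuxfs` type, not just the one node each macro is about, and the header comments do not say so. As far as I can tell, only the `kernel:security` line narrows what the domain can actually do, so each header should state that, for example `# Write access to selinuxfs is type-wide; the kernel:security permission below is what limits the domain to setbool.` Both `define` bodies are complete within this hunk.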