diff --git a/private/atrace.te b/private/atrace.te index 1b86d3e1d37c9a926527e79e49cfd7b673876628..ac9bedbfa93d3f00928890366f95eb4e573a419b 100644 --- a/private/atrace.te +++ b/private/atrace.te @@ -2,7 +2,7 @@ # It is spawned either by traced_probes or by init for the boottrace service. type atrace, domain, coredomain; -type atrace_exec, exec_type, file_type; +type atrace_exec, exec_type, file_type, system_file_type; # boottrace services uses /data/misc/boottrace/categories allow atrace boottrace_data_file:dir search; diff --git a/private/audioserver.te b/private/audioserver.te index 3c20268ea08ac29bf451e5fbaeae5feb7b04672b..09a0a97432e8a3847f1f922f3c15ce450eba32ad 100644 --- a/private/audioserver.te +++ b/private/audioserver.te @@ -2,7 +2,7 @@ typeattribute audioserver coredomain; -type audioserver_exec, exec_type, file_type; +type audioserver_exec, exec_type, file_type, system_file_type; init_daemon_domain(audioserver) r_dir_file(audioserver, sdcard_type) diff --git a/private/blank_screen.te b/private/blank_screen.te index 43d273bd0f4340ea32095474d382b2d7ab3ac044..51310d18032c57e951557ba20c2e7eb383ebb52e 100644 --- a/private/blank_screen.te +++ b/private/blank_screen.te @@ -1,5 +1,5 @@ type blank_screen, domain, coredomain; -type blank_screen_exec, exec_type, file_type; +type blank_screen_exec, exec_type, file_type, system_file_type; init_daemon_domain(blank_screen) diff --git a/private/blkid.te b/private/blkid.te index 090912b82140c6a108afacc0a80b4f822413f28f..4e972ab95d9168b08d01eaa49190758b7ae84b62 100644 --- a/private/blkid.te +++ b/private/blkid.te @@ -2,7 +2,7 @@ typeattribute blkid coredomain; -type blkid_exec, exec_type, file_type; +type blkid_exec, system_file_type, exec_type, file_type; # Allowed read-only access to encrypted devices to extract UUID/label allow blkid block_device:dir search; diff --git a/private/bpfloader.te b/private/bpfloader.te index 0b338117717ed613eb16b8bffce0afaa965885fd..83a74a20977345de0bbc63026412b15f7329d8de 100644 
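Review bot: The position of the new attribute is inconsistent across the `_exec` declarations: the atrace.te hunk appends it (`exec_type, file_type, system_file_type`), as do audioserver.te, blank_screen.te and public/adbd.te, while blkid.te and the other files in this change put it first. Attribute order has no effect on the compiled policy, but a single form keeps the declarations greppable and makes a missed file easier to spot in later audits. I would use the majority form here, `type atrace_exec, system_file_type, exec_type, file_type;`, and likewise in the other three files.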
--- a/private/bpfloader.te +++ b/private/bpfloader.te @@ -1,6 +1,6 @@ # bpf program loader type bpfloader, domain; -type bpfloader_exec, exec_type, file_type; +type bpfloader_exec, system_file_type, exec_type, file_type; typeattribute bpfloader coredomain; # Process need CAP_NET_ADMIN to run bpf programs as cgroup filter diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te index 7d01ef5b822661b5f35fb09a225fe3f46ecd18d4..212608bca0e8cf801b03dd3904087f1b73b7c117 100644 --- a/private/dexoptanalyzer.te +++ b/private/dexoptanalyzer.te @@ -1,6 +1,6 @@ # dexoptanalyzer type dexoptanalyzer, domain, coredomain, mlstrustedsubject; -type dexoptanalyzer_exec, exec_type, file_type; +type dexoptanalyzer_exec, system_file_type, exec_type, file_type; # Reading an APK opens a ZipArchive, which unpack to tmpfs. # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te index 49ef1781bb0e5f0296e44d3784958c607d2f1382..7aa28aa29e35452ecfe7500472c2cc269e558fbe 100644 --- a/private/hal_allocator_default.te +++ b/private/hal_allocator_default.te @@ -1,5 +1,5 @@ type hal_allocator_default, domain, coredomain; hal_server_domain(hal_allocator_default, hal_allocator) -type hal_allocator_default_exec, exec_type, file_type; +type hal_allocator_default_exec, system_file_type, exec_type, file_type; init_daemon_domain(hal_allocator_default) diff --git a/private/hal_system_suspend_default.te b/private/hal_system_suspend_default.te index 293f3ded59e5ef8a18ad7f578a9a59e6d910a6cf..c948051ebd3e1a037eac752cbd9c44223e60143f 100644 --- a/private/hal_system_suspend_default.te +++ b/private/hal_system_suspend_default.te 
@@ -1,5 +1,5 @@ type hal_system_suspend_default, domain, coredomain; hal_server_domain(hal_system_suspend_default, hal_system_suspend) -type hal_system_suspend_default_exec, exec_type, file_type; +type hal_system_suspend_default_exec, system_file_type, exec_type, file_type; init_daemon_domain(hal_system_suspend_default) diff --git a/private/incident.te b/private/incident.te index 1844898ea56406dc0909bcefe7555f244ebc6218..98101e031394d9ec2f2bce8eefb0e7423c57fd00 100644 --- a/private/incident.te +++ b/private/incident.te @@ -1,6 +1,6 @@ typeattribute incident coredomain; -type incident_exec, exec_type, file_type; +type incident_exec, system_file_type, exec_type, file_type; # switch to incident domain for incident command domain_auto_trans(shell, incident_exec, incident) diff --git a/private/incident_helper.te b/private/incident_helper.te index e1e3fc826b3af9d72378e6cbefb8b8d276790dda..078aa246be0b545e1457f9b22f4afde3e57a5766 100644 --- a/private/incident_helper.te +++ b/private/incident_helper.te @@ -1,6 +1,6 @@ typeattribute incident_helper coredomain; -type incident_helper_exec, exec_type, file_type; +type incident_helper_exec, system_file_type, exec_type, file_type; # switch to incident_helper domain for incident_helper command domain_auto_trans(incidentd, incident_helper_exec, incident_helper) diff --git a/private/incidentd.te b/private/incidentd.te index 334c24369b779271f2bf640ef25aa5a06bd5747c..7ad3a30c22b3da799c8c419fa38385fde8017125 100644 --- a/private/incidentd.te +++ b/private/incidentd.te @@ -2,7 +2,7 @@ typeattribute incidentd coredomain; typeattribute incidentd mlstrustedsubject; init_daemon_domain(incidentd) -type incidentd_exec, exec_type, file_type; +type incidentd_exec, system_file_type, exec_type, file_type; binder_use(incidentd) wakelock_use(incidentd) diff --git a/private/mdnsd.te b/private/mdnsd.te index 943f9794cf451c3e7317c5c3c15e3ff54b20c985..98e95dab3b8a1e867e0e04a6c16f81050cd33fdd 100644 --- a/private/mdnsd.te +++ b/private/mdnsd.te 
@@ -3,7 +3,7 @@ typeattribute mdnsd coredomain; typeattribute mdnsd mlstrustedsubject; -type mdnsd_exec, exec_type, file_type; +type mdnsd_exec, system_file_type, exec_type, file_type; init_daemon_domain(mdnsd) net_domain(mdnsd) diff --git a/private/perfetto.te b/private/perfetto.te index 9ac5d8761223a44e6ec5f0069ceaffbbaac544be..c068dc517c89292354ca73902651512282eefca3 100644 --- a/private/perfetto.te +++ b/private/perfetto.te @@ -4,7 +4,7 @@ # daemon. type perfetto, domain, coredomain; -type perfetto_exec, exec_type, file_type; +type perfetto_exec, system_file_type, exec_type, file_type; tmpfs_domain(perfetto); diff --git a/private/stats.te b/private/stats.te index 4b29cf37f9ebaadf6fcb2222e78927fddca3b45d..818d9f9d34f65835167f700a94a001d73ae42afa 100644 --- a/private/stats.te +++ b/private/stats.te @@ -1,6 +1,6 @@ type stats, domain; typeattribute stats coredomain; -type stats_exec, exec_type, file_type; +type stats_exec, system_file_type, exec_type, file_type; # switch to stats domain for stats command domain_auto_trans(shell, stats_exec, stats) diff --git a/private/storaged.te b/private/storaged.te index 8f70531a73844a245c464a566d9c789189b37388..0e31483ff65445ff532410221b745bbd90660964 100644 --- a/private/storaged.te +++ b/private/storaged.te @@ -1,6 +1,6 @@ # storaged daemon type storaged, domain, coredomain, mlstrustedsubject; -type storaged_exec, exec_type, file_type; +type storaged_exec, system_file_type, exec_type, file_type; init_daemon_domain(storaged) diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te index a5ebfb0e0c50736c166ea293028769a7cd64960c..000ebe1c3bcffc777db8efae6f1b8756e9b0ec05 100644 --- a/private/surfaceflinger.te +++ b/private/surfaceflinger.te @@ -2,7 +2,7 @@ typeattribute surfaceflinger coredomain; -type surfaceflinger_exec, exec_type, file_type; +type surfaceflinger_exec, system_file_type, exec_type, file_type; init_daemon_domain(surfaceflinger) typeattribute surfaceflinger mlstrustedsubject; 
diff --git a/private/traced.te b/private/traced.te index 49edc51749fc82a8466c2d05ef14fdc953fe495f..6571938fb6e657ad07676e5c0dd6f9c985909745 100644 --- a/private/traced.te +++ b/private/traced.te @@ -1,6 +1,6 @@ # Perfetto user-space tracing daemon (unprivileged) type traced, domain, coredomain, mlstrustedsubject; -type traced_exec, exec_type, file_type; +type traced_exec, system_file_type, exec_type, file_type; # Allow init to exec the daemon. init_daemon_domain(traced) diff --git a/private/traced_probes.te b/private/traced_probes.te index 83dbe45b36d6223543ba362bb349ebc8d2a22c5a..e17329363ee5eb0c2b674a21939f2166d13542fd 100644 --- a/private/traced_probes.te +++ b/private/traced_probes.te @@ -1,5 +1,5 @@ # Perfetto tracing probes, has tracefs access. -type traced_probes_exec, exec_type, file_type; +type traced_probes_exec, system_file_type, exec_type, file_type; # Allow init to exec the daemon. init_daemon_domain(traced_probes) diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te index 8b8dd2927bfaca128d8fc8086c9952a0622fd061..85a28da5f8b4cca8d64b8f40255af4de2a97dff9 100644 --- a/private/wait_for_keymaster.te +++ b/private/wait_for_keymaster.te @@ -1,6 +1,6 @@ # wait_for_keymaster service type wait_for_keymaster, domain, coredomain; -type wait_for_keymaster_exec, exec_type, file_type; +type wait_for_keymaster_exec, system_file_type, exec_type, file_type; init_daemon_domain(wait_for_keymaster) diff --git a/public/adbd.te b/public/adbd.te index 82373fd1d959d05c06bd0fcac0ccbd3a4c71c3f4..68a176ca6767417c7e6bb5c6dec652de68bdbc7d 100644 --- a/public/adbd.te +++ b/public/adbd.te @@ -1,7 +1,7 @@ # adbd seclabel is specified in init.rc since # it lives in the rootfs and has no unique file type. type adbd, domain; -type adbd_exec, exec_type, file_type; +type adbd_exec, exec_type, file_type, system_file_type; # Only init is allowed to enter the adbd domain via exec() neverallow { domain -init } adbd:process transition; 
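Review bot: In the public/adbd.te hunk the context comment directly above the changed line says adbd "lives in the rootfs and has no unique file type", yet the new line tags `adbd_exec` with `system_file_type`, which public/attributes in this same change documents as "All types in /system". One of the two is wrong. If the binary is now labelled under /system, the comment is stale and should be updated in this commit. If it still lives in the rootfs, the attribute should not be applied, because rules written against `system_file_type` would then cover a file outside the partition they are meant to describe.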
diff --git a/public/attributes b/public/attributes index ecfe3739129ad9b6f76738ce67fc8f9526e223f2..1ef92263d702275fa931f5e9df1288303944c94f 100644 --- a/public/attributes +++ b/public/attributes @@ -33,6 +33,10 @@ expandattribute data_file_type false; # All types in /data, not in /data/vendor attribute core_data_file_type; expandattribute core_data_file_type false; + +# All types in /system +attribute system_file_type; + # All types in /vendor attribute vendor_file_type; diff --git a/public/bootanim.te b/public/bootanim.te index 32602273d1a99b497fc0106d6eb4f509810c00ea..e8cb98bbcfad18f7cb70297310f103a0c1cecdf7 100644 --- a/public/bootanim.te +++ b/public/bootanim.te @@ -1,6 +1,6 @@ # bootanimation oneshot service type bootanim, domain; -type bootanim_exec, exec_type, file_type; +type bootanim_exec, system_file_type, exec_type, file_type; hal_client_domain(bootanim, hal_configstore) hal_client_domain(bootanim, hal_graphics_allocator) diff --git a/public/bootstat.te b/public/bootstat.te index 7ba02381524e670a24e01a4846519b7bb2d60f76..ce14c2f739b956ae09e2abfb6d94621cdacdcb9b 100644 --- a/public/bootstat.te +++ b/public/bootstat.te @@ -1,6 +1,6 @@ # bootstat command type bootstat, domain; -type bootstat_exec, exec_type, file_type; +type bootstat_exec, system_file_type, exec_type, file_type; read_runtime_log_tags(bootstat) diff --git a/public/bufferhubd.te b/public/bufferhubd.te index 10826d3ddf8e918253c80918eb14fc23a3c40b73..7acfa695206e74c5b80c979607ee96aeef5f988a 100644 --- a/public/bufferhubd.te +++ b/public/bufferhubd.te @@ -1,6 +1,6 @@ # bufferhubd type bufferhubd, domain, mlstrustedsubject; -type bufferhubd_exec, exec_type, file_type; +type bufferhubd_exec, system_file_type, exec_type, file_type; hal_client_domain(bufferhubd, hal_graphics_allocator) diff --git a/public/cameraserver.te b/public/cameraserver.te index 3fdca537e0fe0faf29bc7c662c9a15801c4227c8..ba45228588c73bd4c440061dbc1a6c425aa376e4 100644 --- a/public/cameraserver.te +++ b/public/cameraserver.te 
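Review bot: Nothing in the public/attributes hunk, or elsewhere in the visible change, enforces that a type labelled under /system actually carries `system_file_type`. The attribute is added by hand to each declaration, so a type that is missed now or added later silently stays outside the write, relabelto and mounton neverallows that domain.te rewrites to use it. A build-time policy test that resolves every file_contexts entry under /system to its type and fails when the attribute is absent would close that gap. Separately, the neighbouring `data_file_type` and `core_data_file_type` are each followed by `expandattribute ... false;` and the new attribute is not; if that is deliberate, say so in a comment such as `# expansion of system_file_type is left to the compiler`.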
@@ -1,6 +1,6 @@ # cameraserver - camera daemon type cameraserver, domain; -type cameraserver_exec, exec_type, file_type; +type cameraserver_exec, system_file_type, exec_type, file_type; binder_use(cameraserver) binder_call(cameraserver, binderservicedomain) diff --git a/public/clatd.te b/public/clatd.te index 53d6582c1525d577676237c40504c765b456bbd1..5c9d724dbd9d5fa1209003bbc11a7efadac5b544 100644 --- a/public/clatd.te +++ b/public/clatd.te @@ -1,6 +1,6 @@ # 464xlat daemon type clatd, domain; -type clatd_exec, exec_type, file_type; +type clatd_exec, system_file_type, exec_type, file_type; net_domain(clatd) diff --git a/public/cppreopts.te b/public/cppreopts.te index fb9855eeaad407ffdef80c8393baf888b05f37e2..623391e8bf94afa67ed4bed29f611f3b9a3e2af6 100644 --- a/public/cppreopts.te +++ b/public/cppreopts.te @@ -5,7 +5,7 @@ # directories. type cppreopts, domain, mlstrustedsubject; -type cppreopts_exec, exec_type, file_type; +type cppreopts_exec, system_file_type, exec_type, file_type; # Allow cppreopts copy files into the dalvik-cache allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write }; diff --git a/public/crash_dump.te b/public/crash_dump.te index 65e6a65e9fca4f286e39ce79805604ba2dd761ab..ec33df329cc0585209c622294dd1fcd4d19362ae 100644 --- a/public/crash_dump.te +++ b/public/crash_dump.te @@ -1,5 +1,5 @@ type crash_dump, domain; -type crash_dump_exec, exec_type, file_type; +type crash_dump_exec, system_file_type, exec_type, file_type; # crash_dump might inherit CAP_SYS_PTRACE from a privileged process, # which will result in an audit log even when it's allowed to trace. diff --git a/public/dex2oat.te b/public/dex2oat.te index 2e96352fc6a4e1151a757cf95269a1398e724734..0a046c65fa0a632eac581c0020d5a6833ab02b19 100644 --- a/public/dex2oat.te +++ b/public/dex2oat.te 
@@ -1,6 +1,6 @@ # dex2oat type dex2oat, domain; -type dex2oat_exec, exec_type, file_type; +type dex2oat_exec, system_file_type, exec_type, file_type; r_dir_file(dex2oat, apk_data_file) # Access to /vendor/app diff --git a/public/dhcp.te b/public/dhcp.te index 6ed983260c9f877f2494d2c15a080bdab338f04b..4f2369d2d061fb8b9bbc12d9c2b4f85378d927bd 100644 --- a/public/dhcp.te +++ b/public/dhcp.te @@ -1,5 +1,5 @@ type dhcp, domain; -type dhcp_exec, exec_type, file_type; +type dhcp_exec, system_file_type, exec_type, file_type; net_domain(dhcp) diff --git a/public/dnsmasq.te b/public/dnsmasq.te index e97e964e5222f1d5b3fd75b39c7de7f5cbe5c03a..62e1a328ed00195428761458d1ce57c3dadd1979 100644 --- a/public/dnsmasq.te +++ b/public/dnsmasq.te @@ -1,6 +1,6 @@ # DNS, DHCP services type dnsmasq, domain; -type dnsmasq_exec, exec_type, file_type; +type dnsmasq_exec, system_file_type, exec_type, file_type; net_domain(dnsmasq) allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls; diff --git a/public/domain.te b/public/domain.te index 669c3c2ebc81ac694578d351a1de40900a2e77aa..5e8fb230bfe2bb441adb36a0cbb3f944ba448aaa 100644 --- a/public/domain.te +++ b/public/domain.te @@ -454,7 +454,7 @@ neverallow { userdebug_or_eng(`-mediaextractor') } { file_type - -system_file + -system_file_type -system_lib_file -system_linker_exec -vendor_file_type 
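Review bot: In the public/domain.te hunk at line 454, replacing `-system_file` with `-system_file_type` inside a subtraction list widens what this neverallow exempts rather than tightening it. Every type that file.te tags in this change, for example `sepolicy_file`, `system_security_cacerts_file` and `file_contexts_file`, is now removed from the forbidden target set. The rule's source set and permission list lie outside the hunk, so please confirm the permission involved is one that is acceptable on all of those types; if only the default label was meant to be exempt, keep `-system_file` here. The retained `-system_lib_file` and `-system_linker_exec` entries also become redundant once those types carry the attribute and can be dropped, or kept with a comment saying they are intentional.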
@@ -503,16 +503,16 @@ neverallow { domain with_asan(`-asan_extract') } { - system_file + system_file_type vendor_file_type exec_type }:dir_file_class_set { create write setattr relabelfrom append unlink link rename }; -neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto; +neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto; # Don't allow mounting on top of /system files or directories neverallow * exec_type:dir_file_class_set mounton; -neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton; +neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton; # Nothing should be writing to files in the rootfs. neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; @@ -1109,7 +1109,7 @@ full_treble_only(` # -appdomain # -coredomain # -vendor_executes_system_violators -# } system_file:file *; +# } system_file_type:file *; #') # Only authorized processes should be writing to files in /data/dalvik-cache diff --git a/public/drmserver.te b/public/drmserver.te index 23ba9a6d77962a24b3f6ab59f39ef7639dc9d867..4a101478a982ef0b034571a522ad9341f3836caf 100644 --- a/public/drmserver.te +++ b/public/drmserver.te @@ -1,6 +1,6 @@ # drmserver - DRM service type drmserver, domain; -type drmserver_exec, exec_type, file_type; +type drmserver_exec, system_file_type, exec_type, file_type; typeattribute drmserver mlstrustedsubject; diff --git a/public/dumpstate.te b/public/dumpstate.te index 295217dfdeb50cf6c323a02fe496b0f3afcffa01..2d226afb3ee06d48f0a71014aca0c38f858dab80 100644 --- a/public/dumpstate.te +++ b/public/dumpstate.te 
@@ -1,6 +1,6 @@ # dumpstate type dumpstate, domain, mlstrustedsubject; -type dumpstate_exec, exec_type, file_type; +type dumpstate_exec, system_file_type, exec_type, file_type; net_domain(dumpstate) binder_use(dumpstate) diff --git a/public/e2fs.te b/public/e2fs.te index 6fcd0c2fb8791f16ae3216a2e510dcdf732cd4e0..ea9981dd04e04de32833516ab85841356db441cb 100644 --- a/public/e2fs.te +++ b/public/e2fs.te @@ -1,5 +1,5 @@ type e2fs, domain, coredomain; -type e2fs_exec, exec_type, file_type; +type e2fs_exec, system_file_type, exec_type, file_type; allow e2fs devpts:chr_file { read write getattr ioctl }; diff --git a/public/file.te b/public/file.te index 44162271aa09a70446071c2c6b0c1cb28ccd426f..e567a65602550b9fd8636679a07fb36dc80af745 100644 --- a/public/file.te +++ b/public/file.te 
@@ -131,19 +131,19 @@ type app_fusefs, fs_type, contextmount_type; type unlabeled, file_type; # Default type for anything under /system. -type system_file, file_type; +type system_file, system_file_type, file_type; # Default type for anything under /system/lib[64]. -type system_lib_file, file_type; +type system_lib_file, system_file_type, file_type; # Default type for linker executable /system/bin/linker[64]. -type system_linker_exec, file_type; +type system_linker_exec, system_file_type, file_type; # Default type for linker config /system/etc/ld.config.*. -type system_linker_config_file, file_type; +type system_linker_config_file, system_file_type, file_type; # Default type for linker config /system/etc/seccomp_policy/*. -type system_seccomp_policy_file, file_type; +type system_seccomp_policy_file, system_file_type, file_type; # Default type for cacerts in /system/etc/security/cacerts/*. -type system_security_cacerts_file, file_type; +type system_security_cacerts_file, system_file_type, file_type; # Default type for zoneinfo files in /system/usr/share/zoneinfo/*. -type system_zoneinfo_file, file_type; +type system_zoneinfo_file, system_file_type, file_type; # Default type for directories search for # HAL implementations @@ -175,7 +175,7 @@ type vold_metadata_file, file_type; # Speedup access for trusted applications to the runtime event tags type runtime_event_log_tags_file, file_type; # Type for /system/bin/logcat. -type logcat_exec, exec_type, file_type; +type logcat_exec, system_file_type, exec_type, file_type; # /cores for coredumps on userdebug / eng builds type coredump_file, file_type; # Default type for anything under /data. 
@@ -385,28 +385,28 @@ pdx_service_socket_types(performance_client, pdx_performance_dir) pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir) # file_contexts files -type file_contexts_file, file_type; +type file_contexts_file, system_file_type, file_type; # mac_permissions file -type mac_perms_file, file_type; +type mac_perms_file, system_file_type, file_type; # property_contexts file -type property_contexts_file, file_type; +type property_contexts_file, system_file_type, file_type; # seapp_contexts file -type seapp_contexts_file, file_type; +type seapp_contexts_file, system_file_type, file_type; # sepolicy files binary and others -type sepolicy_file, file_type; +type sepolicy_file, system_file_type, file_type; # service_contexts file -type service_contexts_file, file_type; +type service_contexts_file, system_file_type, file_type; # nonplat service_contexts file (only accessible on non full-treble devices) type nonplat_service_contexts_file, file_type; # hwservice_contexts file -type hwservice_contexts_file, file_type; +type hwservice_contexts_file, system_file_type, file_type; # vndservice_contexts file type vndservice_contexts_file, file_type; diff --git a/public/fingerprintd.te b/public/fingerprintd.te index 2dc1107214ab9b619116d2d9780e068f0180e5ee..ff7a884e3ffd8f7039c7a0d4d4f0c1eb4acd9d95 100644 --- a/public/fingerprintd.te +++ b/public/fingerprintd.te @@ -1,5 +1,5 @@ type fingerprintd, domain; -type fingerprintd_exec, exec_type, file_type; +type fingerprintd_exec, system_file_type, exec_type, file_type; binder_use(fingerprintd) diff --git a/public/fsck.te b/public/fsck.te index c5219d8ab6646ea3dcb0a90dfb68429def33363e..32462ea5b5ba2eb3453ccbd3aadfe2fe3d2323b4 100644 --- a/public/fsck.te +++ b/public/fsck.te @@ -1,6 +1,6 @@ # Any fsck program run by init type fsck, domain; -type fsck_exec, exec_type, file_type; +type fsck_exec, system_file_type, exec_type, file_type; # /dev/__null__ created by init prior to policy load, # open fd inherited by fsck. 
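Review bot: In the public/file.te hunk at line 385, `nonplat_service_contexts_file` and `vndservice_contexts_file` are the only two context-file types left without `system_file_type`, and nothing in the hunk says why. Presumably they are not installed under /system, but the neverallows on writing and relabelling now key off the attribute, so an accidental omission would be indistinguishable from an intentional one. A one-line comment on each, along the lines of `# not under /system, so intentionally not system_file_type`, would make the decision reviewable.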
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te index 2fc36279de01bfd3bd57e1a7a9b48384ec994a3e..40c9a075bbee44a2003597b5164fdfe0a8bfa52c 100644 --- a/public/gatekeeperd.te +++ b/public/gatekeeperd.te @@ -1,5 +1,5 @@ type gatekeeperd, domain; -type gatekeeperd_exec, exec_type, file_type; +type gatekeeperd_exec, system_file_type, exec_type, file_type; # gatekeeperd binder_service(gatekeeperd) diff --git a/public/healthd.te b/public/healthd.te index a3dd58badbc8c9298a578f34b34834a99daaf848..a383dcf2119c497a09370edfa253a0c3769b753a 100644 --- a/public/healthd.te +++ b/public/healthd.te @@ -1,6 +1,6 @@ # healthd - battery/charger monitoring service daemon type healthd, domain; -type healthd_exec, exec_type, file_type; +type healthd_exec, system_file_type, exec_type, file_type; # Write to /dev/kmsg allow healthd kmsg_device:chr_file rw_file_perms; diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te index 1ffd2a67ec4074501fada827daf29d3b92a80031..7f0381564ebd26362c209ad228e3c726f9a58fe9 100644 --- a/public/hwservicemanager.te +++ b/public/hwservicemanager.te @@ -1,6 +1,6 @@ # hwservicemanager - the Binder context manager for HAL services type hwservicemanager, domain, mlstrustedsubject; -type hwservicemanager_exec, exec_type, file_type; +type hwservicemanager_exec, system_file_type, exec_type, file_type; # Note that we do not use the binder_* macros here. # hwservicemanager provides name service (aka context manager) diff --git a/public/idmap.te b/public/idmap.te index 3f336a32dfd2f2a4740a372056385f9eb45a3994..0899faa2ad4c4e445052b4639182465724e3ae6d 100644 --- a/public/idmap.te +++ b/public/idmap.te @@ -1,6 +1,6 @@ # idmap, when executed by installd type idmap, domain; -type idmap_exec, exec_type, file_type; +type idmap_exec, system_file_type, exec_type, file_type; # Use open file to /data/resource-cache file inherited from installd. allow idmap installd:fd use; 
diff --git a/public/init.te b/public/init.te index 36d9800ead38035ac65317ff1eabf7cedc33f1a6..101c0c86380dab7bdc35a8e058e17bec1881c233 100644 --- a/public/init.te +++ b/public/init.te @@ -2,7 +2,7 @@ type init, domain, mlstrustedsubject; # The init domain is entered by execing init. -type init_exec, exec_type, file_type; +type init_exec, system_file_type, exec_type, file_type; # /dev/__null__ node created by init. allow init tmpfs:chr_file { create setattr unlink rw_file_perms }; @@ -147,7 +147,7 @@ allow init { -nativetest_data_file -privapp_data_file -system_app_data_file - -system_file + -system_file_type -vendor_file_type }:dir { create search getattr open read setattr ioctl }; @@ -161,7 +161,7 @@ allow init { -privapp_data_file -shell_data_file -system_app_data_file - -system_file + -system_file_type -vendor_file_type -vold_data_file }:dir { write add_name remove_name rmdir relabelfrom }; @@ -177,7 +177,7 @@ allow init { -runtime_event_log_tags_file -shell_data_file -system_app_data_file - -system_file + -system_file_type -vendor_file_type -vold_data_file }:file { create getattr open read write setattr relabelfrom unlink map }; @@ -192,7 +192,7 @@ allow init { -privapp_data_file -shell_data_file -system_app_data_file - -system_file + -system_file_type -vendor_file_type -vold_data_file }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink }; 
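Review bot: The public/init.te hunks at lines 147, 161, 177 and 192, and the lnk_file and relabelto rules in the hunk at 207, swap `-system_file` for `-system_file_type` inside allow-rule subtractions, which removes init's generic access to every type carrying the attribute rather than only the default /system label. That is a tightening and looks like the intent, but it is a behaviour change for types such as `system_lib_file`, `system_linker_config_file` and `sepolicy_file`, which these rules previously matched unless the unseen head of each set already excluded them. Please confirm that init's remaining access to those types is granted by explicit rules elsewhere and that a full boot shows no new init denials. A comment above the first rule, for example `# /system types are excluded; init's access to them is granted explicitly`, would record the reasoning. The opening of each type set is outside the hunks.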
@@ -207,14 +207,14 @@ allow init { -privapp_data_file -shell_data_file -system_app_data_file - -system_file + -system_file_type -vendor_file_type -vold_data_file }:lnk_file { create getattr setattr relabelfrom unlink }; allow init cache_file:lnk_file r_file_perms; -allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto; +allow init { file_type -system_file_type -vendor_file_type -exec_type }:dir_file_class_set relabelto; # does init really need to relabel app data? userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;') allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom }; diff --git a/public/inputflinger.te b/public/inputflinger.te index e5f12a0c154fdc398a898dfdc1dde1f9d11c5ec5..f206c05e78ae73b9da5b612d8e8acb159098908d 100644 --- a/public/inputflinger.te +++ b/public/inputflinger.te @@ -1,6 +1,6 @@ # inputflinger type inputflinger, domain; -type inputflinger_exec, exec_type, file_type; +type inputflinger_exec, system_file_type, exec_type, file_type; binder_use(inputflinger) binder_service(inputflinger) diff --git a/public/install_recovery.te b/public/install_recovery.te index 24819c2ea414c78f1052174c574ce5bb59fdb002..0aee9ab03b6e4eb36804c9e92fb2c7bcad45f568 100644 --- a/public/install_recovery.te +++ b/public/install_recovery.te @@ -1,6 +1,6 @@ # service flash_recovery in init.rc type install_recovery, domain; -type install_recovery_exec, exec_type, file_type; +type install_recovery_exec, system_file_type, exec_type, file_type; allow install_recovery self:global_capability_class_set { dac_override dac_read_search }; diff --git a/public/installd.te b/public/installd.te index 12495c435a62ee42d18f0c8aea0e51f8acfb54d9..8a761663e247338b721891b8cbffae478081a01a 100644 --- a/public/installd.te +++ b/public/installd.te 
@@ -1,6 +1,6 @@ # installer daemon type installd, domain; -type installd_exec, exec_type, file_type; +type installd_exec, system_file_type, exec_type, file_type; typeattribute installd mlstrustedsubject; allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin }; diff --git a/public/keystore.te b/public/keystore.te index 49355bd952c64ea46ece62f579338f9f4b386954..e869f32d22d93f6a697938f632b5d7826096b2b5 100644 --- a/public/keystore.te +++ b/public/keystore.te @@ -1,5 +1,5 @@ type keystore, domain; -type keystore_exec, exec_type, file_type; +type keystore_exec, system_file_type, exec_type, file_type; # keystore daemon typeattribute keystore mlstrustedsubject; diff --git a/public/llkd.te b/public/llkd.te index afc508d4f659e12169e97cc093d24b2e63be3cb2..1faa429957ce195b210b6c5edbf83d42757cf958 100644 --- a/public/llkd.te +++ b/public/llkd.te @@ -1,3 +1,3 @@ # llkd Live LocK Daemon type llkd, domain, mlstrustedsubject; -type llkd_exec, exec_type, file_type; +type llkd_exec, system_file_type, exec_type, file_type; diff --git a/public/lmkd.te b/public/lmkd.te index 2eb2ccacadc6bef1612bf6530d8b33587159382c..54199e10afd91aeda18ad863ea174e0316f30862 100644 --- a/public/lmkd.te +++ b/public/lmkd.te @@ -1,6 +1,6 @@ # lmkd low memory killer daemon type lmkd, domain, mlstrustedsubject; -type lmkd_exec, exec_type, file_type; +type lmkd_exec, system_file_type, exec_type, file_type; allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill }; diff --git a/public/logd.te b/public/logd.te index 91ef54573638fd0b112ea748431522c1861388c6..a26aa25d364b9b9aaaa0597a05f82241de623518 100644 --- a/public/logd.te +++ b/public/logd.te @@ -1,6 +1,6 @@ # android user-space log manager type logd, domain, mlstrustedsubject; -type logd_exec, exec_type, file_type; +type logd_exec, system_file_type, exec_type, file_type; # Read access to pseudo filesystems. r_dir_file(logd, cgroup) 
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te index 059be7be9ccbf219933b797a6222e95d960cb837..a52295e2cb1c8cd211d53a1cad5cd811079c5f6d 100644 --- a/public/mediadrmserver.te +++ b/public/mediadrmserver.te @@ -1,6 +1,6 @@ # mediadrmserver - mediadrm daemon type mediadrmserver, domain; -type mediadrmserver_exec, exec_type, file_type; +type mediadrmserver_exec, system_file_type, exec_type, file_type; typeattribute mediadrmserver mlstrustedsubject; diff --git a/public/mediaextractor.te b/public/mediaextractor.te index ec9c6345a478a93e33693526ef12a2f28d8afb7e..9e07efd390ba21ff47adcfbfeb013d4feebe87b4 100644 --- a/public/mediaextractor.te +++ b/public/mediaextractor.te @@ -1,6 +1,6 @@ # mediaextractor - multimedia daemon type mediaextractor, domain; -type mediaextractor_exec, exec_type, file_type; +type mediaextractor_exec, system_file_type, exec_type, file_type; typeattribute mediaextractor mlstrustedsubject; diff --git a/public/mediametrics.te b/public/mediametrics.te index 1c8f5b80b1548e4d2051f3bf8211fe1414193598..622e16968b0affee66c3df68dc943143249eecb2 100644 --- a/public/mediametrics.te +++ b/public/mediametrics.te @@ -1,6 +1,6 @@ # mediametrics - daemon for collecting media.metrics data type mediametrics, domain; -type mediametrics_exec, exec_type, file_type; +type mediametrics_exec, system_file_type, exec_type, file_type; binder_use(mediametrics) diff --git a/public/mediaserver.te b/public/mediaserver.te index a197a4482bf1eb16b431f24e8b219e781ad70c3e..6a7b0c7a4048e49407e43f8b0a5dc60696adc380 100644 --- a/public/mediaserver.te +++ b/public/mediaserver.te @@ -1,6 +1,6 @@ # mediaserver - multimedia daemon type mediaserver, domain; -type mediaserver_exec, exec_type, file_type; +type mediaserver_exec, system_file_type, exec_type, file_type; typeattribute mediaserver mlstrustedsubject; diff --git a/public/mtp.te b/public/mtp.te index 7256bcf55795a13aa6485b35fecb09f88bb2ae34..c744343cf9fdeabe94e0478ff83929c74aec7d2c 100644 --- a/public/mtp.te 
+++ b/public/mtp.te @@ -1,6 +1,6 @@ # vpn tunneling protocol manager type mtp, domain; -type mtp_exec, exec_type, file_type; +type mtp_exec, system_file_type, exec_type, file_type; net_domain(mtp) diff --git a/public/netd.te b/public/netd.te index a4a65a98cd68091b4cf04bf08a450927466052a0..241380b2149c16dd5a79b6fc1c573b4235d796d2 100644 --- a/public/netd.te +++ b/public/netd.te @@ -1,6 +1,6 @@ # network manager type netd, domain, mlstrustedsubject; -type netd_exec, exec_type, file_type; +type netd_exec, system_file_type, exec_type, file_type; net_domain(netd) # in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls. diff --git a/public/netutils_wrapper.te b/public/netutils_wrapper.te index c844762c8cae0c244d0ad3f828e6ce34d3b3475f..27aa7496cab2c9a942f482a1a3822f516f9762c8 100644 --- a/public/netutils_wrapper.te +++ b/public/netutils_wrapper.te @@ -1,4 +1,4 @@ type netutils_wrapper, domain; -type netutils_wrapper_exec, exec_type, file_type; +type netutils_wrapper_exec, system_file_type, exec_type, file_type; neverallow domain netutils_wrapper_exec:file execute_no_trans; diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te index 894363ab1fa6eba41a371b16287a5472ccb20300..902708b1bf91baf7ae0fc1837f8dbf00927c459d 100644 --- a/public/otapreopt_chroot.te +++ b/public/otapreopt_chroot.te @@ -1,6 +1,6 @@ # otapreopt_chroot executable type otapreopt_chroot, domain; -type otapreopt_chroot_exec, exec_type, file_type; +type otapreopt_chroot_exec, system_file_type, exec_type, file_type; # Chroot preparation and execution. # We need to create an unshared mount namespace, and then mount /data. diff --git a/public/otapreopt_slot.te b/public/otapreopt_slot.te index 6551864c34463246023dd1f0e9bfb3f782329a28..5726e2e01625bf3241c4772224745a26eade98ab 100644 --- a/public/otapreopt_slot.te +++ b/public/otapreopt_slot.te 
@@ -4,7 +4,7 @@ # from /data/ota to /data/dalvik-cache. type otapreopt_slot, domain, mlstrustedsubject; -type otapreopt_slot_exec, exec_type, file_type; +type otapreopt_slot_exec, system_file_type, exec_type, file_type; # The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up diff --git a/public/performanced.te b/public/performanced.te index 248d345d1518e9246db4794bfedbc0153707199c..7dcb5ea1ed58998db02111aedb4d962ac09c0862 100644 --- a/public/performanced.te +++ b/public/performanced.te @@ -1,6 +1,6 @@ # performanced type performanced, domain, mlstrustedsubject; -type performanced_exec, exec_type, file_type; +type performanced_exec, system_file_type, exec_type, file_type; # Needed to check for app permissions. binder_use(performanced) diff --git a/public/perfprofd.te b/public/perfprofd.te index f780a0db7687c499a6395955f83d97954968c686..a0fcf3751d52f3186cbfe845576b03f789b477ec 100644 --- a/public/perfprofd.te +++ b/public/perfprofd.te @@ -1,6 +1,6 @@ # perfprofd - perf profile collection daemon type perfprofd, domain; -type perfprofd_exec, exec_type, file_type; +type perfprofd_exec, system_file_type, exec_type, file_type; userdebug_or_eng(` diff --git a/public/ppp.te b/public/ppp.te index 8d79477c229d49466a1c2575926212d7d2d10611..0fc3bee81931aeb963eeac044b174314229fd78d 100644 --- a/public/ppp.te +++ b/public/ppp.te @@ -1,7 +1,7 @@ # Point to Point Protocol daemon type ppp, domain; type ppp_device, dev_type; -type ppp_exec, exec_type, file_type; +type ppp_exec, system_file_type, exec_type, file_type; net_domain(ppp) diff --git a/public/preopt2cachename.te b/public/preopt2cachename.te index 514100fdcd267117d4ed868c3b0732849ce1a074..de70c9fbf03f6153a930dfabde388d92a3c3dfc7 100644 --- a/public/preopt2cachename.te +++ b/public/preopt2cachename.te 
@@ -3,7 +3,7 @@ # This executable translates names from the preopted versions the build system # creates to the names the runtime expects in the data directory. type preopt2cachename, domain; -type preopt2cachename_exec, exec_type, file_type; +type preopt2cachename_exec, system_file_type, exec_type, file_type; # Allow write to stdout. allow preopt2cachename cppreopts:fd use; diff --git a/public/profman.te b/public/profman.te index 364e9f73f9474ec1ee146980ef59013fb902eb71..8ff62710e41c62d2ac1310945a46c5cfc1f93e90 100644 --- a/public/profman.te +++ b/public/profman.te @@ -1,6 +1,6 @@ # profman type profman, domain; -type profman_exec, exec_type, file_type; +type profman_exec, system_file_type, exec_type, file_type; allow profman user_profile_data_file:file { getattr read write lock map }; diff --git a/public/racoon.te b/public/racoon.te index c759217a061214f629028d3a9f88063e6d8b8ec7..7d1247a81df5308277d58793b135d11d2c1373ba 100644 --- a/public/racoon.te +++ b/public/racoon.te @@ -1,6 +1,6 @@ # IKE key management daemon type racoon, domain; -type racoon_exec, exec_type, file_type; +type racoon_exec, system_file_type, exec_type, file_type; typeattribute racoon mlstrustedsubject; diff --git a/public/recovery_persist.te b/public/recovery_persist.te index d3dc14cb453e30b0adfd2d1236eb7eef8b50d001..d4b4562019a1c8997ba4339b70295cdee15e0b24 100644 --- a/public/recovery_persist.te +++ b/public/recovery_persist.te @@ -1,6 +1,6 @@ # android recovery persistent log manager type recovery_persist, domain; -type recovery_persist_exec, exec_type, file_type; +type recovery_persist_exec, system_file_type, exec_type, file_type; allow recovery_persist pstorefs:dir search; allow recovery_persist pstorefs:file r_file_perms; diff --git a/public/recovery_refresh.te b/public/recovery_refresh.te index 0c76afdc0f485d9faef915911cb46ccd7767fb83..d6870dcb2cca489eb36505d1fdb853e09d8488a7 100644 --- a/public/recovery_refresh.te +++ b/public/recovery_refresh.te 
@@ -1,6 +1,6 @@ # android recovery refresh log manager type recovery_refresh, domain; -type recovery_refresh_exec, exec_type, file_type; +type recovery_refresh_exec, system_file_type, exec_type, file_type; allow recovery_refresh pstorefs:dir search; allow recovery_refresh pstorefs:file r_file_perms; diff --git a/public/runas.te b/public/runas.te index 6c5de7cf8e80eca8f45e53e60fae1c092d3aea77..b1daa31b9546671db118e834811c294e69661cba 100644 --- a/public/runas.te +++ b/public/runas.te @@ -1,5 +1,5 @@ type runas, domain, mlstrustedsubject; -type runas_exec, exec_type, file_type; +type runas_exec, system_file_type, exec_type, file_type; allow runas adbd:fd use; allow runas adbd:process sigchld; diff --git a/public/sdcardd.te b/public/sdcardd.te index 6749d16e51c796d49008fa2529e20c987785ce5f..6d9edfab52bad5da95b0bf7a235e962e746e8774 100644 --- a/public/sdcardd.te +++ b/public/sdcardd.te @@ -1,5 +1,5 @@ type sdcardd, domain; -type sdcardd_exec, exec_type, file_type; +type sdcardd_exec, system_file_type, exec_type, file_type; allow sdcardd cgroup:dir create_dir_perms; allow sdcardd fuse_device:chr_file rw_file_perms; diff --git a/public/servicemanager.te b/public/servicemanager.te index 87e3a221790c4f43ff4e9cb1c7f8b05d6051202d..df209413feeff53c7c2c7274ecd312e7cb85f8a5 100644 --- a/public/servicemanager.te +++ b/public/servicemanager.te @@ -1,6 +1,6 @@ # servicemanager - the Binder context manager type servicemanager, domain, mlstrustedsubject; -type servicemanager_exec, exec_type, file_type; +type servicemanager_exec, system_file_type, exec_type, file_type; # Note that we do not use the binder_* macros here. # servicemanager is unique in that it only provides diff --git a/public/sgdisk.te b/public/sgdisk.te index ca3096cefcb1a0fa317a7a4221dd3830f37e1132..7a7ba82262713f19d78500f6b280d1959629e95b 100644 --- a/public/sgdisk.te +++ b/public/sgdisk.te 
@@ -1,6 +1,6 @@ # sgdisk called from vold type sgdisk, domain; -type sgdisk_exec, exec_type, file_type; +type sgdisk_exec, system_file_type, exec_type, file_type; # Allowed to read/write low-level partition tables allow sgdisk block_device:dir search; diff --git a/public/shell.te b/public/shell.te index 9569d97196349120672d0ef1706f693e45a89045..1b199a3404260892ae29f86fe752f43523f104ba 100644 --- a/public/shell.te +++ b/public/shell.te @@ -1,6 +1,6 @@ # Domain for shell processes spawned by ADB or console service. type shell, domain, mlstrustedsubject; -type shell_exec, exec_type, file_type; +type shell_exec, system_file_type, exec_type, file_type; # Create and use network sockets. net_domain(shell) diff --git a/public/statsd.te b/public/statsd.te index c108805cbdbd9b7a00479d67b27eb460b22990f3..9c8e9d24c7e5e56b684e5d69ea82f9b1996b9ae0 100644 --- a/public/statsd.te +++ b/public/statsd.te @@ -1,6 +1,6 @@ type statsd, domain, mlstrustedsubject; -type statsd_exec, exec_type, file_type; +type statsd_exec, system_file_type, exec_type, file_type; binder_use(statsd) # Allow statsd to scan through /proc/pid for all processes. diff --git a/public/su.te b/public/su.te index f397d73dd2969a4433bcec5df278a390fae6ba81..5952ab8ea45757023315812083676b912029788b 100644 --- a/public/su.te +++ b/public/su.te @@ -3,7 +3,7 @@ type su, domain; # File types must be defined for file_contexts. -type su_exec, exec_type, file_type; +type su_exec, system_file_type, exec_type, file_type; userdebug_or_eng(` # Domain used for su processes, as well as for adbd and adb shell diff --git a/public/thermalserviced.te b/public/thermalserviced.te index 90140b2b9976c4b2243f40194a8734b06adcf017..1353e4300084ded321d67242b52bb42cc8e2e913 100644 --- a/public/thermalserviced.te +++ b/public/thermalserviced.te 
@@ -1,6 +1,6 @@ # thermalserviced -- thermal management services for system and vendor type thermalserviced, domain; -type thermalserviced_exec, exec_type, file_type; +type thermalserviced_exec, system_file_type, exec_type, file_type; binder_use(thermalserviced) binder_service(thermalserviced) diff --git a/public/tombstoned.te b/public/tombstoned.te index 9c75c976a5bd6299605183bc1dfc8323c385af46..ea2abbb75230146c32dae2ccdc0318fab10884a1 100644 --- a/public/tombstoned.te +++ b/public/tombstoned.te @@ -1,6 +1,6 @@ # debugger interface type tombstoned, domain, mlstrustedsubject; -type tombstoned_exec, exec_type, file_type; +type tombstoned_exec, system_file_type, exec_type, file_type; # Write to arbitrary pipes given to us. allow tombstoned domain:fd use; diff --git a/public/toolbox.te b/public/toolbox.te index 59c3a9c73cfe2686245515d7baa91576fe9a3c54..19cc3b6fea5b60644133af08149c5497bf0a5245 100644 --- a/public/toolbox.te +++ b/public/toolbox.te @@ -2,7 +2,7 @@ # At present, the only known usage is for running mkswap via fs_mgr. # Do NOT use this domain for toolbox when run by any other domain. type toolbox, domain; -type toolbox_exec, exec_type, file_type; +type toolbox_exec, system_file_type, exec_type, file_type; # /dev/__null__ created by init prior to policy load, # open fd inherited by fsck. diff --git a/public/tzdatacheck.te b/public/tzdatacheck.te index 6f60c8e2a483b5b6d28752c3e2ac211afe259488..cf9b95de9e3b5a9652e702875f7dfbabedf90cf8 100644 --- a/public/tzdatacheck.te +++ b/public/tzdatacheck.te @@ -1,6 +1,6 @@ # The tzdatacheck command run by init. type tzdatacheck, domain; -type tzdatacheck_exec, exec_type, file_type; +type tzdatacheck_exec, system_file_type, exec_type, file_type; allow tzdatacheck zoneinfo_data_file:dir create_dir_perms; allow tzdatacheck zoneinfo_data_file:file unlink; diff --git a/public/uncrypt.te b/public/uncrypt.te index a0fb372282da1eced2ad2b479fe862f9e554a7eb..28dc3f20985dc8f0cc6617975acbd18d428787c4 100644 --- a/public/uncrypt.te 
+++ b/public/uncrypt.te @@ -1,6 +1,6 @@ # uncrypt type uncrypt, domain, mlstrustedsubject; -type uncrypt_exec, exec_type, file_type; +type uncrypt_exec, system_file_type, exec_type, file_type; allow uncrypt self:global_capability_class_set { dac_override dac_read_search }; diff --git a/public/update_engine.te b/public/update_engine.te index 26b0581d1086ff2dc9dd5e5d59392a76172c1670..d13be7d286f4f686b6a723366f7daf557df727bb 100644 --- a/public/update_engine.te +++ b/public/update_engine.te @@ -1,6 +1,6 @@ # Domain for update_engine daemon. type update_engine, domain, update_engine_common; -type update_engine_exec, exec_type, file_type; +type update_engine_exec, system_file_type, exec_type, file_type; net_domain(update_engine); diff --git a/public/update_verifier.te b/public/update_verifier.te index 5d20eca8225ea9e5e52395deaffb8d0ccfdd3ffe..da2eaf839bc5b07119d6c4458be56e5d9effb5f4 100644 --- a/public/update_verifier.te +++ b/public/update_verifier.te @@ -1,6 +1,6 @@ # update_verifier type update_verifier, domain; -type update_verifier_exec, exec_type, file_type; +type update_verifier_exec, system_file_type, exec_type, file_type; # Allow update_verifier to reach block devices in /dev/block. allow update_verifier block_device:dir search; diff --git a/public/usbd.te b/public/usbd.te index 6dd1334139046ae6896ea279ead9dcf926d57efb..991e7be5fcefbfda3e7bde9d19b827477c99cac2 100644 --- a/public/usbd.te +++ b/public/usbd.te @@ -1,5 +1,5 @@ type usbd, domain; -type usbd_exec, exec_type, file_type; +type usbd_exec, system_file_type, exec_type, file_type; # Start/stop adbd via ctl.start adbd set_prop(usbd, ctl_adbd_prop) diff --git a/public/vdc.te b/public/vdc.te index 424bdea02a19b85989b6bfe0af18b84768e877d0..b59dcf6826b550d04e92a56b3a433b6da585c5a3 100644 --- a/public/vdc.te +++ b/public/vdc.te 
@@ -6,7 +6,7 @@ # collecting bug reports. type vdc, domain; -type vdc_exec, exec_type, file_type; +type vdc_exec, system_file_type, exec_type, file_type; # vdc can be invoked with logwrapper, so let it write to pty allow vdc devpts:chr_file rw_file_perms; diff --git a/public/vendor_init.te b/public/vendor_init.te index e28ce1cd5d5b48b65ffd45f1d520d1632212bb39..dfd4d8fa8b1909ca556b951fc99972e2d6892176 100644 --- a/public/vendor_init.te +++ b/public/vendor_init.te @@ -41,7 +41,7 @@ allow vendor_init { file_type -core_data_file_type -exec_type - -system_file + -system_file_type -mnt_product_file -unlabeled -vendor_file_type @@ -53,7 +53,7 @@ allow vendor_init { -core_data_file_type -exec_type -runtime_event_log_tags_file - -system_file + -system_file_type -unlabeled -vendor_file_type -vold_metadata_file @@ -63,7 +63,7 @@ allow vendor_init { file_type -core_data_file_type -exec_type - -system_file + -system_file_type -unlabeled -vendor_file_type -vold_metadata_file @@ -73,7 +73,7 @@ allow vendor_init { file_type -core_data_file_type -exec_type - -system_file + -system_file_type -unlabeled -vendor_file_type -vold_metadata_file @@ -84,7 +84,7 @@ allow vendor_init { -core_data_file_type -exec_type -mnt_product_file - -system_file + -system_file_type -vendor_file_type -vold_metadata_file }:dir_file_class_set relabelto; @@ -175,6 +175,9 @@ not_compatible_property(` }) ') +# Get file context +allow vendor_init file_contexts_file:file r_file_perms; + set_prop(vendor_init, bluetooth_a2dp_offload_prop) set_prop(vendor_init, debug_prop) set_prop(vendor_init, exported_audio_prop) diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te index c2800e3efecb9c580863aa8d59fcd68745ae5a52..49c87044c42f24f4f681df42256fb43a2e0ac367 100644 --- a/public/virtual_touchpad.te +++ b/public/virtual_touchpad.te 
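Review bot: The comment `# Get file context` on the new `allow vendor_init file_contexts_file:file r_file_perms;` rule in public/vendor_init.te does not say why an explicit grant is needed now. Presumably file_contexts_file gains system_file_type elsewhere in this commit and so drops out of the five `file_type ... -system_file_type` rules above it; that is not visible in these hunks and should be confirmed. If so, I would spell it out, e.g. `# file_contexts_file is a system_file_type and is excluded above; vendor_init only needs to read it.` Replacing `-system_file` with `-system_file_type` makes those rules exclude every type that carries the attribute, so any other access vendor_init loses this way should be a deliberate choice rather than a side effect.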
@@ -1,5 +1,5 @@ type virtual_touchpad, domain; -type virtual_touchpad_exec, exec_type, file_type; +type virtual_touchpad_exec, system_file_type, exec_type, file_type; binder_use(virtual_touchpad) binder_service(virtual_touchpad) diff --git a/public/vold.te b/public/vold.te index 73d3b6d6be09f5422d512813e046119fb819c93c..13c63379b889a467d72ce7305ae91d923cc214d9 100644 --- a/public/vold.te +++ b/public/vold.te @@ -1,6 +1,6 @@ # volume manager type vold, domain; -type vold_exec, exec_type, file_type; +type vold_exec, exec_type, file_type, system_file_type; # Read already opened /cache files. allow vold cache_file:dir r_dir_perms; diff --git a/public/vold_prepare_subdirs.te b/public/vold_prepare_subdirs.te index 6405d2dcba14670f5e1af0a4f84ef83c3cd01352..3087fa861bbe04b61d93424a82adeaa40b25ffa7 100644 --- a/public/vold_prepare_subdirs.te +++ b/public/vold_prepare_subdirs.te @@ -1,6 +1,6 @@ # SELinux directory creation and labelling for vold-managed directories type vold_prepare_subdirs, domain; -type vold_prepare_subdirs_exec, exec_type, file_type; +type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type; typeattribute vold_prepare_subdirs coredomain; diff --git a/public/vr_hwc.te b/public/vr_hwc.te index 8e3cb51339b7def6460b9d6f937a210238695833..c14688703c4ec42723cc186f1b5465f4a0b2e0f7 100644 --- a/public/vr_hwc.te +++ b/public/vr_hwc.te @@ -1,5 +1,5 @@ type vr_hwc, domain; -type vr_hwc_exec, exec_type, file_type; +type vr_hwc_exec, system_file_type, exec_type, file_type; # Get buffer metadata. hal_client_domain(vr_hwc, hal_graphics_allocator) diff --git a/public/watchdogd.te b/public/watchdogd.te index d2718d83355c0e786544c9baa1ec945ab16b7348..72e3685646bfa523ac4b2c4ef801c6142180158b 100644 --- a/public/watchdogd.te +++ b/public/watchdogd.te 
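Review bot: In public/vold.te the attribute is appended (`exec_type, file_type, system_file_type`), while the other public/*.te hunks shown here put it first (`system_file_type, exec_type, file_type`). Attribute order has no effect on the compiled policy, but a single form keeps the `_exec` declarations easy to grep and audit. I would write `type vold_exec, system_file_type, exec_type, file_type;`.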
@@ -1,6 +1,6 @@ # watchdogd seclabel is specified in init.<board>.rc type watchdogd, domain; -type watchdogd_exec, exec_type, file_type; +type watchdogd_exec, system_file_type, exec_type, file_type; allow watchdogd watchdog_device:chr_file rw_file_perms; allow watchdogd kmsg_device:chr_file rw_file_perms; diff --git a/public/wificond.te b/public/wificond.te index c62a8d72cc6b608a209dc82d7160cd06c8235a81..656abad06e1a87aa37f276d65aee92de587e9790 100644 --- a/public/wificond.te +++ b/public/wificond.te @@ -1,6 +1,6 @@ # wificond type wificond, domain; -type wificond_exec, exec_type, file_type; +type wificond_exec, system_file_type, exec_type, file_type; binder_use(wificond) binder_call(wificond, system_server) diff --git a/public/wpantund.te b/public/wpantund.te index b3172365101a72c60e8206932db3e1144fd077ff..8ddd6935d6300dbfa909b6b6a8b43d4c1a55a89d 100644 --- a/public/wpantund.te +++ b/public/wpantund.te @@ -1,5 +1,5 @@ type wpantund, domain; -type wpantund_exec, exec_type, file_type; +type wpantund_exec, system_file_type, exec_type, file_type; hal_client_domain(wpantund, hal_lowpan) net_domain(wpantund) diff --git a/public/zygote.te b/public/zygote.te index 83c42efb0ea9b0d1b7c4f5302433bfc639dde204..85c358004de6dfa9aa2f28515c1357dcddd26bb3 100644 --- a/public/zygote.te +++ b/public/zygote.te @@ -1,3 +1,3 @@ # zygote type zygote, domain; -type zygote_exec, exec_type, file_type; +type zygote_exec, system_file_type, exec_type, file_type; diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py index 6f6914759880ad82c3f68c51340aec83478b677c..70b036fab7ddba4d05265b5e475815157e301813 100644 --- a/tests/sepolicy_tests.py +++ b/tests/sepolicy_tests.py 
@@ -11,6 +11,9 @@ import sys def TestDataTypeViolations(pol): return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type") +# def TestSystemTypeViolations(pol): +# return pol.AssertPathTypesHaveAttr(["/system/"], [], "system_file_type") + def TestProcTypeViolations(pol): return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type") @@ -55,6 +58,7 @@ Tests = [ "TestDataTypeViolators", "TestProcTypeViolations", "TestSysfsTypeViolations", + # "TestSystemTypeViolators", "TestDebugfsTypeViolations", "TestVendorTypeViolations", "TestCoreDataTypeViolations", @@ -103,6 +107,8 @@ if __name__ == '__main__': results += TestProcTypeViolations(pol) if options.test is None or "TestSysfsTypeViolations" in options.test: results += TestSysfsTypeViolations(pol) + # if options.test is None or "TestSystemTypeViolations" in options.test: + # results += TestSystemTypeViolations(pol) if options.test is None or "TestDebugfsTypeViolations" in options.test: results += TestDebugfsTypeViolations(pol) if options.test is None or "TestVendorTypeViolations" in options.test:
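Review bot: `TestSystemTypeViolations` is added commented out in all three hunks of tests/sepolicy_tests.py, so nothing fails when a type labelled under /system lacks `system_file_type`, and the `-system_file_type` exclusions in vendor_init.te then cover only the types that were tagged by hand. The disabled `Tests` entry is spelled `"TestSystemTypeViolators"` while the function and the `options.test` check use `TestSystemTypeViolations`; it mirrors the existing `"TestDataTypeViolators"` entry, and if `Tests` feeds the option's accepted values (not visible here) the test could not be selected by its function name once enabled. I would make the entry `# "TestSystemTypeViolations",` and put one line above the disabled function saying what blocks it, e.g. `# TODO(<bug-id>): enable once every type under /system carries system_file_type`. The `Tests` list and the `__main__` block both start and end outside these hunks.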