diff --git a/app.te b/app.te
index 1afa4b5c0a6d566a2ac8212c88dba980bc9e8d12..2ac243a61f1d802699e0593678933deb04815ae0 100644
--- a/app.te
+++ b/app.te
@@ -10,6 +10,9 @@
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;
 
+# allow access to the interpreter
+allow appdomain libart_file:file { execute read open getattr };
+
 allow appdomain ashmem_device:chr_file execute;
 
 # Receive and use open file descriptors inherited from zygote.
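Review bot: The new `allow appdomain libart_file:file { execute read open getattr };` is currently redundant, because domain.te in this same commit grants the identical permissions to every `domain`, and the comment does not say why it is listed again. As written, a later cleanup could drop it as dead policy and break apps once the domain-wide rule is removed. I would reword the comment to something like `# Explicit grant so appdomain keeps libart access once the domain-wide allow is removed (b/29795519).` The same applies to the matching additions in dex2oat.te and zygote.te; the zygote one has no comment of its own.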
diff --git a/dex2oat.te b/dex2oat.te
index 8c80a32a87a2872cf99021038e5eaca602aef1be..47aa2fba65091cca12ff1001f5cff7a03a325f8e 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -6,6 +6,9 @@ r_dir_file(dex2oat, apk_data_file)
 
 allow dex2oat tmpfs:file { read getattr };
 
+# allow access to the interpreter
+allow dex2oat libart_file:file { execute read open getattr };
+
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
diff --git a/domain.te b/domain.te
index 98d08986dbca93d6905747a392f2cdc5e9727629..fcd33afeaa3ad8911b8aee69f8961a68830efe0d 100644
--- a/domain.te
+++ b/domain.te
@@ -101,6 +101,17 @@ allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file read;
 
+# Initially grant all domains access to libart.
+# TODO move to a whitelist. b/29795519
+allow domain libart_file:file { execute read open getattr };
+auditallow {
+  domain
+  -appdomain
+  -dex2oat
+  -recovery
+  -zygote
+} libart_file:file { execute read open getattr };
+
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;
 
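Review bot: The `auditallow` source set excludes `recovery`, but the only recovery rule this commit touches grants `create_file_perms relabelfrom relabelto` on `libart_file`, not an explicit execute grant like the ones added for appdomain, dex2oat and zygote. Any recovery execute of libart will therefore go unlogged while still depending on the blanket `allow domain libart_file:file`, so the audit data collected for the whitelist will not show it. Either keep `recovery` in the audited set for `execute` (a second `auditallow` limited to `execute`), or state in the comment that recovery is excluded only to suppress noise from its file management. It would also help to add a line such as `# auditallow logs every domain still relying on the blanket rule; use it to build the whitelist.`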
@@ -294,7 +305,7 @@ neverallow {
     userdebug_or_eng(`-su')
     -system_server
     -zygote
-} { file_type -system_file -exec_type -postinstall_file }:file execute;
+} { file_type -libart_file -system_file -exec_type -postinstall_file }:file execute;
 neverallow {
     domain
     -appdomain # for oemfs
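Review bot: Adding `-libart_file` to the target set on the changed line takes libart out of this execute neverallow for every source domain, so after this commit no neverallow constrains who may execute `libart_file`. That matches the temporary blanket allow, but nothing here records that the exemption is meant to be narrowed, and the TODO in the earlier hunk only mentions the allow rule. I would add a comment next to the rule, for example `# libart_file is exempt for now; add a dedicated neverallow on libart_file:file execute when b/29795519 lands.` The neverallow statement starts above this hunk and the following one continues below it, so the full source sets are not visible here.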
diff --git a/file.te b/file.te
index f80e46f9d2f6ec47b793d46f1e99044681f6d084..7c6c5a84f137906e5091afbd59aeb6f76535965f 100644
--- a/file.te
+++ b/file.te
@@ -68,6 +68,8 @@ type app_fusefs, fs_type, contextmount_type;
 type unlabeled, file_type;
 # Default type for anything under /system.
 type system_file, file_type;
+# Type for /system/*/libart*
+type libart_file, file_type;
 # Type for /system/bin/logcat.
 type logcat_exec, exec_type, file_type;
 # /cores for coredumps on userdebug / eng builds
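Review bot: Declaring `libart_file` with only the `file_type` attribute means every rule written against `system_file` by name stops applying to libart. This commit updates the execute neverallow in domain.te and recovery's relabel rule, but any other allow or neverallow that names `system_file` (not visible in this diff), in particular rules that forbid writing or relabeling files under /system, would need the same audit so that libart does not end up less protected than the rest of /system. The comment `# Type for /system/*/libart*` also reads as a glob while file_contexts uses regexes. Quoting the actual patterns, e.g. `# Type for /system/(fake-)?lib(64)?/libart.*`, would avoid the mismatch.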
diff --git a/file_contexts b/file_contexts
index eeda6c73e52d6ceb7c6bb5e10edb6ffa08cc1523..33b628a47548e95de37b491f5fef2f05a223b8c6 100644
--- a/file_contexts
+++ b/file_contexts
@@ -216,7 +216,8 @@
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0
 /system/bin/hw/wifi_hal_legacy   u:object_r:wifi_hal_legacy_exec:s0
-
+/system/fake-lib(64)?/libart.*   u:object_r:libart_file:s0
+/system/lib(64)?/libart.*        u:object_r:libart_file:s0
 
 #############################
 # Vendor files
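Review bot: The pattern `/system/lib(64)?/libart.*` is wider than the ART libraries it is meant to label: the trailing `.*` matches any suffix, including `/`, so an unrelated library whose name merely starts with `libart`, or anything beneath a directory so named, would receive the type that every domain may execute. A tighter form such as `/system/lib(64)?/libart[^/]*\.so` (and the same for the `fake-lib` line) would probably cover the intended files, but should be checked against the list of ART libraries actually shipped. The two entries are also appended to the `/system/bin` block, replacing the blank line that closed it, so a short comment line naming them as the libart labels would make them easier to find.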
diff --git a/recovery.te b/recovery.te
index 209a276ea9db855a21c1f92a3b6152bde5f9deee..eeb8bf9c9e5f583f750c59cc5df0812312d88053 100644
--- a/recovery.te
+++ b/recovery.te
@@ -28,7 +28,7 @@ recovery_only(`
 
   # Create and relabel files and directories under /system.
   allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery { system_file libart_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
 
   # We may be asked to set an SELinux label for a type not known to the
diff --git a/zygote.te b/zygote.te
index 9ce5a4e9d45deed85c2f33da975db0ba340d6bcb..9f210ed3a347df0f1b307ac3afe1e1ed2d5abd54 100644
--- a/zygote.te
+++ b/zygote.te
@@ -31,6 +31,7 @@ allow zygote resourcecache_data_file:dir rw_dir_perms;
 allow zygote resourcecache_data_file:file create_file_perms;
 # For art.
 allow zygote dalvikcache_data_file:file execute;
+allow zygote libart_file:file { execute read open getattr };
 # Execute idmap and dex2oat within zygote's own domain.
 # TODO:  Should either of these be transitioned to the same domain
 # used by installd or stay in-domain for zygote?