diff --git a/private/file_contexts b/private/file_contexts
index c17a39da5d69ad331e912be476f04c35ecf15f12..678a705c82e91f4c3bfdbfb93c992f4b583140cc 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -78,6 +78,7 @@
 /dev/cam		u:object_r:camera_device:s0
 /dev/console		u:object_r:console_device:s0
 /dev/cpuctl(/.*)?	u:object_r:cpuctl_device:s0
+/dev/memcg(/.*)?        u:object_r:memcg_device:s0
 /dev/device-mapper	u:object_r:dm_device:s0
 /dev/eac		u:object_r:audio_device:s0
 /dev/event-log-tags     u:object_r:runtime_event_log_tags_file:s0
diff --git a/public/device.te b/public/device.te
index 4a3bec91f0bd14a6fd2bce9b5c2d05ca06d23833..15799b89a67905f96cf11e1f6ec21f4ab6035828 100644
--- a/public/device.te
+++ b/public/device.te
@@ -21,6 +21,7 @@ type rtc_device, dev_type;
 type vold_device, dev_type;
 type console_device, dev_type;
 type cpuctl_device, dev_type;
+type memcg_device, dev_type;
 type fscklogs, dev_type;
 type full_device, dev_type;
 # GPU (used by most UI apps)
diff --git a/public/domain.te b/public/domain.te
index ea63d1c65f0ce7895650c2fc537680ec9a5ac492..6b59d6a52681e9898987a6fa459f6d7257957d28 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -226,6 +226,10 @@ with_asan(`allow domain system_data_file:dir getattr;')
 ### neverallow rules
 ###
 
+# Don't allow others to access memcg.
+neverallow { domain -init -lmkd -shell -ueventd } memcg_device:dir *;
+neverallow { domain -init -lmkd -ueventd } memcg_device:file *;
+
 # All socket ioctls must be restricted to a whitelist.
 neverallowxperm domain domain:socket_class_set ioctl { 0 };
 
diff --git a/public/init.te b/public/init.te
index b21c4d09e1354b2cb88c1844b52ab743c0d03f1f..cf9488f87fec769cd37f0fb926b76bd653141cbe 100644
--- a/public/init.te
+++ b/public/init.te
@@ -77,6 +77,7 @@ allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
 r_dir_file(init, cgroup)
 allow init cpuctl_device:dir { create mounton };
+allow init memcg_device:dir { create mounton };
 
 # /config
 allow init configfs:dir mounton;
diff --git a/public/lmkd.te b/public/lmkd.te
index f4e6c2d57091273592e66cabbcfa5f51bac20b32..c2dcadd5ff83cbecccad5030959ee9b67de8e31d 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -21,6 +21,9 @@ allow lmkd system_server:file write;
 r_dir_file(lmkd, sysfs_type)
 allow lmkd sysfs_lowmemorykiller:file w_file_perms;
 
+allow lmkd memcg_device:dir search;
+allow lmkd memcg_device:file rw_file_perms;
+
 # Send kill signals
 allow lmkd appdomain:process sigkill;
 
@@ -32,6 +35,8 @@ allow lmkd self:capability sys_nice;
 
 allow lmkd proc_zoneinfo:file r_file_perms;
 
+r_dir_file(lmkd, cgroup)
+
 ### neverallow rules
 
 # never honor LD_PRELOAD