diff --git a/app.te b/app.te
index c4b33314ac19427641cc228f13407ff9ab0c1c7c..a0672c78f9bc7672d7a24396a26f63cfcaa0d622 100644
--- a/app.te
+++ b/app.te
@@ -187,6 +187,11 @@ selinux_check_context(appdomain)
 # Validate that each process is running in the correct security context.
 allow appdomain domain:process getattr;
 
+# logd access
+read_logd(appdomain)
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
 ###
 ### Neverallow rules
 ###
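Review bot: `read_logd(appdomain)` lets every app domain, including the least-trusted ones, connect to the logdr socket, so policy does not limit which apps can reach the log reader and any per-caller filtering has to happen inside logd. If that is the intent, say so next to the rule, e.g. `# logd access: policy only gates the connect; logd must filter what each caller may read`. The `allow appdomain zygote:unix_dgram_socket write;` rule (repeated in system_server.te) is not specific to the log socket, since it permits write on any unix datagram socket labelled `zygote` that the process inherits. The comment should state that, and point to wherever the planned deprecation is tracked.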
diff --git a/debuggerd.te b/debuggerd.te
index 0443aef189f4f1aff171f829b53584e7333090fe..738dac2b5ed4816af7522d10f60e51a4dee39b09 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -23,3 +23,6 @@ allow debuggerd system_data_file:file open;
 
 # Connect to system_server via /data/system/ndebugsocket.
 unix_socket_connect(debuggerd, system_ndebug, system_server)
+
+# logd access
+read_logd(debuggerd)
diff --git a/domain.te b/domain.te
index 6f0ee1331e45ecd5373737175b2870930edd242f..8c66e1bce923b242d25ecb95763f2aba2ea585e3 100644
--- a/domain.te
+++ b/domain.te
@@ -72,6 +72,9 @@ allow domain urandom_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
 allow domain properties_device:file r_file_perms;
 
+# logd access
+write_logd(domain)
+
 # Filesystem accesses.
 allow domain fs_type:filesystem getattr;
 allow domain fs_type:dir getattr;
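Review bot: `write_logd(domain)` applies the macro to every domain, and as defined in te_macros its `userdebug_or_eng` branch gives each of them `rw_dir_perms` on `device:dir` plus an unnamed `type_transition` that labels any file the domain creates in a `device`-labelled directory as `logd_debug`. That is much wider than sending to logdw, and it makes userdebug/eng policy differ from user builds for all domains, so denials seen only on user builds become harder to catch in testing. Consider reducing `write_logd` to `unix_socket_send($1, logdw, logd)` and keeping the debug-file rules in logd.te only. If writers really need the debug file, the transition could be narrowed with a name-based rule such as `type_transition $1 device:file logd_debug "logd_debug";`, provided the policy toolchain in use supports it.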
diff --git a/dumpstate.te b/dumpstate.te
index 5977422814dd0baf7746b16abc7b9351538f21c1..8ecb6cc247ac3b2a73dd83fc62aa7ef7a5979b16 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -86,3 +86,7 @@ allow dumpstate dumpstate_tmpfs:file execute;
 allow dumpstate self:process execmem;
 # For art.
 allow dumpstate dalvikcache_data_file:file execute;
+
+# logd access
+read_logd(dumpstate)
+control_logd(dumpstate)
diff --git a/file.te b/file.te
index d6a4d56910e9d47f138dc9b7eb2918d1821fa83d..ef6c55c2262f301e3a4145efe6ce7bba020d186e 100644
--- a/file.te
+++ b/file.te
@@ -107,6 +107,10 @@ type gps_socket, file_type;
 type installd_socket, file_type;
 type keystore_socket, file_type;
 type lmkd_socket, file_type;
+type logd_debug, file_type;
+type logd_socket, file_type;
+type logdr_socket, file_type;
+type logdw_socket, file_type;
 type mdns_socket, file_type;
 type netd_socket, file_type;
 type property_socket, file_type;
diff --git a/file_contexts b/file_contexts
index f593f6db0cbd2e63e3632317f9cccc93ae4ae410..06b23a62923ec1907e5af75a1a8149d6bfd97af8 100644
--- a/file_contexts
+++ b/file_contexts
@@ -81,6 +81,10 @@
 /dev/socket/installd	u:object_r:installd_socket:s0
 /dev/socket/keystore	u:object_r:keystore_socket:s0
 /dev/socket/lmkd        u:object_r:lmkd_socket:s0
+/dev/logd_debug		u:object_r:logd_debug:s0
+/dev/socket/logd	u:object_r:logd_socket:s0
+/dev/socket/logdr	u:object_r:logdr_socket:s0
+/dev/socket/logdw	u:object_r:logdw_socket:s0
 /dev/socket/mdns	u:object_r:mdns_socket:s0
 /dev/socket/netd	u:object_r:netd_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
@@ -144,6 +148,7 @@
 /system/bin/clatd	u:object_r:clatd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
+/system/bin/logd        u:object_r:logd_exec:s0
 #############################
 # Vendor files
 #
diff --git a/logd.te b/logd.te
new file mode 100644
index 0000000000000000000000000000000000000000..a1e3a53ec185fa06d9fbbc2eb882311512a3e143
--- /dev/null
+++ b/logd.te
@@ -0,0 +1,34 @@
+# android user-space log manager
+type logd, domain;
+type logd_exec, exec_type, file_type;
+
+init_daemon_domain(logd)
+allow logd self:unix_stream_socket *;
+
+allow logd self:capability { setuid setgid sys_nice };
+
+r_dir_file(logd, domain)
+
+userdebug_or_eng(`
+  # Debug output
+  type_transition logd device:file logd_debug;
+  allow logd device:dir rw_dir_perms;
+  allow logd logd_debug:file create_file_perms;
+')
+
+###
+### Neverallow rules
+###
+### logd should NEVER do any of this
+
+# Block device access.
+neverallow logd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logd domain:process ptrace;
+
+# Write to /system.
+neverallow logd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
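Review bot: `allow logd self:unix_stream_socket *;` grants every permission of the class where a named set would document what logd actually needs. `allow logd self:unix_stream_socket create_stream_socket_perms;` is the usual form if logd only creates, binds, listens and accepts on its own sockets. `r_dir_file(logd, domain)` gives logd read access to directories and files labelled with any domain type (presumably the /proc/PID entries of log clients) and carries no comment. Add one stating the reason once it is confirmed, e.g. `# read /proc/<pid> of clients to identify the sender`.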
diff --git a/system_server.te b/system_server.te
index 19719124fe8c5b77fe18eb92339ce63b4e97911a..ef040d5d5ce52f169112c75074773ff915a9a2e0 100644
--- a/system_server.te
+++ b/system_server.te
@@ -245,3 +245,7 @@ selinux_manage_policy(system_server)
 # See discussion of Unlabeled files in domain.te for more information.
 # This rule is for dalvikcache mmap/mprotect PROT_EXEC.
 allow system_server unlabeled:file execute;
+
+# logd access, system_server inherit logd write socket
+# (urge is to deprecate this long term)
+allow system_server zygote:unix_dgram_socket write;
diff --git a/te_macros b/te_macros
index 03c78f31a3a9b2b4cbed854cb8e70d7dac9d2c0c..404222ad7609b2e72639b6bfc45c47519b13dd80 100644
--- a/te_macros
+++ b/te_macros
@@ -273,15 +273,6 @@ allow $1 security_file:lnk_file { create rename unlink };
 allow $1 security_prop:property_service set;
 ')
 
-#####################################
-# access_logcat(domain)
-# Ability to read from logcat logs
-# and execute the logcat command
-define(`access_logcat', `
-allow $1 log_device:chr_file read;
-allow $1 system_file:file x_file_perms;
-')
-
 #####################################
 # access_kmsg(domain)
 # Ability to read from kernel logs
@@ -338,3 +329,35 @@ define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target
 # has ceased.
 #
 define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+define(`write_logd', `
+userdebug_or_eng(`
+  # Debug output
+  type_transition $1 device:file logd_debug;
+  allow $1 device:dir rw_dir_perms;
+  allow $1 logd_debug:file create_file_perms;
+')
+unix_socket_send($1, logdw, logd)
+')
+
+#####################################
+# read_logd(domain)
+# Ability to read from android
+# log daemon via sockets
+define(`read_logd', `
+unix_socket_connect($1, logdr, logd)
+')
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+define(`control_logd', `
+# Group AID_LOG checked by filesystem & logd
+# to permit control commands
+unix_socket_connect($1, logd, logd)
+')