diff --git a/Android.mk b/Android.mk
index 6a4b8a427b46a6f323e1eb2b8e1cf04bbca0b91a..7bfe1a7ddf09001c224d228206dbeeae46ce26bb 100644
--- a/Android.mk
+++ b/Android.mk
@@ -26,13 +26,49 @@ ifdef BOARD_SEPOLICY_M4DEFS
 LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS))
 endif
 
-# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS and the LOCAL_PATH.
-# $(1): the set of policy name paths to build
-build_policy = $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(LOCAL_PATH) $(BOARD_SEPOLICY_DIRS)), $(sort $(wildcard $(file)))))
+# sepolicy is now divided into multiple portions:
+# public - policy exported on which non-platform policy developers may write
+#   additional policy.  types and attributes are versioned and included in
+#   delivered non-platform policy, which is to be combined with platform policy.
+# private - platform-only policy required for platform functionality but which
+#  is not exported to vendor policy developers and as such may not be assumed
+#  to exist.
+# mapping - TODO.  This contains policy statements which map the attributes
+#  exposed in the public policy of previous versions to the concrete types used
+#  in this policy to ensure that policy targeting attributes from public
+#  policy from an older platform version continues to work.
+
+# TODO - build process for device:
+# 1) convert policies to CIL:
+#    - private + public platform policy to CIL
+#    - mapping file to CIL (should already be in CIL form)
+#    - non-platform public policy to CIL
+#    - non-platform public + private policy to CIL
+# 2) attributize policy
+#    - TODO: do this for platform policy?
+#    - run script which takes non-platform public and non-platform combined
+#      private + public policy and produces attributized and versioned
+#      non-platform policy
+# 3) combine policy files
+#    - combine mapping, platform and non-platform policy.
+#    - compile output binary policy file
+
+PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
+PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
+
+###########################################################
+# Compute policy files to be used in policy build.
+# $(1): files to include
+# $(2): directories in which to find files
+###########################################################
+
+define build_policy
+$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
+endef
 
 # Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
 # $(1): the set of policy name paths to build
-build_device_policy = $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(BOARD_SEPOLICY_DIRS)), $(sort $(wildcard $(file)))))
+build_device_policy = $(call build_policy, $(1), $(BOARD_SEPOLICY_DIRS))
 
 # Add a file containing only a newline in-between each policy configuration
 # 'contexts' file. This will allow OEM policy configuration files without a
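Review bot: `build_policy` at L48-50 now expands to nothing at all when `$(2)` is empty, and `$(wildcard)` also drops any name that exists in none of the given directories, so a caller that still uses the pre-change one-argument form, or passes an empty `$(BOARD_SEPOLICY_DIRS)` the way `build_device_policy` at L55 does on a board with no extra policy, gets a silently shorter policy rather than an error. Whether any one-argument caller remains elsewhere in the tree is not visible from this hunk. At minimum the header at L43-46 should state the contract, e.g. `# Names matching in none of $(2), and an empty $(2), yield nothing; no error is raised.`, and rules that require a specific file (keys.conf, the contexts files) would benefit from an explicit existence check on their prerequisite list.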
@@ -92,11 +128,28 @@ endif
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
+platform_policy.conf := $(intermediates)/plat_policy.conf
+$(platform_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(platform_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(platform_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(platform_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+	@mkdir -p $(dir $@)
+	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
+		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-s $^ > $@
+	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+# TODO: add steps for non-platform public and combined files with checkpolicy
+# support. b/31932523
+
 sepolicy_policy.conf := $(intermediates)/policy.conf
 $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files))
+$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
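Review bot: The recipe for `$(platform_policy.conf)` writes a second output, `$@.dontaudit` at L74, that is the target of no rule, so nothing can declare a dependency on it, it is never rebuilt on its own, and a stale copy survives if the sed step is later changed or removed. Give the sidecar its own rule, `$(platform_policy.conf).dontaudit: $(platform_policy.conf)` with recipe `$(hide) sed '/dontaudit/d' $< > $@`, and drop L74. The `$(sepolicy_policy.conf)` rule at the end of this hunk continues outside it; if its recipe carries the same sed line the same point applies there.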
@@ -135,7 +188,8 @@ sepolicy_policy_recovery.conf := $(intermediates)/policy_recovery.conf
 $(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy_policy_recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files))
+$(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
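Review bot: The directory list `$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS)` at L94-95 is spelled out again verbatim at L84-85, and the platform-only pair at L67-68 and L109-110; a later change to the search order in one rule is easy to miss in the others, and the order matters because the `-s $^` invocation at L73 feeds prerequisites to m4 in list order. Defining the lists once next to L39-40, `plat_policy_dirs := $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)` and `all_policy_dirs := $(plat_policy_dirs) $(BOARD_SEPOLICY_DIRS)`, and passing those to `build_policy` keeps the four rules in step. The same hunk-spanning point also covers L109-110, where the removal of `exp_sepolicy_build_files` at L103-104 is only safe if no other part of the file still references that name, which is not visible here.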
@@ -168,12 +222,10 @@ LOCAL_MODULE_TAGS := tests
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-exp_sepolicy_build_files :=\
-  $(foreach file, $(addprefix $(LOCAL_PATH)/, $(sepolicy_build_files)), $(sort $(wildcard $(file))))
-
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
+$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 	mkdir -p $(dir $@)
 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 		-D target_build_variant=user \
@@ -223,9 +275,9 @@ include $(BUILD_SYSTEM)/base_rules.mk
 #  Note: That a newline file is placed between each file_context file found to
 #        ensure a proper build when an fc file is missing an ending newline.
 
-local_fc_files := $(LOCAL_PATH)/file_contexts
+local_fc_files := $(PLAT_PRIVATE_POLICY)/file_contexts
 ifneq ($(filter address,$(SANITIZE_TARGET)),)
-  local_fc_files := $(local_fc_files) $(LOCAL_PATH)/file_contexts_asan
+  local_fc_files := $(local_fc_files) $(PLAT_PRIVATE_POLICY)/file_contexts_asan
 endif
 local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl))
 
@@ -281,7 +333,7 @@ LOCAL_MODULE_TAGS := tests
 include $(BUILD_SYSTEM)/base_rules.mk
 
 general_file_contexts.tmp := $(intermediates)/general_file_contexts.tmp
-$(general_file_contexts.tmp): $(addprefix $(LOCAL_PATH)/, file_contexts)
+$(general_file_contexts.tmp): $(addprefix $(PLAT_PRIVATE_POLICY)/, file_contexts)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $< > $@
 
@@ -302,7 +354,7 @@ LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_sc_files := $(call build_policy, seapp_contexts)
+all_sc_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(all_sc_files)
@@ -321,7 +373,7 @@ LOCAL_MODULE_TAGS := tests
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_sc_files := $(addprefix $(LOCAL_PATH)/, seapp_contexts)
+all_sc_files := $(addprefix $(PLAT_PRIVATE_POLICY)/, seapp_contexts)
 
 $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy)
 $(LOCAL_BUILT_MODULE): PRIVATE_SC_FILE := $(all_sc_files)
@@ -339,7 +391,7 @@ LOCAL_MODULE_TAGS := tests
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-$(LOCAL_BUILT_MODULE): $(addprefix $(LOCAL_PATH)/, seapp_contexts)
+$(LOCAL_BUILT_MODULE): $(addprefix $(PLAT_PRIVATE_POLICY)/, seapp_contexts)
 	@mkdir -p $(dir $@)
 	- $(hide) grep -ie '^neverallow' $< > $@
 
@@ -354,7 +406,7 @@ LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_pc_files := $(call build_policy, property_contexts)
+all_pc_files := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 all_pcfiles_with_nl := $(call add_nl, $(all_pc_files), $(built_nl))
 
 property_contexts.tmp := $(intermediates)/property_contexts.tmp
@@ -386,7 +438,7 @@ LOCAL_MODULE_TAGS := tests
 include $(BUILD_SYSTEM)/base_rules.mk
 
 general_property_contexts.tmp := $(intermediates)/general_property_contexts.tmp
-$(general_property_contexts.tmp): $(addprefix $(LOCAL_PATH)/, property_contexts)
+$(general_property_contexts.tmp): $(addprefix $(PLAT_PRIVATE_POLICY)/, property_contexts)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $< > $@
 
@@ -408,7 +460,7 @@ LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-all_svc_files := $(call build_policy, service_contexts)
+all_svc_files := $(call build_policy, service_contexts, $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 all_svcfiles_with_nl := $(call add_nl, $(all_svc_files), $(built_nl))
 
 service_contexts.tmp := $(intermediates)/service_contexts.tmp
@@ -439,7 +491,7 @@ LOCAL_MODULE_TAGS := tests
 include $(BUILD_SYSTEM)/base_rules.mk
 
 general_service_contexts.tmp := $(intermediates)/general_service_contexts.tmp
-$(general_service_contexts.tmp): $(addprefix $(LOCAL_PATH)/, service_contexts)
+$(general_service_contexts.tmp): $(addprefix $(PLAT_PRIVATE_POLICY)/, service_contexts)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $< > $@
 
@@ -464,11 +516,11 @@ include $(BUILD_SYSTEM)/base_rules.mk
 # Build keys.conf
 mac_perms_keys.tmp := $(intermediates)/keys.tmp
 $(mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(mac_perms_keys.tmp): $(call build_policy, keys.conf)
+$(mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 	@mkdir -p $(dir $@)
 	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
 
-all_mac_perms_files := $(call build_policy, $(LOCAL_MODULE))
+all_mac_perms_files := $(call build_policy, $(LOCAL_MODULE), $(PLAT_PRIVATE_POLICY) $(BOARD_SEPOLICY_DIRS))
 
 # Should be synced with keys.conf.
 all_keys := platform media shared testkey
diff --git a/access_vectors b/private/access_vectors
similarity index 100%
rename from access_vectors
rename to private/access_vectors
diff --git a/private/adbd.te b/private/adbd.te
new file mode 100644
index 0000000000000000000000000000000000000000..cabaf66d536230fcb37132fe566b04516d73e40a
--- /dev/null
+++ b/private/adbd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+domain_auto_trans(adbd, shell_exec, shell)
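Review bot: The header at L222-223 is missing the punctuation between its two clauses and reads as one run-on sentence, and the identical two lines are copied unchanged into every other new private/*.te file in this commit (L243-244, L252-253, L263-264 and onward), so the wording will be the first thing a reader sees in dozens of files. Suggest `# type_transition rules must live in private policy; the domain_trans rules could stay` / `# public, but conceptually belong with them.` here, and the same wording in the other files. Where a file also has a rule-specific comment, as at L265, L302-303 and L344, keeping the generic header separated from it by a blank line makes the per-file note easier to spot.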
diff --git a/private/android_hardware_nfc_1_0_service.te b/private/android_hardware_nfc_1_0_service.te
new file mode 100644
index 0000000000000000000000000000000000000000..43368f8ad9d80bf31114da3a45802b07593ae6b6
--- /dev/null
+++ b/private/android_hardware_nfc_1_0_service.te
@@ -0,0 +1,2 @@
+# may be started by init
+init_daemon_domain(android_hardware_nfc_1_0_service)
diff --git a/atrace.te b/private/atrace.te
similarity index 100%
rename from atrace.te
rename to private/atrace.te
diff --git a/private/audioserver.te b/private/audioserver.te
new file mode 100644
index 0000000000000000000000000000000000000000..64178583a63477ab3a71ee2307b3df8dd5fae701
--- /dev/null
+++ b/private/audioserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(audioserver)
diff --git a/private/autoplay_app.te b/private/autoplay_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..2e0ec0e4d791dd0022c70c9501c528594db06fc5
--- /dev/null
+++ b/private/autoplay_app.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Define and allow access to our own type for ashmem regions.
+# Label ashmem objects with our own unique type.
+tmpfs_domain(autoplay_app)
diff --git a/private/bluetooth.te b/private/bluetooth.te
new file mode 100644
index 0000000000000000000000000000000000000000..0abaee66b3d35dc0d00aae54f401cd26078fb714
--- /dev/null
+++ b/private/bluetooth.te
@@ -0,0 +1,4 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Socket creation under /data/misc/bluedroid.
+type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
diff --git a/private/bootanim.te b/private/bootanim.te
new file mode 100644
index 0000000000000000000000000000000000000000..94fbc1f4f67100c71b8ca2c5feb418d30b78c434
--- /dev/null
+++ b/private/bootanim.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(bootanim)
diff --git a/private/bootstat.te b/private/bootstat.te
new file mode 100644
index 0000000000000000000000000000000000000000..caa82fd62c17a7ca9346bec6871c15f3d1335f52
--- /dev/null
+++ b/private/bootstat.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(bootstat)
diff --git a/private/cameraserver.te b/private/cameraserver.te
new file mode 100644
index 0000000000000000000000000000000000000000..b34d74608c49c3141e33f087e464308a122b9197
--- /dev/null
+++ b/private/cameraserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(cameraserver)
diff --git a/private/cppreopts.te b/private/cppreopts.te
new file mode 100644
index 0000000000000000000000000000000000000000..02c13b3a08b60fa0d8293162b162b0026e45ab23
--- /dev/null
+++ b/private/cppreopts.te
@@ -0,0 +1,6 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(cppreopts)
+domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
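Review bot: The trailing `;` on `domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);` at L305 is the only macro invocation in this commit written with one; the call just above it at L304 and every other new file omit it. If it is carried over from the original file and the policy compiler accepts the extra token after the macro expansion, dropping it keeps the style uniform; if that is not certain, it is worth confirming the expansion still parses before this is relied on.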
diff --git a/private/debuggerd.te b/private/debuggerd.te
new file mode 100644
index 0000000000000000000000000000000000000000..bd835af55c0e42a7e998035a90b952ce7c8923d8
--- /dev/null
+++ b/private/debuggerd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(debuggerd)
diff --git a/private/dhcp.te b/private/dhcp.te
new file mode 100644
index 0000000000000000000000000000000000000000..67451896eb89c1510cfb6f503f1195d6ed62519a
--- /dev/null
+++ b/private/dhcp.te
@@ -0,0 +1,4 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(dhcp)
+type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/private/drmserver.te b/private/drmserver.te
new file mode 100644
index 0000000000000000000000000000000000000000..340c454f859c16272ae2fb494f77505fcc8ffae1
--- /dev/null
+++ b/private/drmserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(drmserver)
diff --git a/private/dumpstate.te b/private/dumpstate.te
new file mode 100644
index 0000000000000000000000000000000000000000..ad646f4bede38f5b64107965981a06ee7b94fa85
--- /dev/null
+++ b/private/dumpstate.te
@@ -0,0 +1,6 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(dumpstate)
+
+# Execute and transition to the vdc domain
+domain_auto_trans(dumpstate, vdc_exec, vdc)
diff --git a/file_contexts b/private/file_contexts
similarity index 100%
rename from file_contexts
rename to private/file_contexts
diff --git a/file_contexts_asan b/private/file_contexts_asan
similarity index 100%
rename from file_contexts_asan
rename to private/file_contexts_asan
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
new file mode 100644
index 0000000000000000000000000000000000000000..a733cabd9d066dd2a28bb5f3bb5c0f3d7b0bc15d
--- /dev/null
+++ b/private/fingerprintd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(fingerprintd)
diff --git a/fs_use b/private/fs_use
similarity index 100%
rename from fs_use
rename to private/fs_use
diff --git a/private/fsck.te b/private/fsck.te
new file mode 100644
index 0000000000000000000000000000000000000000..f3f4c52d2b6a1e05b74d6428ac322d65fa3d2df2
--- /dev/null
+++ b/private/fsck.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(fsck)
diff --git a/private/gatekeeperd.te b/private/gatekeeperd.te
new file mode 100644
index 0000000000000000000000000000000000000000..d050c2edfd71a9ba87ff915073317cd1dff1d498
--- /dev/null
+++ b/private/gatekeeperd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(gatekeeperd)
diff --git a/genfs_contexts b/private/genfs_contexts
similarity index 100%
rename from genfs_contexts
rename to private/genfs_contexts
diff --git a/private/hci_attach.te b/private/hci_attach.te
new file mode 100644
index 0000000000000000000000000000000000000000..c8ba3f6b064dc500af65827997d8e1c11f30569f
--- /dev/null
+++ b/private/hci_attach.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(hci_attach)
\ No newline at end of file
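Review bot: `private/hci_attach.te` ends without a terminating newline (L398), as does `private/inputflinger.te` (L458). The .te sources are concatenated by `m4 -s $^` into a single policy.conf (Android.mk L70-73), and the Makefile's own comment at L57-58 inserts newline separators between the contexts files precisely because a file with no final newline can fuse its last line with the first line of the file that follows; the .te concatenation has no such separator, so `init_daemon_domain(hci_attach)` may be joined to whatever file sorts next. Add the terminating newline to both files.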
diff --git a/private/hostapd.te b/private/hostapd.te
new file mode 100644
index 0000000000000000000000000000000000000000..d895f2916499133ab3fdc4231f1ae0dc5857e8ba
--- /dev/null
+++ b/private/hostapd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(hostapd)
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
new file mode 100644
index 0000000000000000000000000000000000000000..e15d13db0bc0740c057b87af6fbbd4715a3af161
--- /dev/null
+++ b/private/hwservicemanager.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(hwservicemanager)
diff --git a/private/init.te b/private/init.te
new file mode 100644
index 0000000000000000000000000000000000000000..c2354548b093d446c64dd53cc36219d4a6b48d5c
--- /dev/null
+++ b/private/init.te
@@ -0,0 +1,18 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+tmpfs_domain(init)
+
+# Transitions to seclabel processes in init.rc
+domain_trans(init, rootfs, adbd)
+domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
+recovery_only(`
+  domain_trans(init, rootfs, recovery)
+')
+domain_trans(init, shell_exec, shell)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, watchdogd)
+# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+userdebug_or_eng(`
+  domain_auto_trans(init, logcat_exec, logd)
+')
diff --git a/initial_sid_contexts b/private/initial_sid_contexts
similarity index 100%
rename from initial_sid_contexts
rename to private/initial_sid_contexts
diff --git a/initial_sids b/private/initial_sids
similarity index 100%
rename from initial_sids
rename to private/initial_sids
diff --git a/private/inputflinger.te b/private/inputflinger.te
new file mode 100644
index 0000000000000000000000000000000000000000..0d3782f40c0feccd400aa560c245e722ccadcb88
--- /dev/null
+++ b/private/inputflinger.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(inputflinger)
\ No newline at end of file
diff --git a/private/install_recovery.te b/private/install_recovery.te
new file mode 100644
index 0000000000000000000000000000000000000000..b9b402b568f25428b518e3c51ba1ade2bf28bc26
--- /dev/null
+++ b/private/install_recovery.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(install_recovery)
diff --git a/private/installd.te b/private/installd.te
new file mode 100644
index 0000000000000000000000000000000000000000..50b3821b890e84d7967d03584b0661096ccf1cbd
--- /dev/null
+++ b/private/installd.te
@@ -0,0 +1,12 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(installd)
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
+# Run idmap in its own sandbox.
+domain_auto_trans(installd, idmap_exec, idmap)
diff --git a/private/kernel.te b/private/kernel.te
new file mode 100644
index 0000000000000000000000000000000000000000..1c2223e57171d496c70ae61f40df9f4be713be13
--- /dev/null
+++ b/private/kernel.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+domain_auto_trans(kernel, init_exec, init)
diff --git a/keys.conf b/private/keys.conf
similarity index 100%
rename from keys.conf
rename to private/keys.conf
diff --git a/private/keystore.te b/private/keystore.te
new file mode 100644
index 0000000000000000000000000000000000000000..70ad3b24dfef1e0d686f35d046a2b8c6c6fe31bb
--- /dev/null
+++ b/private/keystore.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(keystore)
diff --git a/private/lmkd.te b/private/lmkd.te
new file mode 100644
index 0000000000000000000000000000000000000000..a5d0d77568cde7061dde12f36dede567f3aeee79
--- /dev/null
+++ b/private/lmkd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(lmkd)
diff --git a/private/logd.te b/private/logd.te
new file mode 100644
index 0000000000000000000000000000000000000000..52600ac511c9dd4e124131354aa745590ccc251d
--- /dev/null
+++ b/private/logd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(logd)
diff --git a/mac_permissions.xml b/private/mac_permissions.xml
similarity index 100%
rename from mac_permissions.xml
rename to private/mac_permissions.xml
diff --git a/private/mdnsd.te b/private/mdnsd.te
new file mode 100644
index 0000000000000000000000000000000000000000..54659d1d1d1b94bd8edae3dc82f2f7101ca439a7
--- /dev/null
+++ b/private/mdnsd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mdnsd)
diff --git a/private/mediacodec.te b/private/mediacodec.te
new file mode 100644
index 0000000000000000000000000000000000000000..7f88433a101fd3d653fb04e98dfec647eb6dce96
--- /dev/null
+++ b/private/mediacodec.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mediacodec)
diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
new file mode 100644
index 0000000000000000000000000000000000000000..5a8e7446cdc5142fbbc773cb33b4c6b06833d8d7
--- /dev/null
+++ b/private/mediadrmserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mediadrmserver)
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
new file mode 100644
index 0000000000000000000000000000000000000000..8596c1440a10415fa76c02c00e4d9a0047a7f498
--- /dev/null
+++ b/private/mediaextractor.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mediaextractor)
diff --git a/private/mediaserver.te b/private/mediaserver.te
new file mode 100644
index 0000000000000000000000000000000000000000..74b11b07b7021c5e84d27494cd5caa0959078074
--- /dev/null
+++ b/private/mediaserver.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mediaserver)
diff --git a/mls b/private/mls
similarity index 100%
rename from mls
rename to private/mls
diff --git a/mls_macros b/private/mls_macros
similarity index 100%
rename from mls_macros
rename to private/mls_macros
diff --git a/private/mtp.te b/private/mtp.te
new file mode 100644
index 0000000000000000000000000000000000000000..69e1353b0f7085730ec94b5fb37b9cf1e5c936a7
--- /dev/null
+++ b/private/mtp.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
new file mode 100644
index 0000000000000000000000000000000000000000..cc87dcbb45ce4218c6cc743a7d7223bdaf14d5fc
--- /dev/null
+++ b/private/netd.te
@@ -0,0 +1,9 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(netd)
+
+# Allow netd to spawn dnsmasq in it's own domain
+domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+
+# Allow netd to start clatd in its own domain
+domain_auto_trans(netd, clatd_exec, clatd)
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
new file mode 100644
index 0000000000000000000000000000000000000000..8e54a790fc1dca67306535f6f766404b340673c3
--- /dev/null
+++ b/private/otapreopt_chroot.te
@@ -0,0 +1,4 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
+domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/private/otapreopt_slot.te b/private/otapreopt_slot.te
new file mode 100644
index 0000000000000000000000000000000000000000..519c34274128ef5c68b18ccf3b5f233f9b8fd106
--- /dev/null
+++ b/private/otapreopt_slot.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(otapreopt_slot)
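Review bot: The comment at L625-626 says the transition is "from init domain to cppreopts", but the rule below it is `init_daemon_domain(otapreopt_slot)`; the text appears to have been copied from `private/cppreopts.te` (L302-303) without updating the domain name. Suggest `# Technically not a daemon but we do want the transition from init domain to` / `# otapreopt_slot to occur.`.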
diff --git a/perfprofd.te b/private/perfprofd.te
similarity index 100%
rename from perfprofd.te
rename to private/perfprofd.te
diff --git a/policy_capabilities b/private/policy_capabilities
similarity index 100%
rename from policy_capabilities
rename to private/policy_capabilities
diff --git a/port_contexts b/private/port_contexts
similarity index 100%
rename from port_contexts
rename to private/port_contexts
diff --git a/private/postinstall.te b/private/postinstall.te
new file mode 100644
index 0000000000000000000000000000000000000000..47bf320f3b7d9437a53da6a63b2581779e03d776
--- /dev/null
+++ b/private/postinstall.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
new file mode 100644
index 0000000000000000000000000000000000000000..7596465aa8a1d747e278e723df518de60acaed2f
--- /dev/null
+++ b/private/postinstall_dexopt.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Run dex2oat/patchoat in its own sandbox.
+# We have to manually transition, as we don't have an entrypoint.
+domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
diff --git a/private/ppp.te b/private/ppp.te
new file mode 100644
index 0000000000000000000000000000000000000000..befc20e5e012605601cc10b041727bcdd42ad384
--- /dev/null
+++ b/private/ppp.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/property_contexts b/private/property_contexts
similarity index 100%
rename from property_contexts
rename to private/property_contexts
diff --git a/private/racoon.te b/private/racoon.te
new file mode 100644
index 0000000000000000000000000000000000000000..3eeb8151a3c87d7ccc48290efa038d817eccad0d
--- /dev/null
+++ b/private/racoon.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(racoon)
diff --git a/private/recovery_persist.te b/private/recovery_persist.te
new file mode 100644
index 0000000000000000000000000000000000000000..3b74629349897e5ef577f98ca221ec6f803bbf64
--- /dev/null
+++ b/private/recovery_persist.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(recovery_persist)
diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
new file mode 100644
index 0000000000000000000000000000000000000000..8204465d28cebf22c94bfc5073fcd432c2d8e060
--- /dev/null
+++ b/private/recovery_refresh.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(recovery_refresh)
diff --git a/private/rild.te b/private/rild.te
new file mode 100644
index 0000000000000000000000000000000000000000..ac6a05d3616ed479d28b2c713f90e2e6771c7506
--- /dev/null
+++ b/private/rild.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(rild)
diff --git a/roles b/private/roles
similarity index 100%
rename from roles
rename to private/roles
diff --git a/private/runas.te b/private/runas.te
new file mode 100644
index 0000000000000000000000000000000000000000..d791501b346372cf3d8941939011dd221b1949b8
--- /dev/null
+++ b/private/runas.te
@@ -0,0 +1,4 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# ndk-gdb invokes adb shell run-as.
+domain_auto_trans(shell, runas_exec, runas)
diff --git a/private/sdcardd.te b/private/sdcardd.te
new file mode 100644
index 0000000000000000000000000000000000000000..55915fed71432a6282c837b5c55e583ce9daaf3b
--- /dev/null
+++ b/private/sdcardd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/seapp_contexts b/private/seapp_contexts
similarity index 100%
rename from seapp_contexts
rename to private/seapp_contexts
diff --git a/security_classes b/private/security_classes
similarity index 100%
rename from security_classes
rename to private/security_classes
diff --git a/service_contexts b/private/service_contexts
similarity index 100%
rename from service_contexts
rename to private/service_contexts
diff --git a/private/servicemanager.te b/private/servicemanager.te
new file mode 100644
index 0000000000000000000000000000000000000000..1514b0f3773e8646b6a3957475f441a4f346efa1
--- /dev/null
+++ b/private/servicemanager.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(servicemanager)
diff --git a/su.te b/private/su.te
similarity index 100%
rename from su.te
rename to private/su.te
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
new file mode 100644
index 0000000000000000000000000000000000000000..ae8ab08e4396d8e2ed062b16ae2a0d4f269df433
--- /dev/null
+++ b/private/surfaceflinger.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(surfaceflinger)
diff --git a/private/system_server.te b/private/system_server.te
new file mode 100644
index 0000000000000000000000000000000000000000..bab3d725f630c59dba451ddb14b8234beccd6d78
--- /dev/null
+++ b/private/system_server.te
@@ -0,0 +1,6 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Define a type for tmpfs-backed ashmem regions.
+tmpfs_domain(system_server)
+# Create a socket for connections from debuggerd.
+type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
diff --git a/private/tee.te b/private/tee.te
new file mode 100644
index 0000000000000000000000000000000000000000..17b276fdd28eb30ae8457fcab26251cb521533b1
--- /dev/null
+++ b/private/tee.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(tee)
diff --git a/private/toolbox.te b/private/toolbox.te
new file mode 100644
index 0000000000000000000000000000000000000000..fd43d5ee6cbf414864e8c2e65a66fdb04ad35b29
--- /dev/null
+++ b/private/toolbox.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(toolbox)
diff --git a/private/tzdatacheck.te b/private/tzdatacheck.te
new file mode 100644
index 0000000000000000000000000000000000000000..ee67bb2e59ff8efb67bf9fe213a8e52edb5e36c9
--- /dev/null
+++ b/private/tzdatacheck.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(tzdatacheck)
diff --git a/private/ueventd.te b/private/ueventd.te
new file mode 100644
index 0000000000000000000000000000000000000000..5034db7f9b49361c01611b9dce93ff9260c8c557
--- /dev/null
+++ b/private/ueventd.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+tmpfs_domain(ueventd)
diff --git a/private/uncrypt.te b/private/uncrypt.te
new file mode 100644
index 0000000000000000000000000000000000000000..e2b919c74bc7c202662cedfdc7f6770032d2273e
--- /dev/null
+++ b/private/uncrypt.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(uncrypt)
diff --git a/private/update_engine.te b/private/update_engine.te
new file mode 100644
index 0000000000000000000000000000000000000000..01199ebb2b70f22bd1dc78e67a04789b8b790e84
--- /dev/null
+++ b/private/update_engine.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(update_engine);
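Review bot: `init_daemon_domain(update_engine);` carries a trailing semicolon that none of the sibling one-line private files added in this commit use (rild, servicemanager, zygote, …), so it reads as a copy-paste leftover rather than intent. The macro expansion already terminates its own statements, and the stray `;` presumably only survives because the policy compiler tolerates an empty statement; dropping it keeps the new files uniform: `init_daemon_domain(update_engine)`.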
diff --git a/private/update_engine_common.te b/private/update_engine_common.te
new file mode 100644
index 0000000000000000000000000000000000000000..a7fb584717a67896ed22a205fa55f229846812e7
--- /dev/null
+++ b/private/update_engine_common.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# The postinstall program is run by update_engine_common and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
+domain_auto_trans(update_engine_common, postinstall_file, postinstall)
diff --git a/private/update_verifier.te b/private/update_verifier.te
new file mode 100644
index 0000000000000000000000000000000000000000..c5f110b6cf5ea82158a957aa95880fbfc136cce3
--- /dev/null
+++ b/private/update_verifier.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(update_verifier)
diff --git a/users b/private/users
similarity index 100%
rename from users
rename to private/users
diff --git a/private/vdc.te b/private/vdc.te
new file mode 100644
index 0000000000000000000000000000000000000000..877e9133123bac2fe5d66bc393a4095e16f3c8af
--- /dev/null
+++ b/private/vdc.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(vdc)
diff --git a/private/vold.te b/private/vold.te
new file mode 100644
index 0000000000000000000000000000000000000000..b2495f688342e3aec67aca2418d012635e75bf1d
--- /dev/null
+++ b/private/vold.te
@@ -0,0 +1,19 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(vold)
+
+# Switch to more restrictive domains when executing common tools
+domain_auto_trans(vold, sgdisk_exec, sgdisk);
+domain_auto_trans(vold, sdcardd_exec, sdcardd);
+
+# For a handful of probing tools, we choose an even more restrictive
+# domain when working with untrusted block devices
+domain_trans(vold, shell_exec, blkid);
+domain_trans(vold, shell_exec, blkid_untrusted);
+domain_trans(vold, fsck_exec, fsck);
+domain_trans(vold, fsck_exec, fsck_untrusted);
+
+# Newly created storage dirs are always treated as mount stubs to prevent us
+# from accidentally writing when the mount point isn't present.
+type_transition vold storage_file:dir storage_stub_file;
+type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
diff --git a/private/wifi_hal_legacy.te b/private/wifi_hal_legacy.te
new file mode 100644
index 0000000000000000000000000000000000000000..cb2c6dab56008f0cf8fc1294e0a0899fe808e7a0
--- /dev/null
+++ b/private/wifi_hal_legacy.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(wifi_hal_legacy)
diff --git a/private/wificond.te b/private/wificond.te
new file mode 100644
index 0000000000000000000000000000000000000000..2e89975d0724277ae8927ebc8b82613135905538
--- /dev/null
+++ b/private/wificond.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(wificond)
diff --git a/private/wpa.te b/private/wpa.te
new file mode 100644
index 0000000000000000000000000000000000000000..4bf29cfb50d19f37cd22402406864360e76516c3
--- /dev/null
+++ b/private/wpa.te
@@ -0,0 +1,6 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(wpa)
+
+# Create a socket for receiving info from wpa
+type_transition wpa wifi_data_file:dir wpa_socket "sockets";
diff --git a/private/zygote.te b/private/zygote.te
new file mode 100644
index 0000000000000000000000000000000000000000..bab15c7a80caa649312ecbbfe53e97c8df55f574
--- /dev/null
+++ b/private/zygote.te
@@ -0,0 +1,3 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(zygote)
diff --git a/adbd.te b/public/adbd.te
similarity index 98%
rename from adbd.te
rename to public/adbd.te
index 45bed8e590d3a537df6a040b8fd0778434e6b179..450bc1da3ee0d9b7dc284f94066e97e052dd0796 100644
--- a/adbd.te
+++ b/public/adbd.te
@@ -7,8 +7,6 @@ userdebug_or_eng(`
   allow adbd su:process dyntransition;
 ')
 
-domain_auto_trans(adbd, shell_exec, shell)
-
 # Do not sanitize the environment or open fds of the shell. Allow signaling
 # created processes.
 allow adbd shell:process { noatsecure signal };
diff --git a/android_hardware_nfc_1_0_service.te b/public/android_hardware_nfc_1_0_service.te
similarity index 89%
rename from android_hardware_nfc_1_0_service.te
rename to public/android_hardware_nfc_1_0_service.te
index f980da43b63bcbe1838105ebd59e23c5b3216fea..79da53b785bc8e96d610f6c3d0c4bce63436419b 100644
--- a/android_hardware_nfc_1_0_service.te
+++ b/public/android_hardware_nfc_1_0_service.te
@@ -2,9 +2,6 @@
 type android_hardware_nfc_1_0_service, domain;
 type android_hardware_nfc_1_0_service_exec, exec_type, file_type;
 
-# may be started by init
-init_daemon_domain(android_hardware_nfc_1_0_service)
-
 # hwbinder access
 hwbinder_use(android_hardware_nfc_1_0_service)
 
diff --git a/app.te b/public/app.te
similarity index 100%
rename from app.te
rename to public/app.te
diff --git a/attributes b/public/attributes
similarity index 100%
rename from attributes
rename to public/attributes
diff --git a/audioserver.te b/public/audioserver.te
similarity index 98%
rename from audioserver.te
rename to public/audioserver.te
index da12649e303b305b749b5f264490fb38efb89eab..dab4ea54c850556e0ae7c77aa82b101050221afa 100644
--- a/audioserver.te
+++ b/public/audioserver.te
@@ -2,8 +2,6 @@
 type audioserver, domain;
 type audioserver_exec, exec_type, file_type;
 
-init_daemon_domain(audioserver)
-
 r_dir_file(audioserver, sdcard_type)
 
 binder_use(audioserver)
diff --git a/autoplay_app.te b/public/autoplay_app.te
similarity index 96%
rename from autoplay_app.te
rename to public/autoplay_app.te
index f671d5d379a463ea72e3fdd2e9b8cf64bda59af5..5fe1000be0a863e86d6f04c40e8ec894b93f902b 100644
--- a/autoplay_app.te
+++ b/public/autoplay_app.te
@@ -16,9 +16,6 @@ type autoplay_app, domain;
 allow autoplay_app self:process execmem;
 allow autoplay_app ashmem_device:chr_file execute;
 
-# Define and allow access to our own type for ashmem regions.
-# Label ashmem objects with our own unique type.
-tmpfs_domain(autoplay_app)
 # Map with PROT_EXEC.
 allow autoplay_app autoplay_app_tmpfs:file execute;
 
diff --git a/binderservicedomain.te b/public/binderservicedomain.te
similarity index 100%
rename from binderservicedomain.te
rename to public/binderservicedomain.te
diff --git a/blkid.te b/public/blkid.te
similarity index 100%
rename from blkid.te
rename to public/blkid.te
diff --git a/blkid_untrusted.te b/public/blkid_untrusted.te
similarity index 100%
rename from blkid_untrusted.te
rename to public/blkid_untrusted.te
diff --git a/bluetooth.te b/public/bluetooth.te
similarity index 97%
rename from bluetooth.te
rename to public/bluetooth.te
index d8448a6d9ffa5915cd170d8d06327d2e950f1a3d..332d2ab3c0db2949add245d0e55c94ff265a3da4 100644
--- a/bluetooth.te
+++ b/public/bluetooth.te
@@ -14,7 +14,6 @@ allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
 allow bluetooth bluetooth_logs_data_file:file create_file_perms;
 
 # Socket creation under /data/misc/bluedroid.
-type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
 allow bluetooth bluetooth_socket:sock_file create_file_perms;
 
 # bluetooth factory file accesses.
diff --git a/bluetoothdomain.te b/public/bluetoothdomain.te
similarity index 100%
rename from bluetoothdomain.te
rename to public/bluetoothdomain.te
diff --git a/boot_control_hal.te b/public/boot_control_hal.te
similarity index 100%
rename from boot_control_hal.te
rename to public/boot_control_hal.te
diff --git a/bootanim.te b/public/bootanim.te
similarity index 96%
rename from bootanim.te
rename to public/bootanim.te
index e18654c2c93b6b217b45b7b482f3801f5b6a7d7c..abbcacac7694c7f3c83eeaf3cf7f83b900b6d5f1 100644
--- a/bootanim.te
+++ b/public/bootanim.te
@@ -2,8 +2,6 @@
 type bootanim, domain;
 type bootanim_exec, exec_type, file_type;
 
-init_daemon_domain(bootanim)
-
 binder_use(bootanim)
 binder_call(bootanim, surfaceflinger)
 binder_call(bootanim, audioserver)
diff --git a/bootstat.te b/public/bootstat.te
similarity index 91%
rename from bootstat.te
rename to public/bootstat.te
index 44a8c91b87d56184975ce914249b017d81f5bb40..82d730ccb2a82304d9815ffdaa753ae5659b78ad 100644
--- a/bootstat.te
+++ b/public/bootstat.te
@@ -2,8 +2,6 @@
 type bootstat, domain;
 type bootstat_exec, exec_type, file_type;
 
-init_daemon_domain(bootstat)
-
 # Allow persistent storage in /data/misc/bootstat.
 allow bootstat bootstat_data_file:dir rw_dir_perms;
 allow bootstat bootstat_data_file:file create_file_perms;
diff --git a/cameraserver.te b/public/cameraserver.te
similarity index 97%
rename from cameraserver.te
rename to public/cameraserver.te
index c12b1a2f84eb61d89460ca6ea86ae1c668b5f91e..b12d17cc4ee017b3b60286ae33b9e762535fb13f 100644
--- a/cameraserver.te
+++ b/public/cameraserver.te
@@ -2,8 +2,6 @@
 type cameraserver, domain;
 type cameraserver_exec, exec_type, file_type;
 
-init_daemon_domain(cameraserver)
-
 binder_use(cameraserver)
 binder_call(cameraserver, binderservicedomain)
 binder_call(cameraserver, appdomain)
diff --git a/clatd.te b/public/clatd.te
similarity index 100%
rename from clatd.te
rename to public/clatd.te
diff --git a/cppreopts.te b/public/cppreopts.te
similarity index 80%
rename from cppreopts.te
rename to public/cppreopts.te
index 66df7eea4148c577faf580547d08f35f4eded281..8cbf8018728192c988294be60b22632ec9da157d 100644
--- a/cppreopts.te
+++ b/public/cppreopts.te
@@ -7,12 +7,6 @@
 type cppreopts, domain, mlstrustedsubject;
 type cppreopts_exec, exec_type, file_type;
 
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(cppreopts)
-
-domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
-
 # Allow cppreopts copy files into the dalvik-cache
 allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
 allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
diff --git a/debuggerd.te b/public/debuggerd.te
similarity index 98%
rename from debuggerd.te
rename to public/debuggerd.te
index 80d3f5c6c85cb276d8463bdde95d7a418e4cffdf..da1314a04e56b415deb7f6453e0a41531300013a 100644
--- a/debuggerd.te
+++ b/public/debuggerd.te
@@ -2,7 +2,6 @@
 type debuggerd, domain, domain_deprecated;
 type debuggerd_exec, exec_type, file_type;
 
-init_daemon_domain(debuggerd)
 typeattribute debuggerd mlstrustedsubject;
 allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
 allow debuggerd self:capability2 { syslog };
diff --git a/device.te b/public/device.te
similarity index 100%
rename from device.te
rename to public/device.te
diff --git a/dex2oat.te b/public/dex2oat.te
similarity index 100%
rename from dex2oat.te
rename to public/dex2oat.te
diff --git a/dhcp.te b/public/dhcp.te
similarity index 92%
rename from dhcp.te
rename to public/dhcp.te
index a051b192d11d4a21157558957f2c9959d2b46068..6b9fb4ad11fd47d19b304d4c85613e9609bba558 100644
--- a/dhcp.te
+++ b/public/dhcp.te
@@ -2,7 +2,6 @@ type dhcp, domain, domain_deprecated;
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 
-init_daemon_domain(dhcp)
 net_domain(dhcp)
 
 allow dhcp cgroup:dir { create write add_name };
@@ -21,7 +20,6 @@ allow dhcp proc_net:file write;
 set_prop(dhcp, dhcp_prop)
 set_prop(dhcp, pan_result_prop)
 
-type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;
 allow dhcp dhcp_data_file:file create_file_perms;
 
diff --git a/dnsmasq.te b/public/dnsmasq.te
similarity index 100%
rename from dnsmasq.te
rename to public/dnsmasq.te
diff --git a/domain.te b/public/domain.te
similarity index 100%
rename from domain.te
rename to public/domain.te
diff --git a/domain_deprecated.te b/public/domain_deprecated.te
similarity index 100%
rename from domain_deprecated.te
rename to public/domain_deprecated.te
diff --git a/drmserver.te b/public/drmserver.te
similarity index 98%
rename from drmserver.te
rename to public/drmserver.te
index d0adf46153d42c2ca276cfa20cedc4b42a4d0064..66cc432bdc2c00d8c2de630cc05df6154338f034 100644
--- a/drmserver.te
+++ b/public/drmserver.te
@@ -2,7 +2,6 @@
 type drmserver, domain;
 type drmserver_exec, exec_type, file_type;
 
-init_daemon_domain(drmserver)
 typeattribute drmserver mlstrustedsubject;
 
 net_domain(drmserver)
diff --git a/dumpstate.te b/public/dumpstate.te
similarity index 98%
rename from dumpstate.te
rename to public/dumpstate.te
index 9f3370e396350be658e189becdcfa553715dc09b..17764c30e0bd9313b0f65eb23c6a14ba54a1ba74 100644
--- a/dumpstate.te
+++ b/public/dumpstate.te
@@ -2,7 +2,6 @@
 type dumpstate, domain, domain_deprecated, mlstrustedsubject;
 type dumpstate_exec, exec_type, file_type;
 
-init_daemon_domain(dumpstate)
 net_domain(dumpstate)
 binder_use(dumpstate)
 wakelock_use(dumpstate)
@@ -80,9 +79,6 @@ allow dumpstate {
   surfaceflinger
 }:debuggerd dump_backtrace;
 
-# Execute and transition to the vdc domain
-domain_auto_trans(dumpstate, vdc_exec, vdc)
-
 # Vibrate the device after we're done collecting the bugreport
 # /sys/class/timed_output/vibrator/enable
 # TODO: create a new file class, instead of allowing write access to all of /sys
diff --git a/file.te b/public/file.te
similarity index 100%
rename from file.te
rename to public/file.te
diff --git a/fingerprintd.te b/public/fingerprintd.te
similarity index 94%
rename from fingerprintd.te
rename to public/fingerprintd.te
index 09d39b187d179d04620420b6bbc98e3a20f02032..b541e34ef49da73ad05802c2589ab22377be58f4 100644
--- a/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -1,8 +1,6 @@
 type fingerprintd, domain, domain_deprecated;
 type fingerprintd_exec, exec_type, file_type;
 
-# fingerprintd
-init_daemon_domain(fingerprintd)
 binder_use(fingerprintd)
 
 # need to find KeyStore and add self
diff --git a/fsck.te b/public/fsck.te
similarity index 98%
rename from fsck.te
rename to public/fsck.te
index 9f372ce257170b0828498bf75be1ae1c0b9340e8..bdbbd33354d36d0f5e446b4364ea4d202598916a 100644
--- a/fsck.te
+++ b/public/fsck.te
@@ -2,8 +2,6 @@
 type fsck, domain, domain_deprecated;
 type fsck_exec, exec_type, file_type;
 
-init_daemon_domain(fsck)
-
 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.
 allow fsck tmpfs:chr_file { read write ioctl };
diff --git a/fsck_untrusted.te b/public/fsck_untrusted.te
similarity index 100%
rename from fsck_untrusted.te
rename to public/fsck_untrusted.te
diff --git a/gatekeeperd.te b/public/gatekeeperd.te
similarity index 97%
rename from gatekeeperd.te
rename to public/gatekeeperd.te
index bc4fe81b447d3853b601a468ffe768d436670d34..13d2db729312d85b29c5a2763b99f945245caaaa 100644
--- a/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -2,7 +2,6 @@ type gatekeeperd, domain;
 type gatekeeperd_exec, exec_type, file_type;
 
 # gatekeeperd
-init_daemon_domain(gatekeeperd)
 binder_service(gatekeeperd)
 binder_use(gatekeeperd)
 allow gatekeeperd tee_device:chr_file rw_file_perms;
diff --git a/global_macros b/public/global_macros
similarity index 100%
rename from global_macros
rename to public/global_macros
diff --git a/hci_attach.te b/public/hci_attach.te
similarity index 90%
rename from hci_attach.te
rename to public/hci_attach.te
index 543cae1a0096846f3a6f37312ade7d8b4bc3b98a..04b6113e13ffd13d413b887c6d0c5c601fa3820e 100644
--- a/hci_attach.te
+++ b/public/hci_attach.te
@@ -1,8 +1,6 @@
 type hci_attach, domain, domain_deprecated;
 type hci_attach_exec, exec_type, file_type;
 
-init_daemon_domain(hci_attach)
-
 allow hci_attach kernel:system module_request;
 allow hci_attach hci_attach_dev:chr_file rw_file_perms;
 allow hci_attach bluetooth_efs_file:dir r_dir_perms;
diff --git a/healthd.te b/public/healthd.te
similarity index 100%
rename from healthd.te
rename to public/healthd.te
diff --git a/hostapd.te b/public/hostapd.te
similarity index 97%
rename from hostapd.te
rename to public/hostapd.te
index 62f9cc72687567dba9221a9701c6243b47bf9f16..b40bdc84a50d9dd39c527c33430183e6be4df904 100644
--- a/hostapd.te
+++ b/public/hostapd.te
@@ -2,7 +2,7 @@
 type hostapd, domain;
 type hostapd_exec, exec_type, file_type;
 
-init_daemon_domain(hostapd)
+
 net_domain(hostapd)
 allow hostapd self:capability { net_admin net_raw };
 
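Review bot: Replacing `init_daemon_domain(hostapd)` with an empty `+` line leaves two consecutive blank lines between the type declarations and `net_domain(hostapd)`, whereas the equivalent hunks elsewhere in this commit (audioserver.te, bootanim.te, lmkd.te) delete the macro line outright. Drop the added blank line so the file matches its siblings. otapreopt_slot.te has the same leftover double blank after its removed comment-plus-macro block.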
diff --git a/hwservicemanager.te b/public/hwservicemanager.te
similarity index 95%
rename from hwservicemanager.te
rename to public/hwservicemanager.te
index 649e2b8f6f6666c4af64e047618f5e34ee2cdd92..cbb47e525c8392366c687a24925688a8dc6a6d11 100644
--- a/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -2,8 +2,6 @@
 type hwservicemanager, domain, mlstrustedsubject;
 type hwservicemanager_exec, exec_type, file_type;
 
-init_daemon_domain(hwservicemanager)
-
 # Note that we do not use the binder_* macros here.
 # hwservicemanager only provides name service (aka context manager)
 # for Binder.
diff --git a/idmap.te b/public/idmap.te
similarity index 100%
rename from idmap.te
rename to public/idmap.te
diff --git a/init.te b/public/init.te
similarity index 96%
rename from init.te
rename to public/init.te
index 1512d0b4c52e3ffe5e4bf3d980b086528e455011..16bafc31df4e94b5420e15ec68e079ac2bcdf4e5 100644
--- a/init.te
+++ b/public/init.te
@@ -1,6 +1,5 @@
 # init is its own domain.
 type init, domain, domain_deprecated, mlstrustedsubject;
-tmpfs_domain(init)
 
 # The init domain is entered by execing init.
 type init_exec, exec_type, file_type;
@@ -224,21 +223,6 @@ allow init sysfs_type:dir r_dir_perms;
 allow init sysfs_type:lnk_file read;
 allow init sysfs_type:file rw_file_perms;
 
-# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, adbd)
-domain_trans(init, rootfs, healthd)
-domain_trans(init, rootfs, slideshow)
-recovery_only(`
-  domain_trans(init, rootfs, recovery)
-')
-domain_trans(init, shell_exec, shell)
-domain_trans(init, init_exec, ueventd)
-domain_trans(init, init_exec, watchdogd)
-# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
-userdebug_or_eng(`
-  domain_auto_trans(init, logcat_exec, logd)
-')
-
 # Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
 # Init will also walk through the directory as part of a recursive restorecon.
 allow init misc_logd_file:dir { open create read getattr setattr search };
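Review bot: The removed block wrapped `domain_trans(init, rootfs, recovery)` in `recovery_only(...)` and `domain_auto_trans(init, logcat_exec, logd)` in `userdebug_or_eng(...)`; the private/init.te that presumably receives these rules is outside this chunk, so I cannot confirm the guards were carried across with them. If the `userdebug_or_eng` wrapper were lost in the move, the init→logd auto-transition on logcat_exec would become unconditional on user builds, which changes the shipped policy rather than merely relocating it. Worth a quick look at private/init.te, or a before/after diff of the compiled user-build policy, to verify both conditionals survived.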
diff --git a/inputflinger.te b/public/inputflinger.te
similarity index 93%
rename from inputflinger.te
rename to public/inputflinger.te
index b6a5f0b2173560e8684c734731be36f016ac45fc..bee392facdf97b324db1cd5692291088481ba054 100644
--- a/inputflinger.te
+++ b/public/inputflinger.te
@@ -2,7 +2,6 @@
 type inputflinger, domain, domain_deprecated;
 type inputflinger_exec, exec_type, file_type;
 
-init_daemon_domain(inputflinger)
 binder_use(inputflinger)
 binder_service(inputflinger)
 
diff --git a/install_recovery.te b/public/install_recovery.te
similarity index 96%
rename from install_recovery.te
rename to public/install_recovery.te
index b11ff7497a4c7362522212aa2c4f1925aa10e502..132b03da85b9989767fedf9fb795ce2d0325a3f8 100644
--- a/install_recovery.te
+++ b/public/install_recovery.te
@@ -2,8 +2,6 @@
 type install_recovery, domain, domain_deprecated;
 type install_recovery_exec, exec_type, file_type;
 
-init_daemon_domain(install_recovery)
-
 allow install_recovery self:capability dac_override;
 
 # /system/bin/install-recovery.sh is a shell script.
diff --git a/installd.te b/public/installd.te
similarity index 94%
rename from installd.te
rename to public/installd.te
index 317ae7cea99f4ca424bedd5d6fb2a6930e8a71f6..ead36c17e7392f4031c6ba1952e85dd862d131f5 100644
--- a/installd.te
+++ b/public/installd.te
@@ -1,8 +1,6 @@
 # installer daemon
 type installd, domain, domain_deprecated;
 type installd_exec, exec_type, file_type;
-
-init_daemon_domain(installd)
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
 
@@ -64,15 +62,6 @@ allow installd dalvikcache_data_file:file create_file_perms;
 allow installd resourcecache_data_file:dir rw_dir_perms;
 allow installd resourcecache_data_file:file create_file_perms;
 
-# Run dex2oat in its own sandbox.
-domain_auto_trans(installd, dex2oat_exec, dex2oat)
-
-# Run profman in its own sandbox.
-domain_auto_trans(installd, profman_exec, profman)
-
-# Run idmap in its own sandbox.
-domain_auto_trans(installd, idmap_exec, idmap)
-
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
diff --git a/ioctl_defines b/public/ioctl_defines
similarity index 100%
rename from ioctl_defines
rename to public/ioctl_defines
diff --git a/ioctl_macros b/public/ioctl_macros
similarity index 100%
rename from ioctl_macros
rename to public/ioctl_macros
diff --git a/isolated_app.te b/public/isolated_app.te
similarity index 100%
rename from isolated_app.te
rename to public/isolated_app.te
diff --git a/kernel.te b/public/kernel.te
similarity index 98%
rename from kernel.te
rename to public/kernel.te
index 3608a10200a4c4f279f9d149e1ff98b05965ba3e..556904c1f707003d8d1a2b6a319dc95d3ca65ceb 100644
--- a/kernel.te
+++ b/public/kernel.te
@@ -67,8 +67,6 @@ userdebug_or_eng(`
   allow kernel nativetest_data_file:file read;
 ')
 
-domain_auto_trans(kernel, init_exec, init)
-
 # Access to /data/media.
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
diff --git a/keystore.te b/public/keystore.te
similarity index 97%
rename from keystore.te
rename to public/keystore.te
index 3d7bd9210b975075af517797d6a9b78c5b8d0ae6..42150176ae459d93aa961909639fee95ffbc7228 100644
--- a/keystore.te
+++ b/public/keystore.te
@@ -2,7 +2,6 @@ type keystore, domain, domain_deprecated;
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon
-init_daemon_domain(keystore)
 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
diff --git a/lmkd.te b/public/lmkd.te
similarity index 97%
rename from lmkd.te
rename to public/lmkd.te
index 5302bcd56d04bed26bbc5d33ef97d2b584c513f6..316036f030bacab60093a1388b50f4c350fb2432 100644
--- a/lmkd.te
+++ b/public/lmkd.te
@@ -2,8 +2,6 @@
 type lmkd, domain, domain_deprecated, mlstrustedsubject;
 type lmkd_exec, exec_type, file_type;
 
-init_daemon_domain(lmkd)
-
 allow lmkd self:capability { dac_override sys_resource kill };
 
 # lmkd locks itself in memory, to prevent it from being
diff --git a/logd.te b/public/logd.te
similarity index 98%
rename from logd.te
rename to public/logd.te
index c9072f381ed2db92cac745d8cf87550450ca8f5e..1171ebf26ced44b04ba04f4c343f8c02c9eca287 100644
--- a/logd.te
+++ b/public/logd.te
@@ -2,8 +2,6 @@
 type logd, domain, mlstrustedsubject;
 type logd_exec, exec_type, file_type;
 
-init_daemon_domain(logd)
-
 # Read access to pseudo filesystems.
 r_dir_file(logd, cgroup)
 r_dir_file(logd, proc)
diff --git a/mdnsd.te b/public/mdnsd.te
similarity index 86%
rename from mdnsd.te
rename to public/mdnsd.te
index a9dc7c56578916b182ee0ee3c25e5e3943143b7f..c32b433c9664f1cc10aa0f1aadd3e5af028e0f29 100644
--- a/mdnsd.te
+++ b/public/mdnsd.te
@@ -2,7 +2,6 @@
 type mdnsd, domain, mlstrustedsubject;
 type mdnsd_exec, exec_type, file_type;
 
-init_daemon_domain(mdnsd)
 net_domain(mdnsd)
 
 # Read from /proc/net
diff --git a/mediacodec.te b/public/mediacodec.te
similarity index 96%
rename from mediacodec.te
rename to public/mediacodec.te
index 3d3625ab73b1077a839d5fc6edfc847fb56d2a59..0b562c12e3e6fbc88bde79a6078ca6268ca57ed7 100644
--- a/mediacodec.te
+++ b/public/mediacodec.te
@@ -4,8 +4,6 @@ type mediacodec_exec, exec_type, file_type;
 
 typeattribute mediacodec mlstrustedsubject;
 
-init_daemon_domain(mediacodec)
-
 binder_use(mediacodec)
 binder_call(mediacodec, binderservicedomain)
 binder_call(mediacodec, appdomain)
diff --git a/mediadrmserver.te b/public/mediadrmserver.te
similarity index 98%
rename from mediadrmserver.te
rename to public/mediadrmserver.te
index d9368ad3735203fd6a0b078533c34e6e202d87f6..db8e082f35b39db6c2d6fa5b0fd89c3a0e6ae672 100644
--- a/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -5,8 +5,6 @@ type mediadrmserver_exec, exec_type, file_type;
 typeattribute mediadrmserver mlstrustedsubject;
 
 net_domain(mediadrmserver)
-init_daemon_domain(mediadrmserver)
-
 binder_use(mediadrmserver)
 binder_call(mediadrmserver, binderservicedomain)
 binder_call(mediadrmserver, appdomain)
diff --git a/mediaextractor.te b/public/mediaextractor.te
similarity index 95%
rename from mediaextractor.te
rename to public/mediaextractor.te
index fe874479d577f651c9c7cca90c1a76bee2f3754a..ec0ce31a7978d690f9f90f24cd007c53c52e832c 100644
--- a/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -4,8 +4,6 @@ type mediaextractor_exec, exec_type, file_type;
 
 typeattribute mediaextractor mlstrustedsubject;
 
-init_daemon_domain(mediaextractor)
-
 binder_use(mediaextractor)
 binder_call(mediaextractor, binderservicedomain)
 binder_call(mediaextractor, appdomain)
diff --git a/mediaserver.te b/public/mediaserver.te
similarity index 99%
rename from mediaserver.te
rename to public/mediaserver.te
index e55c778e90ef08e43fc489afaf953d6a95dc8bcc..9e062b809943fb193e5a0e34f1b1745a12b81e3d 100644
--- a/mediaserver.te
+++ b/public/mediaserver.te
@@ -5,7 +5,6 @@ type mediaserver_exec, exec_type, file_type;
 typeattribute mediaserver mlstrustedsubject;
 
 net_domain(mediaserver)
-init_daemon_domain(mediaserver)
 
 r_dir_file(mediaserver, sdcard_type)
 r_dir_file(mediaserver, cgroup)
diff --git a/mtp.te b/public/mtp.te
similarity index 92%
rename from mtp.te
rename to public/mtp.te
index 02d4b56335fe17ad35eaea9980f935fd4cec61fe..0ca7cea357b0fb7f247d60c2d186af97e7bf1c72 100644
--- a/mtp.te
+++ b/public/mtp.te
@@ -2,7 +2,6 @@
 type mtp, domain, domain_deprecated;
 type mtp_exec, exec_type, file_type;
 
-init_daemon_domain(mtp)
 net_domain(mtp)
 
 # pptp policy
diff --git a/net.te b/public/net.te
similarity index 100%
rename from net.te
rename to public/net.te
diff --git a/netd.te b/public/netd.te
similarity index 97%
rename from netd.te
rename to public/netd.te
index f01022aab560739188c4054d489b94b6a0f61a43..dc4a1b3ee77faa1629843ad4b4278955b1f255ba 100644
--- a/netd.te
+++ b/public/netd.te
@@ -2,7 +2,6 @@
 type netd, domain, domain_deprecated, mlstrustedsubject;
 type netd_exec, exec_type, file_type;
 
-init_daemon_domain(netd)
 net_domain(netd)
 # in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
@@ -52,11 +51,9 @@ allow netd net_data_file:dir rw_dir_perms;
 allow netd self:capability fowner;
 
 # Allow netd to spawn dnsmasq in it's own domain
-domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
 allow netd dnsmasq:process signal;
 
 # Allow netd to start clatd in its own domain
-domain_auto_trans(netd, clatd_exec, clatd)
 allow netd clatd:process signal;
 
 set_prop(netd, ctl_mdnsd_prop)
diff --git a/neverallow_macros b/public/neverallow_macros
similarity index 100%
rename from neverallow_macros
rename to public/neverallow_macros
diff --git a/nfc.te b/public/nfc.te
similarity index 100%
rename from nfc.te
rename to public/nfc.te
diff --git a/otapreopt_chroot.te b/public/otapreopt_chroot.te
similarity index 84%
rename from otapreopt_chroot.te
rename to public/otapreopt_chroot.te
index 1c5f2eed0f4f16194b1cd18b88e1a6892c9178d9..c071f447f15e529a6505d74e766fdbea336a9b20 100644
--- a/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -13,9 +13,6 @@ allow otapreopt_chroot labeledfs:filesystem mount;
 # Mounting /vendor can have this side-effect. Ignore denial.
 dontaudit otapreopt_chroot kernel:process setsched;
 
-# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
-
 # Allow otapreopt to use file descriptors from update-engine. It will
 # close them immediately.
 allow otapreopt_chroot postinstall:fd use;
diff --git a/otapreopt_slot.te b/public/otapreopt_slot.te
similarity index 89%
rename from otapreopt_slot.te
rename to public/otapreopt_slot.te
index 2f4da0a121e94f7f5e2b82dafa1b8503b8b07792..5745ba7860a220600ae35b566317c207a9ef2480 100644
--- a/otapreopt_slot.te
+++ b/public/otapreopt_slot.te
@@ -6,9 +6,6 @@
 type otapreopt_slot, domain, mlstrustedsubject;
 type otapreopt_slot_exec, exec_type, file_type;
 
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(otapreopt_slot)
 
 # The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
 # the directory afterwards. For logging of aggregate size, we need getattr.
diff --git a/platform_app.te b/public/platform_app.te
similarity index 100%
rename from platform_app.te
rename to public/platform_app.te
diff --git a/postinstall.te b/public/postinstall.te
similarity index 95%
rename from postinstall.te
rename to public/postinstall.te
index 0f6bb749b4aa7072143a0907c5f83cbf25c00f2a..7fd4dc61183db9d44b5968b631ebe62bead6c271 100644
--- a/postinstall.te
+++ b/public/postinstall.te
@@ -30,8 +30,6 @@ binder_call(postinstall, system_server)
 # Need to talk to the otadexopt service.
 allow postinstall otadexopt_service:service_manager find;
 
-domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
-
 # No domain other than update_engine and recovery (via update_engine_sideload)
 # should transition to postinstall, as it is only meant to run during the
 # update.
diff --git a/postinstall_dexopt.te b/public/postinstall_dexopt.te
similarity index 91%
rename from postinstall_dexopt.te
rename to public/postinstall_dexopt.te
index e0cc25720161b9686e14b825f6ab29ef5c37707c..5fdc51031edc8cb5e20bd3afa984517d2077b626 100644
--- a/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,7 +5,6 @@
 
 type postinstall_dexopt, domain;
 
-# init_daemon_domain(otapreopt)
 allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
 
 allow postinstall_dexopt postinstall_file:dir { getattr search };
@@ -43,9 +42,6 @@ allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
 selinux_check_context(postinstall_dexopt)
 selinux_check_access(postinstall_dexopt)
 
-# Run dex2oat/patchoat in its own sandbox.
-# We have to manually transition, as we don't have an entrypoint.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
 
 # Postinstall wants to know about our child.
 allow postinstall_dexopt postinstall:process sigchld;
diff --git a/ppp.te b/public/ppp.te
similarity index 92%
rename from ppp.te
rename to public/ppp.te
index 3fb6f2b06552f58b66bef30f38540b3d02ea4bf1..5708822ee3cca1c7394948be21fbd0036ea0fa8b 100644
--- a/ppp.te
+++ b/public/ppp.te
@@ -2,7 +2,6 @@
 type ppp, domain, domain_deprecated;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
-domain_auto_trans(mtp, ppp_exec, ppp)
 
 net_domain(ppp)
 
diff --git a/preopt2cachename.te b/public/preopt2cachename.te
similarity index 100%
rename from preopt2cachename.te
rename to public/preopt2cachename.te
diff --git a/priv_app.te b/public/priv_app.te
similarity index 100%
rename from priv_app.te
rename to public/priv_app.te
diff --git a/profman.te b/public/profman.te
similarity index 100%
rename from profman.te
rename to public/profman.te
diff --git a/property.te b/public/property.te
similarity index 100%
rename from property.te
rename to public/property.te
diff --git a/racoon.te b/public/racoon.te
similarity index 97%
rename from racoon.te
rename to public/racoon.te
index c3666bd8541ba66d966a846fc2de955112e7f74c..c99740feeb2267a441be4ec5602f40d1c7b8fd66 100644
--- a/racoon.te
+++ b/public/racoon.te
@@ -2,7 +2,6 @@
 type racoon, domain, domain_deprecated;
 type racoon_exec, exec_type, file_type;
 
-init_daemon_domain(racoon)
 typeattribute racoon mlstrustedsubject;
 
 net_domain(racoon)
diff --git a/radio.te b/public/radio.te
similarity index 100%
rename from radio.te
rename to public/radio.te
diff --git a/recovery.te b/public/recovery.te
similarity index 100%
rename from recovery.te
rename to public/recovery.te
diff --git a/recovery_persist.te b/public/recovery_persist.te
similarity index 96%
rename from recovery_persist.te
rename to public/recovery_persist.te
index 19a240f89b778f259f410d8d39f134eadbdc2a55..1abcc7c6528ce1dcab792d4f61fb8a4d138e1ae7 100644
--- a/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -2,8 +2,6 @@
 type recovery_persist, domain;
 type recovery_persist_exec, exec_type, file_type;
 
-init_daemon_domain(recovery_persist)
-
 allow recovery_persist pstorefs:dir search;
 allow recovery_persist pstorefs:file r_file_perms;
 
diff --git a/recovery_refresh.te b/public/recovery_refresh.te
similarity index 96%
rename from recovery_refresh.te
rename to public/recovery_refresh.te
index 9fae1104c9f6c81be7d1dd609b04d7e0a8afbea8..5707e7b2840b1524b5c6b2099d17555d437415d4 100644
--- a/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -2,8 +2,6 @@
 type recovery_refresh, domain;
 type recovery_refresh_exec, exec_type, file_type;
 
-init_daemon_domain(recovery_refresh)
-
 allow recovery_refresh pstorefs:dir search;
 allow recovery_refresh pstorefs:file r_file_perms;
 # NB: domain inherits write_logd which hands us write to pmsg_device
diff --git a/rild.te b/public/rild.te
similarity index 98%
rename from rild.te
rename to public/rild.te
index 0d834e19b7045cc651e2f923c119fbb20550dffc..85aa04415e4ca8ad23300fa42ea371d52592cdf9 100644
--- a/rild.te
+++ b/public/rild.te
@@ -2,7 +2,6 @@
 type rild, domain, domain_deprecated;
 type rild_exec, exec_type, file_type;
 
-init_daemon_domain(rild)
 net_domain(rild)
 allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
 
diff --git a/runas.te b/public/runas.te
similarity index 92%
rename from runas.te
rename to public/runas.te
index 58a1bdc1b3a00c0df6e00736a81a500924bf87e9..21bd8805fda1e112a8aadf1967cdfe915be5aea5 100644
--- a/runas.te
+++ b/public/runas.te
@@ -1,8 +1,6 @@
 type runas, domain, domain_deprecated, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
-# ndk-gdb invokes adb shell run-as.
-domain_auto_trans(shell, runas_exec, runas)
 allow runas adbd:process sigchld;
 allow runas shell:fd use;
 allow runas shell:fifo_file { read write };
diff --git a/sdcardd.te b/public/sdcardd.te
similarity index 94%
rename from sdcardd.te
rename to public/sdcardd.te
index 846c59b58a7defd08ea2f0f246ea6801adaff365..52037e6a650d3cc7a43448559c9c5cb2ed859f66 100644
--- a/sdcardd.te
+++ b/public/sdcardd.te
@@ -14,7 +14,6 @@ allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resourc
 allow sdcardd sdcard_type:dir create_dir_perms;
 allow sdcardd sdcard_type:file create_file_perms;
 
-type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
 allow sdcardd media_rw_data_file:dir create_dir_perms;
 allow sdcardd media_rw_data_file:file create_file_perms;
 
diff --git a/service.te b/public/service.te
similarity index 100%
rename from service.te
rename to public/service.te
diff --git a/servicemanager.te b/public/servicemanager.te
similarity index 94%
rename from servicemanager.te
rename to public/servicemanager.te
index 4f07a559492d4958284c708596636085f87894f7..469c6375ca07251cdacca1c8e3143de67712d40f 100644
--- a/servicemanager.te
+++ b/public/servicemanager.te
@@ -2,8 +2,6 @@
 type servicemanager, domain, domain_deprecated, mlstrustedsubject;
 type servicemanager_exec, exec_type, file_type;
 
-init_daemon_domain(servicemanager)
-
 # Note that we do not use the binder_* macros here.
 # servicemanager is unique in that it only provides
 # name service (aka context manager) for Binder.
diff --git a/sgdisk.te b/public/sgdisk.te
similarity index 100%
rename from sgdisk.te
rename to public/sgdisk.te
diff --git a/shared_relro.te b/public/shared_relro.te
similarity index 100%
rename from shared_relro.te
rename to public/shared_relro.te
diff --git a/shell.te b/public/shell.te
similarity index 100%
rename from shell.te
rename to public/shell.te
diff --git a/slideshow.te b/public/slideshow.te
similarity index 100%
rename from slideshow.te
rename to public/slideshow.te
diff --git a/surfaceflinger.te b/public/surfaceflinger.te
similarity index 98%
rename from surfaceflinger.te
rename to public/surfaceflinger.te
index d02fc93490404fa4a245523870f6aae1b3a8ef0b..5175f83f8eca8f37a7bfa62d686f867681b95e45 100644
--- a/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -2,7 +2,6 @@
 type surfaceflinger, domain, domain_deprecated;
 type surfaceflinger_exec, exec_type, file_type;
 
-init_daemon_domain(surfaceflinger)
 typeattribute surfaceflinger mlstrustedsubject;
 
 # Perform Binder IPC.
diff --git a/system_app.te b/public/system_app.te
similarity index 100%
rename from system_app.te
rename to public/system_app.te
diff --git a/system_server.te b/public/system_server.te
similarity index 99%
rename from system_server.te
rename to public/system_server.te
index b9fe97b71311e4c61b1cd2743761c046fa84f38a..c243bc64c83612cd2ba52aa92ff2f0eda171fb3b 100644
--- a/system_server.te
+++ b/public/system_server.te
@@ -4,9 +4,6 @@
 #
 type system_server, domain, domain_deprecated, mlstrustedsubject;
 
-# Define a type for tmpfs-backed ashmem regions.
-tmpfs_domain(system_server)
-
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 allow system_server dalvikcache_data_file:file { r_file_perms execute };
@@ -369,7 +366,6 @@ allow system_server system_wpa_socket:sock_file create_file_perms;
 allow system_server wpa_socket:sock_file unlink;
 
 # Create a socket for connections from debuggerd.
-type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
 # Manage cache files.
diff --git a/te_macros b/public/te_macros
similarity index 100%
rename from te_macros
rename to public/te_macros
diff --git a/tee.te b/public/tee.te
similarity index 96%
rename from tee.te
rename to public/tee.te
index 3d4cc2fba744a18f1b0283ba668283ccd3cc78a6..a95be88349bf036c840e0aa73035feb898a228ed 100644
--- a/tee.te
+++ b/public/tee.te
@@ -6,7 +6,6 @@ type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
 
-init_daemon_domain(tee)
 allow tee self:capability { dac_override };
 allow tee tee_device:chr_file rw_file_perms;
 allow tee tee_data_file:dir rw_dir_perms;
diff --git a/toolbox.te b/public/toolbox.te
similarity index 97%
rename from toolbox.te
rename to public/toolbox.te
index 7767079dcede330fcd4a04a7880b662cb6e3a14b..59c3a9c73cfe2686245515d7baa91576fe9a3c54 100644
--- a/toolbox.te
+++ b/public/toolbox.te
@@ -4,8 +4,6 @@
 type toolbox, domain;
 type toolbox_exec, exec_type, file_type;
 
-init_daemon_domain(toolbox)
-
 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.
 allow toolbox tmpfs:chr_file { read write ioctl };
diff --git a/tzdatacheck.te b/public/tzdatacheck.te
similarity index 87%
rename from tzdatacheck.te
rename to public/tzdatacheck.te
index f61cb471632586ce4fbbd3cf672747525ed977be..37daa7516b1fedfd2d1737bea3539497c37cf15c 100644
--- a/tzdatacheck.te
+++ b/public/tzdatacheck.te
@@ -2,7 +2,5 @@
 type tzdatacheck, domain, domain_deprecated;
 type tzdatacheck_exec, exec_type, file_type;
 
-init_daemon_domain(tzdatacheck)
-
 allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
 allow tzdatacheck zoneinfo_data_file:file unlink;
diff --git a/ueventd.te b/public/ueventd.te
similarity index 99%
rename from ueventd.te
rename to public/ueventd.te
index d4880fad140caaba4d85277171870bd82d6cc8b3..46787c4de5546eea04c30c0eb057e2591657f42f 100644
--- a/ueventd.te
+++ b/public/ueventd.te
@@ -1,7 +1,6 @@
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain, domain_deprecated;
-tmpfs_domain(ueventd)
 
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;
diff --git a/uncrypt.te b/public/uncrypt.te
similarity index 97%
rename from uncrypt.te
rename to public/uncrypt.te
index 308e0f6294eb27cde62bb926e319772723e4aa5d..ef1289c325c91e64adb3bac1a391a56a76ab5376 100644
--- a/uncrypt.te
+++ b/public/uncrypt.te
@@ -2,8 +2,6 @@
 type uncrypt, domain, domain_deprecated, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
 
-init_daemon_domain(uncrypt)
-
 allow uncrypt self:capability dac_override;
 
 # Read OTA zip file from /data/data/com.google.android.gsf/app_download
diff --git a/untrusted_app.te b/public/untrusted_app.te
similarity index 100%
rename from untrusted_app.te
rename to public/untrusted_app.te
diff --git a/update_engine.te b/public/update_engine.te
similarity index 97%
rename from update_engine.te
rename to public/update_engine.te
index fa3f05ccbba408a12b299283e9f43cd20994e200..a3dee0db74c9e6adf65831769f2c88388adff2b9 100644
--- a/update_engine.te
+++ b/public/update_engine.te
@@ -4,7 +4,6 @@ type update_engine, domain, domain_deprecated, update_engine_common, boot_contro
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;
 
-init_daemon_domain(update_engine);
 net_domain(update_engine);
 
 # Following permissions are needed for update_engine.
diff --git a/update_engine_common.te b/public/update_engine_common.te
similarity index 87%
rename from update_engine_common.te
rename to public/update_engine_common.te
index e70e44db155f0aeb8ec0cfcfe38dbf09fca86e45..29581dde41c459308084ce36386de454839c0385 100644
--- a/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -24,9 +24,6 @@ allow update_engine_common postinstall_file:file rx_file_perms;
 allow update_engine_common postinstall_file:lnk_file r_file_perms;
 allow update_engine_common postinstall_file:dir r_dir_perms;
 
-# The postinstall program is run by update_engine_common and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
-domain_auto_trans(update_engine_common, postinstall_file, postinstall)
 
 # A postinstall program is typically a shell script (with a #!), so we allow
 # to execute those.
diff --git a/update_verifier.te b/public/update_verifier.te
similarity index 93%
rename from update_verifier.te
rename to public/update_verifier.te
index 09d5fc4bc0ec8d29422ea835f48df38731101754..731b6230ab64d4ada2a8301653b80a84117d2622 100644
--- a/update_verifier.te
+++ b/public/update_verifier.te
@@ -3,8 +3,6 @@
 type update_verifier, domain, boot_control_hal;
 type update_verifier_exec, exec_type, file_type;
 
-init_daemon_domain(update_verifier)
-
 # Allow update_verifier to reach block devices in /dev/block.
 allow update_verifier block_device:dir search;
 
diff --git a/vdc.te b/public/vdc.te
similarity index 96%
rename from vdc.te
rename to public/vdc.te
index d31be658ea9effb6c9358847eef8db64e1582504..394ac96aa65ec44c661f4038e2030fe95826cd36 100644
--- a/vdc.te
+++ b/public/vdc.te
@@ -8,8 +8,6 @@
 type vdc, domain, domain_deprecated;
 type vdc_exec, exec_type, file_type;
 
-init_daemon_domain(vdc)
-
 unix_socket_connect(vdc, vold, vold)
 
 # vdc sends information back to dumpstate when "adb bugreport" is used
diff --git a/vold.te b/public/vold.te
similarity index 90%
rename from vold.te
rename to public/vold.te
index 6e0fa164807c6e4ccbf9e42d6cdc0e33881071a1..afe55c071cba9c587fa728353458a6d23e8ba17e 100644
--- a/vold.te
+++ b/public/vold.te
@@ -2,12 +2,6 @@
 type vold, domain, domain_deprecated;
 type vold_exec, exec_type, file_type;
 
-init_daemon_domain(vold)
-
-# Switch to more restrictive domains when executing common tools
-domain_auto_trans(vold, sgdisk_exec, sgdisk);
-domain_auto_trans(vold, sdcardd_exec, sdcardd);
-
 # Read already opened /cache files.
 allow vold cache_file:dir r_dir_perms;
 allow vold cache_file:file { getattr read };
@@ -25,13 +19,6 @@ allow vold sysfs_zram_uevent:file w_file_perms;
 r_dir_file(vold, rootfs)
 allow vold proc_meminfo:file r_file_perms;
 
-# For a handful of probing tools, we choose an even more restrictive
-# domain when working with untrusted block devices
-domain_trans(vold, shell_exec, blkid);
-domain_trans(vold, shell_exec, blkid_untrusted);
-domain_trans(vold, fsck_exec, fsck);
-domain_trans(vold, fsck_exec, fsck_untrusted);
-
 # Allow us to jump into execution domains of above tools
 allow vold self:process setexec;
 
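Review bot: The retained context comment `# Allow us to jump into execution domains of above tools` now refers to nothing in public/vold.te, because this hunk removes the four `domain_trans(vold, …)` lines it described while keeping `allow vold self:process setexec;`, so a reader can no longer tell from this file why vold is permitted to set its own exec context. If the transitions have moved to the private policy as the Android.mk description suggests, either relocate the `setexec` allow with them or reword the comment, e.g. `# setexec is needed for the blkid/fsck domain transitions, which are declared in the private vold policy.` The same orphaning happens in the preceding hunk of this file (sgdisk/sdcardd `domain_auto_trans`) and, less visibly, in every other file here where `init_daemon_domain()` or `domain_auto_trans()` is dropped; a one-line pointer in each public file stating that process transitions are defined in private policy would prevent the absence being mistaken for a missing transition during review.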
@@ -58,11 +45,6 @@ allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms
 allow vold media_rw_data_file:dir create_dir_perms;
 allow vold media_rw_data_file:file create_file_perms;
 
-# Newly created storage dirs are always treated as mount stubs to prevent us
-# from accidentally writing when the mount point isn't present.
-type_transition vold storage_file:dir storage_stub_file;
-type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
-
 # Allow mounting of storage devices
 allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
 allow vold sdcard_type:filesystem { mount unmount remount };
diff --git a/watchdogd.te b/public/watchdogd.te
similarity index 100%
rename from watchdogd.te
rename to public/watchdogd.te
diff --git a/wifi_hal_legacy.te b/public/wifi_hal_legacy.te
similarity index 91%
rename from wifi_hal_legacy.te
rename to public/wifi_hal_legacy.te
index a7fce572955646d3f5f0c65fef5a82a92c930a00..ccdd96ca2650af8315c6ba2b70bda795a95659eb 100644
--- a/wifi_hal_legacy.te
+++ b/public/wifi_hal_legacy.te
@@ -2,9 +2,6 @@
 type wifi_hal_legacy, domain;
 type wifi_hal_legacy_exec, exec_type, file_type;
 
-# may be started by init
-init_daemon_domain(wifi_hal_legacy)
-
 ## hwbinder access
 hwbinder_use(wifi_hal_legacy)
 
diff --git a/wificond.te b/public/wificond.te
similarity index 98%
rename from wificond.te
rename to public/wificond.te
index 673394a2c0c27c77930cf496d482423adaea8b8a..82c10c131684f105fb9a36f49845acac8eddadd1 100644
--- a/wificond.te
+++ b/public/wificond.te
@@ -2,8 +2,6 @@
 type wificond, domain;
 type wificond_exec, exec_type, file_type;
 
-init_daemon_domain(wificond)
-
 binder_use(wificond)
 binder_call(wificond, system_server)
 binder_call(wificond, wpa)
diff --git a/wpa.te b/public/wpa.te
similarity index 95%
rename from wpa.te
rename to public/wpa.te
index dfb73dc2efee6659c8feb2c05f83ab701c8d6622..3cb042bdac38b05b07cbcfec273ba1dc965c2323 100644
--- a/wpa.te
+++ b/public/wpa.te
@@ -2,8 +2,6 @@
 type wpa, domain, domain_deprecated;
 type wpa_exec, exec_type, file_type;
 
-init_daemon_domain(wpa)
-
 net_domain(wpa)
 # in addition to ioctls whitelisted for all domains, grant wpa priv_sock_ioctls.
 allowxperm wpa self:udp_socket ioctl priv_sock_ioctls;
@@ -29,7 +27,6 @@ binder_call(wpa, wificond)
 allow wpa wpa_supplicant_service:service_manager { add find };
 
 # Create a socket for receiving info from wpa
-type_transition wpa wifi_data_file:dir wpa_socket "sockets";
 allow wpa wpa_socket:dir create_dir_perms;
 allow wpa wpa_socket:sock_file create_file_perms;
 
diff --git a/zygote.te b/public/zygote.te
similarity index 99%
rename from zygote.te
rename to public/zygote.te
index 9f210ed3a347df0f1b307ac3afe1e1ed2d5abd54..94081ef56a0c15ff7fad7873d1d7f9fc365277e0 100644
--- a/zygote.te
+++ b/public/zygote.te
@@ -2,7 +2,6 @@
 type zygote, domain, domain_deprecated;
 type zygote_exec, exec_type, file_type;
 
-init_daemon_domain(zygote)
 typeattribute zygote mlstrustedsubject;
 # Override DAC on files and switch uid/gid.
 allow zygote self:capability { dac_override setgid setuid fowner chown };