diff --git a/adbd.te b/adbd.te
index a35d570b81df0b16110c97d47b24808126cee470..1344fdb81b4bd6ef3710f0229d7f47c95fc1a77b 100644
--- a/adbd.te
+++ b/adbd.te
@@ -1,6 +1,6 @@
 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type adbd, domain, mlstrustedsubject;
+type adbd, domain, domain_deprecated, mlstrustedsubject;
 
 userdebug_or_eng(`
   allow adbd self:process setcurrent;
diff --git a/atrace.te b/atrace.te
index 61a5875e9fc067451db470f5e8dab6a9e250c52e..890a02641d75ae0710e928e07c2923774dc683f3 100644
--- a/atrace.te
+++ b/atrace.te
@@ -3,7 +3,7 @@ type atrace_exec, exec_type, file_type;
 
 userdebug_or_eng(`
 
-  type atrace, domain;
+  type atrace, domain, domain_deprecated;
   init_daemon_domain(atrace)
 
   # boottrace services uses /data/misc/boottrace/categories
diff --git a/attributes b/attributes
index e42edd615cc05049943b6d8cb99d68e9c85deaec..56655c11b19261f7f1cadf251b4345f838d865c0 100644
--- a/attributes
+++ b/attributes
@@ -8,6 +8,16 @@ attribute dev_type;
 # All types used for processes.
 attribute domain;
 
+# Temporary attribute used for migrating permissions out of domain.
+# Motivation: Domain is overly permissive. Start removing permissions
+# from domain and assign them to the domain_deprecated attribute.
+# Domain_deprecated and domain can initially be assigned to all
+# domains. The goal is to not assign domain_deprecated to new domains
+# and to start removing domain_deprecated where it's not required or
+# reassigning the appropriate permissions to the inheriting domain
+# when necessary.
+attribute domain_deprecated;
+
 # All types used for filesystems.
 attribute fs_type;
 
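Review bot: The goal stated in the new comment, that domain_deprecated is not assigned to new domains, is backed only by the comment itself. Nothing visible in this change checks it, so a new .te file started from a copy of an existing one would carry the attribute forward. I would make the instruction explicit at the declaration, e.g. add `# Do not assign domain_deprecated to new types; grant the needed permissions in the type's own .te file instead.` directly above `attribute domain_deprecated;`. It would also help to state here that the attribute carries no rules yet (domain_deprecated.te in this change holds only a comment), so as far as this diff shows the assignments grant nothing until rules are moved.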
diff --git a/blkid.te b/blkid.te
index 15b6a85eb87c7849629cda2efa90744adcad75d6..23ce3a9da6cb0579acab728b103f351d29c6e590 100644
--- a/blkid.te
+++ b/blkid.te
@@ -1,5 +1,5 @@
 # blkid called from vold
-type blkid, domain;
+type blkid, domain, domain_deprecated;
 type blkid_exec, exec_type, file_type;
 
 # Allowed read-only access to encrypted devices to extract UUID/label
diff --git a/blkid_untrusted.te b/blkid_untrusted.te
index df8e447f93708c4b1eff880e261574b6a58f9fc7..7e53de7ad8522cadcf2424322accc05f3b76fe57 100644
--- a/blkid_untrusted.te
+++ b/blkid_untrusted.te
@@ -1,5 +1,5 @@
 # blkid for untrusted block devices
-type blkid_untrusted, domain;
+type blkid_untrusted, domain, domain_deprecated;
 
 # Allowed read-only access to vold block devices to extract UUID/label
 allow blkid_untrusted block_device:dir search;
diff --git a/bluetooth.te b/bluetooth.te
index 5016bcfd531f3c65ee0a58cd2c508433aa07baf4..b1c7708a432b45cd189264b648395ad471a1e5b1 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,5 +1,5 @@
 # bluetooth subsystem
-type bluetooth, domain;
+type bluetooth, domain, domain_deprecated;
 app_domain(bluetooth)
 net_domain(bluetooth)
 
diff --git a/bootanim.te b/bootanim.te
index dd1e57a4daf5043f79d60c39aaaed76a881c5aa1..9e04c04ca468714cc7675c1e8f81a9e04c45cd7a 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -1,5 +1,5 @@
 # bootanimation oneshot service
-type bootanim, domain;
+type bootanim, domain, domain_deprecated;
 type bootanim_exec, exec_type, file_type;
 
 init_daemon_domain(bootanim)
diff --git a/clatd.te b/clatd.te
index 21c9ca9ed2e93cd1f7576199077ad3f37a2c233c..3cda6a2a3be3b1452b9aca85fe30649ff766803b 100644
--- a/clatd.te
+++ b/clatd.te
@@ -1,5 +1,5 @@
 # 464xlat daemon
-type clatd, domain;
+type clatd, domain, domain_deprecated;
 type clatd_exec, exec_type, file_type;
 
 net_domain(clatd)
diff --git a/debuggerd.te b/debuggerd.te
index 4f84813be0865774f55447533fd73e136ea52b87..0e3cf68055f8406ea53a72d66441f35a8ebe70ff 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -1,5 +1,5 @@
 # debugger interface
-type debuggerd, domain;
+type debuggerd, domain, domain_deprecated;
 type debuggerd_exec, exec_type, file_type;
 
 init_daemon_domain(debuggerd)
diff --git a/dex2oat.te b/dex2oat.te
index 0eb3881e98e34ef712ed6a05e20e402daf6a0c6e..83a7c8af54ee2401df4d5cc87b3c8c4d28a88858 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -1,5 +1,5 @@
 # dex2oat
-type dex2oat, domain;
+type dex2oat, domain, domain_deprecated;
 type dex2oat_exec, exec_type, file_type;
 
 allow dex2oat dalvikcache_data_file:file write;
diff --git a/dhcp.te b/dhcp.te
index 078e5125dce854503ba2d5046215b99ee0ba8819..548a37c2dadbb339a9737066b6373d38996d0d18 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -1,4 +1,4 @@
-type dhcp, domain;
+type dhcp, domain, domain_deprecated;
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 
diff --git a/dnsmasq.te b/dnsmasq.te
index d802a35579f389970489fb457fd7dd9f0540f443..e5e4198c0e43cdb481c5a2c8e40b05abc9cb9bcd 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -1,5 +1,5 @@
 # DNS, DHCP services
-type dnsmasq, domain;
+type dnsmasq, domain, domain_deprecated;
 type dnsmasq_exec, exec_type, file_type;
 
 net_domain(dnsmasq)
diff --git a/domain_deprecated.te b/domain_deprecated.te
new file mode 100644
index 0000000000000000000000000000000000000000..1af20b847f538a4047cb646fecee164bc04d1eba
--- /dev/null
+++ b/domain_deprecated.te
@@ -0,0 +1 @@
+# rules removed from the domain attribute
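Review bot: The one-line header on this new file does not say who receives the rules that will be placed here or when a rule may be deleted. Every type touched by this change is given the attribute, so any allow rule later added to this file is granted to all of them, app domains included. I would expand the header to something like `# Rules moved off the domain attribute. Each rule here is granted to every type that carries domain_deprecated; delete a rule once no remaining type needs it.` That wording follows the intent described in the attributes comment; adjust it if the migration plan differs.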
diff --git a/drmserver.te b/drmserver.te
index d76d3bebbf53427ae77898f449035a45f2d616c4..3b654cc4f4f87fa76cff5b39d897b91564f92981 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -1,5 +1,5 @@
 # drmserver - DRM service
-type drmserver, domain;
+type drmserver, domain, domain_deprecated;
 type drmserver_exec, exec_type, file_type;
 
 init_daemon_domain(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
index 7fe78e32e4acc1e041537b8a21dbd687359bf1d0..036fdf77932b5b2745ffcb07465fd75520ac0ca6 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -1,5 +1,5 @@
 # dumpstate
-type dumpstate, domain, mlstrustedsubject;
+type dumpstate, domain, domain_deprecated, mlstrustedsubject;
 type dumpstate_exec, exec_type, file_type;
 
 init_daemon_domain(dumpstate)
diff --git a/fingerprintd.te b/fingerprintd.te
index 4ceb68dd352150fdf370b1fbc604c7f4f2c1d641..1c0ab1c9e8fd0fcdd6c6ce4bd19edb82df7d5d34 100644
--- a/fingerprintd.te
+++ b/fingerprintd.te
@@ -1,4 +1,4 @@
-type fingerprintd, domain;
+type fingerprintd, domain, domain_deprecated;
 type fingerprintd_exec, exec_type, file_type;
 
 # fingerprintd
diff --git a/fsck.te b/fsck.te
index 8c1aaf361e0c94b0d499ce01c4fab3a799211395..e90a49e9b75de2008e05dfaa566b07cdbf94752f 100644
--- a/fsck.te
+++ b/fsck.te
@@ -1,5 +1,5 @@
 # Any fsck program run by init
-type fsck, domain;
+type fsck, domain, domain_deprecated;
 type fsck_exec, exec_type, file_type;
 
 init_daemon_domain(fsck)
diff --git a/fsck_untrusted.te b/fsck_untrusted.te
index 67c67b762705e863a5688d24b0000236c18e3d8c..4f01db2150b2e434b3f8f14e1cc6d50801978c42 100644
--- a/fsck_untrusted.te
+++ b/fsck_untrusted.te
@@ -1,5 +1,5 @@
 # Any fsck program run on untrusted block devices
-type fsck_untrusted, domain;
+type fsck_untrusted, domain, domain_deprecated;
 
 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
diff --git a/gatekeeperd.te b/gatekeeperd.te
index ca540c68fc8d054076fe1f15c2ed82b80aaa4d51..81d7fdf6da2afd2c92a93730ad145f2dbe666f93 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -1,4 +1,4 @@
-type gatekeeperd, domain;
+type gatekeeperd, domain, domain_deprecated;
 type gatekeeperd_exec, exec_type, file_type;
 
 # gatekeeperd
diff --git a/gpsd.te b/gpsd.te
index 4b22223142825d9ee7345752422737f719b1a9ec..07e0feb6d8ecac830005a0644bbc4acaa163add1 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -1,5 +1,5 @@
 # gpsd - GPS daemon
-type gpsd, domain;
+type gpsd, domain, domain_deprecated;
 type gpsd_exec, exec_type, file_type;
 
 init_daemon_domain(gpsd)
diff --git a/hci_attach.te b/hci_attach.te
index 3cb0953e545835b3c64ff52de0f724e1b8e010f9..543cae1a0096846f3a6f37312ade7d8b4bc3b98a 100644
--- a/hci_attach.te
+++ b/hci_attach.te
@@ -1,4 +1,4 @@
-type hci_attach, domain;
+type hci_attach, domain, domain_deprecated;
 type hci_attach_exec, exec_type, file_type;
 
 init_daemon_domain(hci_attach)
diff --git a/healthd.te b/healthd.te
index cd5429be129f61b2f227f1452efbcbdff7296c97..48be64d99f612e76d6301b5c811f23f257775887 100644
--- a/healthd.te
+++ b/healthd.te
@@ -1,6 +1,6 @@
 # healthd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type healthd, domain;
+type healthd, domain, domain_deprecated;
 
 # Write to /dev/kmsg
 allow healthd kmsg_device:chr_file rw_file_perms;
diff --git a/hostapd.te b/hostapd.te
index 11145de93a668730aed07ca3020752047de59074..858c28645326a4bc74ac0aa2ebdce890f8afac67 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -1,5 +1,5 @@
 # userspace wifi access points
-type hostapd, domain;
+type hostapd, domain, domain_deprecated;
 type hostapd_exec, exec_type, file_type;
 
 net_domain(hostapd)
diff --git a/idmap.te b/idmap.te
index 1ab497ee07d8755d93cc83a5aa38358d2de2d93c..c1b4d0fd8d5ad000f84eb991bcac08403688e2de 100644
--- a/idmap.te
+++ b/idmap.te
@@ -1,5 +1,5 @@
 # idmap, when executed by installd
-type idmap, domain;
+type idmap, domain, domain_deprecated;
 type idmap_exec, exec_type, file_type;
 
 # Use open file to /data/resource-cache file inherited from installd.
diff --git a/init.te b/init.te
index 1f33a97816fce0a8ea705c2b9e572de3ebe2b796..e6c782584caeca032d72c4ff324da6795f9f5c6c 100644
--- a/init.te
+++ b/init.te
@@ -1,5 +1,5 @@
 # init is its own domain.
-type init, domain, mlstrustedsubject;
+type init, domain, domain_deprecated, mlstrustedsubject;
 tmpfs_domain(init)
 
 # The init domain is entered by execing init.
diff --git a/inputflinger.te b/inputflinger.te
index 11a60a65e4c0e850e1ea7d5596346dda64384911..324f3f6cfdc87c26cc0720a79b58a7054c6cc0f4 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -1,5 +1,5 @@
 # inputflinger
-type inputflinger, domain;
+type inputflinger, domain, domain_deprecated;
 type inputflinger_exec, exec_type, file_type;
 
 init_daemon_domain(inputflinger)
diff --git a/install_recovery.te b/install_recovery.te
index 9bef3bb5ab6ca9a38e50af2b79853c60320f4d50..b11ff7497a4c7362522212aa2c4f1925aa10e502 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -1,5 +1,5 @@
 # service flash_recovery in init.rc
-type install_recovery, domain;
+type install_recovery, domain, domain_deprecated;
 type install_recovery_exec, exec_type, file_type;
 
 init_daemon_domain(install_recovery)
diff --git a/installd.te b/installd.te
index 3b4d56aa4598c10969ee12d70af52d10f7fb2c16..a8cb8d459f8d603c2bf503da807ca758e1971b86 100644
--- a/installd.te
+++ b/installd.te
@@ -1,5 +1,5 @@
 # installer daemon
-type installd, domain;
+type installd, domain, domain_deprecated;
 type installd_exec, exec_type, file_type;
 
 init_daemon_domain(installd)
diff --git a/isolated_app.te b/isolated_app.te
index f40527316b746a8d38d0aa217be0d67fb7c6413e..2cf5578953386ce4f59dff4dfe4a568d2a742730 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -9,7 +9,7 @@
 ### additional following rules:
 ###
 
-type isolated_app, domain;
+type isolated_app, domain, domain_deprecated;
 app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
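Review bot: isolated_app receives domain_deprecated here exactly like the privileged daemons, so whatever is later moved from domain into domain_deprecated stays granted to this confined app domain until someone removes the attribute. The same applies to the hunks in untrusted_app.te, blkid_untrusted.te and fsck_untrusted.te, which by their own comments deal with untrusted apps or untrusted block devices. Assigning the attribute everywhere keeps this commit behavior-preserving, but I would mark these types as the first to drop it, e.g. `# TODO: remove domain_deprecated; this domain should not need the legacy domain permissions.` above the type line. The header comment block of isolated_app.te starts outside the hunk.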
diff --git a/kernel.te b/kernel.te
index 31da2af2761e5927f24394231e9cdda0dc8af024..ed6b7ba0ad6450e99e26a90a5ded534f4c3304c1 100644
--- a/kernel.te
+++ b/kernel.te
@@ -1,5 +1,5 @@
 # Life begins with the kernel.
-type kernel, domain, mlstrustedsubject;
+type kernel, domain, domain_deprecated, mlstrustedsubject;
 
 allow kernel self:capability sys_nice;
 
diff --git a/keystore.te b/keystore.te
index 83a0e853990d395b013323890ef7b1ce90941fd5..e2338dbecc0bd311fc3fd14b348216a179620928 100644
--- a/keystore.te
+++ b/keystore.te
@@ -1,4 +1,4 @@
-type keystore, domain;
+type keystore, domain, domain_deprecated;
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon
diff --git a/lmkd.te b/lmkd.te
index 3243ddb5f31937f589d0df6d10872456880c542f..0d641ca7c810261a413d6bd19657cd448baa9681 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -1,5 +1,5 @@
 # lmkd low memory killer daemon
-type lmkd, domain, mlstrustedsubject;
+type lmkd, domain, domain_deprecated, mlstrustedsubject;
 type lmkd_exec, exec_type, file_type;
 
 init_daemon_domain(lmkd)
diff --git a/logd.te b/logd.te
index 56d0d2a71b1f07f49d2f9a08874acf6a047e7237..ab09bf50d8e0e20cc50a7c3e60ae359c61ed4c9d 100644
--- a/logd.te
+++ b/logd.te
@@ -1,5 +1,5 @@
 # android user-space log manager
-type logd, domain, mlstrustedsubject;
+type logd, domain, domain_deprecated, mlstrustedsubject;
 type logd_exec, exec_type, file_type;
 
 init_daemon_domain(logd)
diff --git a/mdnsd.te b/mdnsd.te
index e5fe1e25866b06279b983ff9cacc5392b446da10..43ef26751e6194116c0e6652eac888a4a20969d9 100644
--- a/mdnsd.te
+++ b/mdnsd.te
@@ -1,5 +1,5 @@
 # mdns daemon
-type mdnsd, domain, mlstrustedsubject;
+type mdnsd, domain, domain_deprecated, mlstrustedsubject;
 type mdnsd_exec, exec_type, file_type;
 
 init_daemon_domain(mdnsd)
diff --git a/mediaserver.te b/mediaserver.te
index 9ced4d37a97a5a610b945af0f3bc08c8ee26ae7c..714e55d42dba642acb32b312e2ace9b22175239a 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,5 +1,5 @@
 # mediaserver - multimedia daemon
-type mediaserver, domain;
+type mediaserver, domain, domain_deprecated;
 type mediaserver_exec, exec_type, file_type;
 
 typeattribute mediaserver mlstrustedsubject;
diff --git a/mtp.te b/mtp.te
index dd766749183a836ca7dada28dffd4fb012ac43bb..9677abd19a32a187ed39114c2d095abecd416156 100644
--- a/mtp.te
+++ b/mtp.te
@@ -1,5 +1,5 @@
 # vpn tunneling protocol manager
-type mtp, domain;
+type mtp, domain, domain_deprecated;
 type mtp_exec, exec_type, file_type;
 
 init_daemon_domain(mtp)
diff --git a/netd.te b/netd.te
index 81d76c37ed2a1a16e9932eca2103607f14c2678b..564e91ec0da12b7bc6f88f248a2c6b2fa2d7d5cf 100644
--- a/netd.te
+++ b/netd.te
@@ -1,5 +1,5 @@
 # network manager
-type netd, domain, mlstrustedsubject;
+type netd, domain, domain_deprecated, mlstrustedsubject;
 type netd_exec, exec_type, file_type;
 
 init_daemon_domain(netd)
diff --git a/nfc.te b/nfc.te
index 882725f5948c49d63513edeac29034c36b587b75..e648863ec46f2bd932f760f148f2a67def673601 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,5 +1,5 @@
 # nfc subsystem
-type nfc, domain;
+type nfc, domain, domain_deprecated;
 app_domain(nfc)
 net_domain(nfc)
 binder_service(nfc)
diff --git a/perfprofd.te b/perfprofd.te
index bce990d437733ae2f799c04375face5966a76b62..f76d9919a1605c2861164178b13c2073ad539e27 100644
--- a/perfprofd.te
+++ b/perfprofd.te
@@ -3,7 +3,7 @@ type perfprofd_exec, exec_type, file_type;
 
 userdebug_or_eng(`
 
-  type perfprofd, domain, mlstrustedsubject;
+  type perfprofd, domain, domain_deprecated, mlstrustedsubject;
 
   init_daemon_domain(perfprofd)
 
diff --git a/platform_app.te b/platform_app.te
index f65548bd2f20075afcbb440fc386047a33d59ff9..ed28c76948d6df0df460c9dfee8a1b95c2589b0f 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -2,7 +2,7 @@
 ### Apps signed with the platform key.
 ###
 
-type platform_app, domain;
+type platform_app, domain, domain_deprecated;
 app_domain(platform_app)
 # Access the network.
 net_domain(platform_app)
diff --git a/ppp.te b/ppp.te
index c9b27af55360c1459815709180c675dc5bb37d1d..58b640ae5079dc6b1f55bc7f063d840884c8bd4d 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,5 +1,5 @@
 # Point to Point Protocol daemon
-type ppp, domain;
+type ppp, domain, domain_deprecated;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/priv_app.te b/priv_app.te
index 79b059d1de95c406a695c707eca751f8c2e5a409..ca587b827c63ca3ce187b60dbd14e922aea59d4c 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -1,7 +1,7 @@
 ###
 ### A domain for further sandboxing privileged apps.
 ###
-type priv_app, domain;
+type priv_app, domain, domain_deprecated;
 app_domain(priv_app)
 # Access the network.
 net_domain(priv_app)
diff --git a/racoon.te b/racoon.te
index 6447a3dbc84e027deb5af3747943b2edfb5694e8..1a2e54659bf2e96cbc686590009acbb045e14268 100644
--- a/racoon.te
+++ b/racoon.te
@@ -1,5 +1,5 @@
 # IKE key management daemon
-type racoon, domain;
+type racoon, domain, domain_deprecated;
 type racoon_exec, exec_type, file_type;
 
 init_daemon_domain(racoon)
diff --git a/radio.te b/radio.te
index a01a113769ab03b44897176ba7bb6af4fdf73a26..448fdb5be8520a0af4a30d3bd819d343fdc03298 100644
--- a/radio.te
+++ b/radio.te
@@ -1,5 +1,5 @@
 # phone subsystem
-type radio, domain, mlstrustedsubject;
+type radio, domain, domain_deprecated, mlstrustedsubject;
 app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)
diff --git a/recovery.te b/recovery.te
index d5f6c6beec4f95840b39cc27c833914ce9a00ce5..b4eb2851222d4a1136fe56cd3d5e3b730ebada11 100644
--- a/recovery.te
+++ b/recovery.te
@@ -2,7 +2,7 @@
 
 # Declare the domain unconditionally so we can always reference it
 # in neverallow rules.
-type recovery, domain;
+type recovery, domain, domain_deprecated;
 
 # But the allow rules are only included in the recovery policy.
 # Otherwise recovery is only allowed the domain rules.
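Review bot: The context comment `# Otherwise recovery is only allowed the domain rules.` stops being accurate once rules are added to domain_deprecated.te, because recovery now carries both attributes even outside the recovery policy. I would update it in the same change to `# Otherwise recovery is only allowed the domain and domain_deprecated rules.` so that a reader auditing what recovery can do on a normal boot is pointed at both rule sets. The conditional block this comment introduces lies outside the hunk.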
diff --git a/rild.te b/rild.te
index ea0e4eddd9cc4ea5c0aa1b82b7dbcce19e551946..bcf31d6ad8209d010c691bdb3f7369ec7cab9ee5 100644
--- a/rild.te
+++ b/rild.te
@@ -1,5 +1,5 @@
 # rild - radio interface layer daemon
-type rild, domain;
+type rild, domain, domain_deprecated;
 type rild_exec, exec_type, file_type;
 
 init_daemon_domain(rild)
diff --git a/runas.te b/runas.te
index e51515d9893c208a723d03bae0afb1006c7680ed..4fa686a2fd40337a88baa14269e1d9bbb88e2aa4 100644
--- a/runas.te
+++ b/runas.te
@@ -1,4 +1,4 @@
-type runas, domain, mlstrustedsubject;
+type runas, domain, domain_deprecated, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
 # ndk-gdb invokes adb shell run-as.
diff --git a/sdcardd.te b/sdcardd.te
index a6648200e7c7650d34ce2aca05a5418c0f8bca9f..056e9f829877e896169b0c2f3c7f11c7da69b926 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,4 +1,4 @@
-type sdcardd, domain;
+type sdcardd, domain, domain_deprecated;
 type sdcardd_exec, exec_type, file_type;
 
 allow sdcardd cgroup:dir create_dir_perms;
diff --git a/servicemanager.te b/servicemanager.te
index 9947aa7d0f9e33412245ba97a14feb15e22782bf..84605d1acc6247d5c6f596927801a37fd1f095f4 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -1,5 +1,5 @@
 # servicemanager - the Binder context manager
-type servicemanager, domain, mlstrustedsubject;
+type servicemanager, domain, domain_deprecated, mlstrustedsubject;
 type servicemanager_exec, exec_type, file_type;
 
 init_daemon_domain(servicemanager)
diff --git a/sgdisk.te b/sgdisk.te
index 8a689a1133d4398f3d3c362b4f069dff2539f3c3..b8d6b3ffc321959567fb968631d74d2ca1585fff 100644
--- a/sgdisk.te
+++ b/sgdisk.te
@@ -1,5 +1,5 @@
 # sgdisk called from vold
-type sgdisk, domain;
+type sgdisk, domain, domain_deprecated;
 type sgdisk_exec, exec_type, file_type;
 
 # Allowed to read/write low-level partition tables
diff --git a/shared_relro.te b/shared_relro.te
index 6a1dfd4242dc197c1b308454fad86c9b413f0929..30af14a08b564aed22184f097330128f6fda240b 100644
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -1,5 +1,5 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain;
+type shared_relro, domain, domain_deprecated;
 
 # The shared relro process is a Java program forked from the zygote, so it
 # inherits from app to get basic permissions it needs to run.
diff --git a/shell.te b/shell.te
index 32ca20dbf1936834b386242c14ab604de48a3867..3d2bb5be217e6702d8ac231673589d943177506c 100644
--- a/shell.te
+++ b/shell.te
@@ -1,5 +1,5 @@
 # Domain for shell processes spawned by ADB or console service.
-type shell, domain, mlstrustedsubject;
+type shell, domain, domain_deprecated, mlstrustedsubject;
 type shell_exec, exec_type, file_type;
 
 # Create and use network sockets.
diff --git a/slideshow.te b/slideshow.te
index 86d4bff2e32746b180a43f2b0d44924acfb1819d..3165a65404a16d71145eeeab553d1c5aa609ae7b 100644
--- a/slideshow.te
+++ b/slideshow.te
@@ -1,6 +1,6 @@
 # slideshow seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type slideshow, domain;
+type slideshow, domain, domain_deprecated;
 
 allow slideshow kmsg_device:chr_file rw_file_perms;
 wakelock_use(slideshow)
diff --git a/su.te b/su.te
index 6c4c11504d5a3b393163cee4cfa3b4db927d7f0b..38e3b0d53f4a60733a882e65eb69fc850b0718f5 100644
--- a/su.te
+++ b/su.te
@@ -5,7 +5,7 @@ userdebug_or_eng(`
   # Domain used for su processes, as well as for adbd and adb shell
   # after performing an adb root command.  The domain definition is
   # wrapped to ensure that it does not exist at all on -user builds.
-  type su, domain, mlstrustedsubject;
+  type su, domain, domain_deprecated, mlstrustedsubject;
   domain_auto_trans(shell, su_exec, su)
 
   # Allow dumpstate to call su on userdebug / eng builds to collect
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 26a4e48cf719401822eeacdb98ed752064df5f3b..5d1199dd63c66c5b8a55ec4bc11e43fb4444fe2c 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -1,5 +1,5 @@
 # surfaceflinger - display compositor service
-type surfaceflinger, domain;
+type surfaceflinger, domain, domain_deprecated;
 type surfaceflinger_exec, exec_type, file_type;
 
 init_daemon_domain(surfaceflinger)
diff --git a/system_app.te b/system_app.te
index 08e3f5cc5a4f2654676ef85309ee2f2735089b9f..de9146c5e2afef79d774c347657bff3290c2e6e3 100644
--- a/system_app.te
+++ b/system_app.te
@@ -3,7 +3,7 @@
 # com.android.settings.  These are not as privileged as the system
 # server.
 #
-type system_app, domain;
+type system_app, domain, domain_deprecated;
 app_domain(system_app)
 net_domain(system_app)
 binder_service(system_app)
diff --git a/system_server.te b/system_server.te
index e63cd52de1430458ece4916df1a33671f518ee58..99ca95aeaa109062859a40dcd775dbec63e18acb 100644
--- a/system_server.te
+++ b/system_server.te
@@ -2,7 +2,7 @@
 # System Server aka system_server spawned by zygote.
 # Most of the framework services run in this process.
 #
-type system_server, domain, mlstrustedsubject;
+type system_server, domain, domain_deprecated, mlstrustedsubject;
 
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)
diff --git a/tee.te b/tee.te
index 7cf6ecd8d37d062a65262412f0956fee235cf74d..ab625dea954906a9165fec2e6b43fcbada59791d 100644
--- a/tee.te
+++ b/tee.te
@@ -1,7 +1,7 @@
 ##
 # trusted execution environment (tee) daemon
 #
-type tee, domain;
+type tee, domain, domain_deprecated;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
diff --git a/toolbox.te b/toolbox.te
index 43411024cbf4a6f933f4533d4c7d48a299f18976..d2f969ff8046214ff0c67193bc9e55410e7ed01d 100644
--- a/toolbox.te
+++ b/toolbox.te
@@ -1,7 +1,7 @@
 # Any toolbox command run by init.
 # At present, the only known usage is for running mkswap via fs_mgr.
 # Do NOT use this domain for toolbox when run by any other domain.
-type toolbox, domain;
+type toolbox, domain, domain_deprecated;
 type toolbox_exec, exec_type, file_type;
 
 init_daemon_domain(toolbox)
diff --git a/tzdatacheck.te b/tzdatacheck.te
index a95dc0d2a3f5f0f52a4d7ca8eb739e838e4503b1..f61cb471632586ce4fbbd3cf672747525ed977be 100644
--- a/tzdatacheck.te
+++ b/tzdatacheck.te
@@ -1,5 +1,5 @@
 # The tzdatacheck command run by init.
-type tzdatacheck, domain;
+type tzdatacheck, domain, domain_deprecated;
 type tzdatacheck_exec, exec_type, file_type;
 
 init_daemon_domain(tzdatacheck)
diff --git a/ueventd.te b/ueventd.te
index f4884d70345aad4c0861618862c825819f74d555..04a18a303db0babe5b3455ac6ce7389d40f533d7 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -1,6 +1,6 @@
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type ueventd, domain;
+type ueventd, domain, domain_deprecated;
 tmpfs_domain(ueventd)
 
 # TODO: why is ueventd using __kmsg__ when it should just create
diff --git a/uncrypt.te b/uncrypt.te
index 93f5a274f5eb36356d603fe2187d957812a62392..7608538c3c2899ce822d978998eb89bd17da29ad 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -1,5 +1,5 @@
 # uncrypt
-type uncrypt, domain, mlstrustedsubject;
+type uncrypt, domain, domain_deprecated, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
 
 init_daemon_domain(uncrypt)
diff --git a/untrusted_app.te b/untrusted_app.te
index fa7152f72d310a0d74180e61a94ad77cee259baf..0af8642f729847a73230f7abf7baeda824729e99 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -20,7 +20,7 @@
 ### additional following rules:
 ###
 
-type untrusted_app, domain;
+type untrusted_app, domain, domain_deprecated;
 app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
diff --git a/update_engine.te b/update_engine.te
index 88b0b722f6ed57bbde596a2a7bfca0a944bf6eb2..839d6b7110736dfb3fce6e3e9df00644a02087b7 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -1,5 +1,5 @@
 # Domain for update_engine daemon.
-type update_engine, domain;
+type update_engine, domain, domain_deprecated;
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;
 
diff --git a/vdc.te b/vdc.te
index 8b6a93a4910ce93856443c3695965dec00a9f9f9..54789659e295761413e45b9f4b96502b1b5837ea 100644
--- a/vdc.te
+++ b/vdc.te
@@ -5,7 +5,7 @@
 # We also transition into this domain from dumpstate, when
 # collecting bug reports.
 
-type vdc, domain;
+type vdc, domain, domain_deprecated;
 type vdc_exec, exec_type, file_type;
 
 init_daemon_domain(vdc)
diff --git a/vold.te b/vold.te
index 5ecb5033fe12cbbc059ec016d765e78cffe632c1..c8952af02cd09dc3e2c63b17dcced412b521924d 100644
--- a/vold.te
+++ b/vold.te
@@ -1,5 +1,5 @@
 # volume manager
-type vold, domain;
+type vold, domain, domain_deprecated;
 type vold_exec, exec_type, file_type;
 
 init_daemon_domain(vold)
diff --git a/watchdogd.te b/watchdogd.te
index 00292a9a9914311711ad4ab7e785a89134659b20..4077386f0246731a5299fb0821a8ed5c0287ce63 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,4 +1,4 @@
 # watchdogd seclabel is specified in init.<board>.rc
-type watchdogd, domain;
+type watchdogd, domain, domain_deprecated;
 allow watchdogd watchdog_device:chr_file rw_file_perms;
 allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/wpa.te b/wpa.te
index d6fae63909f4d6a612b770af803d923cab36d802..a562fb75b6ec0b2e8d4119635871504d206fac32 100644
--- a/wpa.te
+++ b/wpa.te
@@ -1,5 +1,5 @@
 # wpa - wpa supplicant or equivalent
-type wpa, domain;
+type wpa, domain, domain_deprecated;
 type wpa_exec, exec_type, file_type;
 
 init_daemon_domain(wpa)
diff --git a/zygote.te b/zygote.te
index 139df85ded2398047ba2035dfbc4afe8f68873a7..d7a8a997a578b905753fd1e2be127cb83eeb8d89 100644
--- a/zygote.te
+++ b/zygote.te
@@ -1,5 +1,5 @@
 # zygote
-type zygote, domain;
+type zygote, domain, domain_deprecated;
 type zygote_exec, exec_type, file_type;
 
 init_daemon_domain(zygote)