diff --git a/dnsmasq.te b/dnsmasq.te
new file mode 100644
index 0000000000000000000000000000000000000000..ff81367984383dfefcd59831ba6a33560406a3b6
--- /dev/null
+++ b/dnsmasq.te
@@ -0,0 +1,7 @@
+type dnsmasq, domain;
+permissive dnsmasq;
+type dnsmasq_exec, exec_type, file_type;
+
+init_daemon_domain(dnsmasq)
+net_domain(dnsmasq)
+unconfined_domain(dnsmasq)
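Review bot: `permissive dnsmasq;` together with `unconfined_domain(dnsmasq)` leaves the new domain both unenforced and granted the unconfined rule set, so the netd → dnsmasq transition added in netd.te moves the process out of a domain this commit confines into one with no restrictions, and nothing in the file records that this is a bootstrap state. Suggest a header comment such as `# TODO: collect denials and replace permissive/unconfined_domain with an explicit rule set.` so the placeholder is not mistaken for a finished policy. The same applies to hostapd.te.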
diff --git a/domain.te b/domain.te
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..a4a06d554d5f4b37adc004440dacf8e221597df6 100644
--- a/domain.te
+++ b/domain.te
@@ -0,0 +1,122 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# Read access to properties mapping.
+allow domain kernel:fd use;
+allow domain tmpfs:file { read getattr };
+
+# Search /storage/emulated tmpfs mount.
+allow domain tmpfs:dir r_dir_perms;
+
+# binder adjusts the nice value during IPC.
+allow domain self:capability sys_nice;
+
+# Intra-domain accesses.
+allow domain self:process ~{ execstack execheap };
+allow domain self:fd use;
+allow domain self:dir r_dir_perms;
+allow domain self:lnk_file r_file_perms;
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:{ unix_dgram_socket unix_stream_socket } *;
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+allow domain system:fd use;
+
+# Connect to adbd and use a socket transferred from it.
+allow domain adbd:unix_stream_socket connectto;
+allow domain adbd:fd use;
+allow domain adbd:unix_stream_socket { getattr read write shutdown };
+
+# Talk to debuggerd.
+allow domain debuggerd:process sigchld;
+allow domain debuggerd:unix_stream_socket connectto;
+
+# Root fs.
+allow domain rootfs:dir r_dir_perms;
+allow domain rootfs:lnk_file { read getattr };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file read;
+allow domain devpts:dir search;
+allow domain device:file read;
+allow domain socket_device:dir search;
+allow domain owntty_device:chr_file rw_file_perms;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file r_file_perms;
+allow domain ashmem_device:chr_file rw_file_perms;
+allow domain binder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain powervr_device:chr_file rw_file_perms;
+allow domain log_device:dir search;
+allow domain log_device:chr_file rw_file_perms;
+allow domain nv_device:chr_file rw_file_perms;
+allow domain alarm_device:chr_file r_file_perms;
+allow domain urandom_device:chr_file r_file_perms;
+allow domain random_device:chr_file r_file_perms;
+allow domain properties_device:file r_file_perms;
+
+# Filesystem accesses.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# System file accesses.
+allow domain system_file:dir r_dir_perms;
+allow domain system_file:file r_file_perms;
+allow domain system_file:file execute;
+allow domain system_file:lnk_file read;
+
+# Read files already opened under /data.
+allow domain system_data_file:dir { search getattr };
+allow domain system_data_file:file { getattr read };
+allow domain system_data_file:lnk_file read;
+
+# Read apk files under /data/app.
+allow domain apk_data_file:dir search;
+allow domain apk_data_file:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow domain dalvikcache_data_file:dir { search getattr };
+allow domain dalvikcache_data_file:file r_file_perms;
+
+# Read already opened /cache files.
+allow domain cache_file:dir r_dir_perms;
+allow domain cache_file:file { getattr read };
+allow domain cache_file:lnk_file read;
+
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir { search write };
+allow domain cgroup:file w_file_perms;
+
+#Allow access to ion memory allocation device
+allow domain ion_device:chr_file rw_file_perms;
+
+# For /sys/qemu_trace files in the emulator.
+bool in_qemu false;
+if (in_qemu) {
+allow domain sysfs:file rw_file_perms;
+}
+allow domain sysfs_writable:file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(domain, proc)
+r_dir_file(domain, sysfs)
+r_dir_file(domain, inotify)
+r_dir_file(domain, cgroup)
+
+# debugfs access
+bool debugfs false;
+if (debugfs) {
+allow domain debugfs:dir r_dir_perms;
+allow domain debugfs:file rw_file_perms;
+} else {
+dontaudit domain debugfs:dir r_dir_perms;
+dontaudit domain debugfs:file  rw_file_perms;
+}
+
+# security files
+allow domain security_file:dir { search getattr };
+allow domain security_file:file getattr;
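Review bot: `allow domain self:process ~{ execstack execheap };` is a complement set, so every domain is granted all other process permissions on itself, including execmem, ptrace, setcurrent and setexec, which normally only specific domains need. If that breadth is not intended, enumerate the permissions that genuinely apply to all domains, or at least widen the exclusion, e.g. `allow domain self:process ~{ execmem execstack execheap ptrace setcurrent setexec };`, and add a comment stating which of the remaining permissions every domain relies on. `allow domain self:{ unix_dgram_socket unix_stream_socket } *;` similarly grants the full vector; a one-line comment on why the wildcard is needed would help later tightening.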
diff --git a/file_contexts b/file_contexts
index 766bf5999edfa1011dcd8a51410063c2ed0895ce..00ca3b1b5986676168dffab335fdd30923454ac0 100644
--- a/file_contexts
+++ b/file_contexts
@@ -150,6 +150,8 @@
 /system/xbin/su		u:object_r:su_exec:s0
 /system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
 /system/bin/ping    u:object_r:ping_exec:s0
+/system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
+/system/bin/hostapd     u:object_r:hostapd_exec:s0
 #############################
 # Vendor files
 #
diff --git a/hostapd.te b/hostapd.te
new file mode 100644
index 0000000000000000000000000000000000000000..f13b2e0226bad9515da8acf3dfd6d0f51d9071ca
--- /dev/null
+++ b/hostapd.te
@@ -0,0 +1,7 @@
+type hostapd, domain;
+permissive hostapd;
+type hostapd_exec, exec_type, file_type;
+
+init_daemon_domain(hostapd)
+net_domain(hostapd)
+unconfined_domain(hostapd)
diff --git a/netd.te b/netd.te
index 6f294edb4597afc6dca1856cff2acee4b572e908..3726ec4a1c12a49458434330bf27963ceee0efa0 100644
--- a/netd.te
+++ b/netd.te
@@ -2,7 +2,49 @@
 type netd, domain;
 type netd_exec, exec_type, file_type;
 
-permissive netd;
-unconfined_domain(netd)
 init_daemon_domain(netd)
+typeattribute netd mlstrustedsubject;
+allow netd self:capability { net_admin net_raw kill };
+allow netd self:netlink_kobject_uevent_socket *;
+allow netd self:netlink_route_socket *;
+allow netd self:netlink_nflog_socket *;
+allow netd self:rawip_socket *;
+allow netd self:udp_socket *;
+allow netd node:udp_socket node_bind;
+allow netd port:udp_socket name_bind;
+allow netd self:unix_stream_socket *;
+allow netd shell_exec:file rx_file_perms;
+allow netd system_file:file x_file_perms;
+allow netd devpts:chr_file rw_file_perms;
+
+# For /proc/sys/net/ipv[46]/route/flush.
+# XXX Split /proc/sys/net into its own type.
+allow netd proc:file write;
+
+# For /sys/modules/bcmdhd/parameters/firmware_path
+# XXX Split into its own type.
+allow netd sysfs:file write;
+
+# Set dhcp lease for PAN connection
+unix_socket_connect(netd, property, init)
+allow netd system_prop:property_service set;
+
+# Connect to PAN
 domain_auto_trans(netd, dhcp_exec, dhcp)
+allow netd dhcp:process signal;
+
+# Needed to update /data/misc/wifi/hostapd.conf
+# TODO: See what we can do to reduce the need for
+# these capabilities
+allow netd self:capability { dac_override chown fowner };
+allow netd wifi_data_file:file create_file_perms;
+allow netd wifi_data_file:dir rw_dir_perms;
+
+# Allow netd to spawn hostapd in it's own domain
+domain_auto_trans(netd, hostapd_exec, hostapd)
+allow netd hostapd:process signal;
+
+# Allow netd to spawn dnsmasq in it's own domain
+domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+allow netd dnsmasq:process signal;
+
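Review bot: `allow netd shell_exec:file rx_file_perms;` and `allow netd system_file:file x_file_perms;` let netd execute the shell and any system binary without a domain transition, so those children run with netd's `net_admin net_raw kill` capabilities and its write access to `proc:file` and `sysfs:file`, yet the hunk does not say which helpers netd needs to run. A comment above those two rules naming them, e.g. `# Executed in the netd domain: <helper binaries netd invokes>`, would let a later change narrow them to dedicated exec types with transitions as done for hostapd and dnsmasq below. As a wording point, the two comments `# Allow netd to spawn hostapd in it's own domain` and `# Allow netd to spawn dnsmasq in it's own domain` should read `its own domain`.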