diff --git a/BoardConfig.mk b/BoardConfig.mk
index a77a6533200647fb31de500bfbae62533bea6b92..139f6f8c147e22cc99af613b26e39778f5b40688 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -49,8 +49,9 @@ TARGET_HAS_NO_WLAN_STATS := true
 ENABLE_VENDOR_RIL_SERVICE := true
 
 # SELinux
-BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy-mods/vendor
 BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(DEVICE_PATH)/sepolicy-mods/private
+BOARD_PLAT_PUBLIC_SEPOLICY_DIR += $(DEVICE_PATH)/sepolicy-mods/public
+BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy-mods/vendor
 
 # inherit from the proprietary version
 -include vendor/motorola/beckham/BoardConfigVendor.mk
diff --git a/sepolicy-mods/private/mods_app.te b/sepolicy-mods/private/mods_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..d641e9fbc2f78bcbd943c041d003157ccb3967ee
--- /dev/null
+++ b/sepolicy-mods/private/mods_app.te
@@ -0,0 +1,11 @@
+# ModService
+typeattribute mods_app coredomain;
+
+app_domain(mods_app)
+net_domain(mods_app)
+
+allow mods_app {
+    app_api_service
+    system_api_service
+}:service_manager find;
+
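Review bot: `net_domain(mods_app)` and the `service_manager find` rule over all of `app_api_service` and `system_api_service` give this platform-signed privileged domain network sockets and a very wide service surface, and nothing in the file says why either is needed. If ModService has no network function, drop `net_domain(mods_app)`; otherwise add a comment such as `# ModService needs network access for <reason>`. The attribute-wide `find` should carry a comment naming the services the app actually calls. It also appears to make the per-service `find` rules for `audioserver_service`, `cameraserver_service` and `radio_service` in vendor/mods_app.te redundant, so keep one of the two approaches, preferably the narrow list.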
diff --git a/sepolicy-mods/private/platform_app.te b/sepolicy-mods/private/platform_app.te
deleted file mode 100644
index d0dd995132cadf758403ca465f369c635c973d47..0000000000000000000000000000000000000000
--- a/sepolicy-mods/private/platform_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow platform_app mods_service:service_manager find;
-allow platform_app mods_service:service_manager add;
-
diff --git a/sepolicy-mods/private/seapp_contexts b/sepolicy-mods/private/seapp_contexts
new file mode 100644
index 0000000000000000000000000000000000000000..eee7b55bb62fab228f21c201113240a387f0efd3
--- /dev/null
+++ b/sepolicy-mods/private/seapp_contexts
@@ -0,0 +1,2 @@
+# ModService
+user=_app isPrivApp=true seinfo=platform name=com.motorola.modservice domain=mods_app type=app_data_file levelFrom=user
diff --git a/sepolicy-mods/public/mods_app.te b/sepolicy-mods/public/mods_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..5bb43fa9f20bb1c24450c323625dd38e8bc4425e
--- /dev/null
+++ b/sepolicy-mods/public/mods_app.te
@@ -0,0 +1 @@
+type mods_app, domain, mlstrustedsubject;
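Review bot: Declaring the type with `mlstrustedsubject` exempts mods_app from the MLS constraints, so the `levelFrom=user` in the new seapp_contexts entry no longer separates this domain from other users' data. If the exemption is needed (for example to reach files at a different level), state that in a comment above the declaration, such as `# mlstrustedsubject: needs access to <object> across user levels`. Otherwise declare it as `type mods_app, domain;` and add the attribute only once a denial shows it is required.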
diff --git a/sepolicy-mods/private/service.te b/sepolicy-mods/public/service.te
similarity index 100%
rename from sepolicy-mods/private/service.te
rename to sepolicy-mods/public/service.te
diff --git a/sepolicy-mods/private/cameraserver.te b/sepolicy-mods/vendor/cameraserver.te
similarity index 100%
rename from sepolicy-mods/private/cameraserver.te
rename to sepolicy-mods/vendor/cameraserver.te
diff --git a/sepolicy-mods/vendor/file_contexts b/sepolicy-mods/vendor/file_contexts
index 12eaf21b63562363fb06c4693046b6373c72049b..919bc8febaa083cdd5bb37e334019bb568e3312f 100644
--- a/sepolicy-mods/vendor/file_contexts
+++ b/sepolicy-mods/vendor/file_contexts
@@ -1,5 +1,6 @@
-/(vendor|system/vendor)/bin/init\.gbmods\.sh                u:object_r:init-gbmods-sh_exec:s0
-/(vendor|system/vendor)/bin/mods_camd                       u:object_r:mods_exec:s0
+/(vendor|system/vendor)/bin/init\.gbmods\.sh                u:object_r:init_mods_exec:s0
+/(vendor|system/vendor)/bin/mods_camd                       u:object_r:mods_camd_exec:s0
+/(vendor|system/vendor)/lib(64)?/libmodmanager\.so          u:object_r:same_process_hal_file:s0
 
 # Greybus (Mods)
 /data/gbfirmware(/.*)?                                      u:object_r:gbfirmware_file:s0
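Review bot: The new `libmodmanager\.so` entry uses `same_process_hal_file`, a label that platform policy lets every domain, including untrusted apps, map and execute. That label is meant for libraries loaded in-process by clients, so it is worth confirming that libmodmanager.so and everything it links against is intended to run inside arbitrary client processes. Add a comment above the entry naming the client that loads it, e.g. `# dlopen'ed in-process by <client>; must stay same_process_hal_file`. If only ModService loads it, a narrower type readable by that domain alone would expose less.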
diff --git a/sepolicy-mods/vendor/hal_camera_default.te b/sepolicy-mods/vendor/hal_camera_default.te
new file mode 100644
index 0000000000000000000000000000000000000000..b6ed90fe546d538c84fb8c61e5e7acda017f57f5
--- /dev/null
+++ b/sepolicy-mods/vendor/hal_camera_default.te
@@ -0,0 +1,2 @@
+allow hal_camera_default sysfs_mods_camd:dir r_dir_perms;
+allow hal_camera_default sysfs_mods_camd:file r_file_perms;
diff --git a/sepolicy-mods/vendor/hal_graphics_composer_default.te b/sepolicy-mods/vendor/hal_graphics_composer_default.te
new file mode 100644
index 0000000000000000000000000000000000000000..7b5a0414fdc3044ba644644cf34bf789b21acfcf
--- /dev/null
+++ b/sepolicy-mods/vendor/hal_graphics_composer_default.te
@@ -0,0 +1,2 @@
+allow hal_graphics_composer_default sysfs_mods_camd:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_mods_camd:file r_file_perms;
diff --git a/sepolicy-mods/vendor/hwservice.te b/sepolicy-mods/vendor/hwservice.te
new file mode 100644
index 0000000000000000000000000000000000000000..e118393575b14a91a31425a630566e6d8019b4a7
--- /dev/null
+++ b/sepolicy-mods/vendor/hwservice.te
@@ -0,0 +1,2 @@
+type hal_modmanager_hwservice, hwservice_manager_type;
+
diff --git a/sepolicy-mods/vendor/hwservice_contexts b/sepolicy-mods/vendor/hwservice_contexts
new file mode 100644
index 0000000000000000000000000000000000000000..1b0816735050e305e654e3815daf8d25fc478677
--- /dev/null
+++ b/sepolicy-mods/vendor/hwservice_contexts
@@ -0,0 +1,2 @@
+com.motorola.mod::IModManager                               u:object_r:hal_modmanager_hwservice:s0
+
diff --git a/sepolicy-mods/vendor/init_gbmods.te b/sepolicy-mods/vendor/init_gbmods.te
deleted file mode 100644
index c556cb50c976ae00043a806eeb3c47922bdb7f34..0000000000000000000000000000000000000000
--- a/sepolicy-mods/vendor/init_gbmods.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type init-gbmods-sh, domain;
-type init-gbmods-sh_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(init-gbmods-sh)
-
-allow init-gbmods-sh vendor_shell_exec:file rx_file_perms;
-allow init-gbmods-sh vendor_toolbox_exec:file rx_file_perms;
-
-# execute grep
-allow init-gbmods-sh vendor_file:file rx_file_perms;
-
-# Allow insmod
-allow init-gbmods-sh self:capability sys_module;
-allow init-gbmods-sh vendor_file:system module_load;
-
-set_prop(init-gbmods-sh, ctl_default_prop)
diff --git a/sepolicy-mods/vendor/init_mods.te b/sepolicy-mods/vendor/init_mods.te
new file mode 100644
index 0000000000000000000000000000000000000000..043f56a1fe8da15d41053a458ab61cadf8cfb14d
--- /dev/null
+++ b/sepolicy-mods/vendor/init_mods.te
@@ -0,0 +1,22 @@
+type init_mods, domain;
+type init_mods_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_mods)
+
+allow init_mods sysfs_greybus:dir r_dir_perms;
+allow init_mods sysfs_greybus:{ file lnk_file } rw_file_perms;
+allow init_mods vendor_file:file execute_no_trans;
+allow init_mods vendor_shell_exec:file r_file_perms;
+allow init_mods vendor_toolbox_exec:file rx_file_perms;
+
+# execute grep
+allow init_mods vendor_file:file execute_no_trans;
+
+# Allow insmod
+allow init_mods kernel:key search;
+allow init_mods self:capability sys_module;
+allow init_mods vendor_file:dir r_dir_perms;
+allow init_mods vendor_file:system module_load;
+
+set_prop(init_mods, ctl_default_prop)
+
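Review bot: `allow init_mods vendor_file:system module_load;` together with `self:capability sys_module` lets this script domain load any file carrying the generic `vendor_file` label as a kernel module. Give the Greybus modules their own file type in file_contexts and point `module_load` at that type instead. The rule `allow init_mods vendor_file:file execute_no_trans;` appears twice, once in the first block and again under `# execute grep`, so one copy can go. `set_prop(init_mods, ctl_default_prop)` allows control of any service that has no dedicated ctl property label, so a comment naming the service the script starts or stops would make the intent reviewable.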
diff --git a/sepolicy-mods/vendor/mods.te b/sepolicy-mods/vendor/mods.te
deleted file mode 100644
index 719b637188153f8d8e27f8ec27a8fa331d3f7bcf..0000000000000000000000000000000000000000
--- a/sepolicy-mods/vendor/mods.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type mods, domain;
-type mods_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(mods)
-
-allow mods video_device:{ chr_file file } rw_file_perms;
-allow mods self:netlink_kobject_uevent_socket { bind create read setopt };
-allow mods sysfs_graphics:file rw_file_perms;
-allow mods ion_device:chr_file { open read };
-allow mods sysfs_graphics:dir search;
-allow mods sysfs_mods_camd:file r_file_perms;
-allow mods sysfs_greybus:dir r_dir_perms;
-allow mods sysfs_greybus:file rw_file_perms;
-
diff --git a/sepolicy-mods/vendor/mods_app.te b/sepolicy-mods/vendor/mods_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..44672ea508101e062895fe99e91a8c60083d8145
--- /dev/null
+++ b/sepolicy-mods/vendor/mods_app.te
@@ -0,0 +1,29 @@
+allow mods_app ion_device:chr_file { open read };
+allow mods_app self:netlink_kobject_uevent_socket { bind create read setopt };
+
+allow mods_app gbfirmware_file:dir create_dir_perms;
+allow mods_app gbfirmware_file:file create_file_perms;
+allow mods_app greybus_raw_device:chr_file open;
+
+allow mods_app audioserver_service:service_manager find;
+allow mods_app cameraserver_service:service_manager find;
+allow mods_app mods_service:service_manager find;
+allow mods_app mods_service:service_manager add;
+allow mods_app radio_service:service_manager find;
+
+allow mods_app sysfs_battery_supply:dir r_dir_perms;
+allow mods_app sysfs_battery_supply:{ file lnk_file } r_file_perms;
+allow mods_app sysfs_graphics:dir search;
+allow mods_app sysfs_graphics:file rw_file_perms;
+allow mods_app sysfs_greybus:dir r_dir_perms;
+allow mods_app sysfs_greybus:{ file lnk_file } rw_file_perms;
+allow mods_app sysfs_mods_camd:dir r_dir_perms;
+allow mods_app sysfs_mods_camd:file rw_file_perms;
+allow mods_app sysfs_thermal:dir r_dir_perms;
+allow mods_app sysfs_thermal:{ file lnk_file } r_file_perms;
+allow mods_app sysfs_usb_supply:dir r_dir_perms;
+allow mods_app sysfs_usb_supply:{ file lnk_file} r_file_perms;
+
+allow mods_app mods_camd_device:chr_file rw_file_perms;
+
+get_prop(mods_app, moto_boot_prop)
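Review bot: `allow mods_app mods_service:service_manager add;` is also granted to `platform_app` (vendor/platform_app.te) and `system_app` (vendor/system_app.te), so three domains, two of them shared by many unrelated apps, may register `mods_service`. Only the process that hosts the service should hold `add`. If that is com.motorola.modservice running as mods_app, keep `add` here and reduce the other two files to `find`. Separately, `allow mods_app greybus_raw_device:chr_file open;` grants `open` with no read, write or ioctl, which permits no I/O on its own. It looks like a leftover from a denial log and should be completed to the set actually needed, or removed.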
diff --git a/sepolicy-mods/vendor/mods_camd.te b/sepolicy-mods/vendor/mods_camd.te
index 9a885a65f108e25e155a4f2e8126f184ab3a7bd8..4f0c85546f00f2867bd2bcd6adb88b4921b19dab 100644
--- a/sepolicy-mods/vendor/mods_camd.te
+++ b/sepolicy-mods/vendor/mods_camd.te
@@ -8,10 +8,9 @@ allow mods_camd video_device:chr_file rw_file_perms;
 allow mods_camd self:netlink_kobject_uevent_socket { bind create read setopt };
 allow mods_camd sysfs_mods_camd:file rw_file_perms;
 allow mods_camd sysfs_mods_camd:dir r_dir_perms;
-allow mods_camd sysfs:file { getattr read write };
 allow mods_camd sysfs:file { getattr open read write };
 
-allow mods_camd mods_camd_device:chr_file {getattr ioctl open read write };
+allow mods_camd mods_camd_device:chr_file rw_file_perms;
 
 allow mods_camd sysfs_greybus:file rw_file_perms;
 allow mods_camd sysfs_greybus:dir r_dir_perms;
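Review bot: The rule kept after the de-duplication, `allow mods_camd sysfs:file { getattr open read write };`, still gives mods_camd write access to every node left with the generic `sysfs` label. Since `sysfs_mods_camd` and `sysfs_greybus` already exist, the remaining nodes the daemon writes should be labelled with one of those types (or a new one) in genfs_contexts, and `write` dropped from the generic rule. The switch to `rw_file_perms` on `mods_camd_device` is also slightly wider than the explicit list it replaces, which is fine if intended. The file's type declarations are outside this hunk.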
diff --git a/sepolicy-mods/vendor/platform_app.te b/sepolicy-mods/vendor/platform_app.te
index 048e205c47c7f7bd304afcab46a64de5c53436d4..14b1ccd3f1dc2fa6e74bb40c906082f57da681d6 100644
--- a/sepolicy-mods/vendor/platform_app.te
+++ b/sepolicy-mods/vendor/platform_app.te
@@ -1,7 +1,11 @@
+allow platform_app mods_service:service_manager find;
+allow platform_app mods_service:service_manager add;
+
+allow platform_app mods_app:unix_stream_socket connectto;
+
 allow platform_app sysfs_vibrator:file rw_file_perms;
 allow platform_app sysfs_usb_supply:dir search;
 allow platform_app sysfs_vibrator:dir { search r_dir_perms };
-allow platform_app default_android_service:service_manager find;
 allow platform_app greybus_raw_device:chr_file rw_file_perms;
 allow platform_app greybus_raw_device:dir rw_dir_perms;
 allow platform_app input_device:chr_file getattr;
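Review bot: This commit creates a dedicated `mods_app` domain but leaves every platform-signed app with the Mods hardware access: `greybus_raw_device:chr_file rw_file_perms` here, and `sysfs_mods_camd:file rw_file_perms` and the `gbfirmware_file` create rules in the next hunk. If ModService is the only consumer and now runs as mods_app, those `platform_app` rules can be removed so the access sits in one confined domain. The newly added `allow platform_app mods_app:unix_stream_socket connectto;` would benefit from a comment naming the socket and the client app. The file continues outside both hunks, so other rules may need the same pass.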
@@ -14,3 +18,4 @@ allow platform_app sysfs_mods_camd:file rw_file_perms;
 allow platform_app sysfs_mods_camd:dir r_dir_perms;
 allow platform_app gbfirmware_file:dir create_dir_perms;
 allow platform_app gbfirmware_file:file create_file_perms;
+
diff --git a/sepolicy-mods/vendor/system_app.te b/sepolicy-mods/vendor/system_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..6a710866424e02535b0b1432c72e4c4227fa8862
--- /dev/null
+++ b/sepolicy-mods/vendor/system_app.te
@@ -0,0 +1,5 @@
+add_hwservice(system_app, hal_modmanager_hwservice)
+allow system_app mods_service:service_manager find;
+allow system_app mods_service:service_manager add;
+
+allow system_app mods_app:unix_stream_socket connectto;
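Review bot: `add_hwservice(system_app, hal_modmanager_hwservice)` makes `system_app`, a domain shared by all system-UID apps, the registrant of `com.motorola.mod::IModManager`, so any app in that domain can serve the interface to its clients. A dedicated domain for the process that implements IModManager would keep the registration with one component. If it must stay in system_app, add a comment naming the package that hosts it, e.g. `# IModManager is served by <package>, which runs as system_app`. No `find` rule for `hal_modmanager_hwservice` is visible for any client domain in this diff, so confirm who is expected to look the service up.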