diff --git a/app.te b/app.te
index cb8091b64..76b765d37 100644
--- a/app.te
+++ b/app.te
@@ -110,6 +110,8 @@ allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
 allow untrusted_app port_type:udp_socket name_bind;
 allow untrusted_app port_type:tcp_socket name_bind;
 unix_socket_connect(untrusted_app, dnsproxyd, netd)
+allow untrusted_app tun_device:chr_file rw_file_perms;
+allow untrusted_app untrusted_app:netlink_route_socket write;
 # Get route information.
 allow untrusted_app self:netlink_route_socket { create bind read nlmsg_read };
 }
diff --git a/device.te b/device.te
index ecb7c10c3..4f3032ac9 100644
--- a/device.te
+++ b/device.te
@@ -42,6 +42,8 @@ type ion_device, dev_type;
 type gps_device, dev_type;
 type qtaguid_device, dev_type;
 type watchdog_device, dev_type;
+type uhid_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
 # All devices have a uart for the hci
 # attach service. The uart dev node
diff --git a/file.te b/file.te
index 65788df5b..cc196a3e4 100644
--- a/file.te
+++ b/file.te
@@ -87,6 +87,7 @@ type keystore_socket, file_type;
 type netd_socket, file_type;
 type property_socket, file_type;
 type qemud_socket, file_type;
+type racoon_socket, file_type;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
 type system_wpa_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 0d2db388b..00a79b206 100644
--- a/file_contexts
+++ b/file_contexts
@@ -89,6 +89,7 @@
 /dev/socket/netd u:object_r:netd_socket:s0
 /dev/socket/property_service u:object_r:property_socket:s0
 /dev/socket/qemud u:object_r:qemud_socket:s0
+/dev/socket/racoon u:object_r:racoon_socket:s0
 /dev/socket/rild u:object_r:rild_socket:s0
 /dev/socket/rild-debug u:object_r:rild_debug_socket:s0
 /dev/socket/vold u:object_r:vold_socket:s0
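Review bot: The second added rule, `allow untrusted_app untrusted_app:netlink_route_socket write;`, names the domain as its own target instead of `self` and is separated from the existing `self:netlink_route_socket { create bind read nlmsg_read }` rule by the `# Get route information.` comment, which now reads as if it covered only the latter. Folding it in as `allow untrusted_app self:netlink_route_socket { create bind read write nlmsg_read };` keeps one rule per class and keeps the comment accurate; `nlmsg_write` is still not granted, so apps can send queries but not route-modification messages. The first added rule gives every untrusted app `rw_file_perms` on `tun_device`, which in this policy's macros also carries `ioctl` (verify against global_macros); if this exists for VpnService, a one-line comment such as `# VpnService: apps may open /dev/tun; system_server also hands over tun fds` would record the intent and let a later review decide whether direct open access is needed in addition to fd passing. The enclosing block starts outside the hunk and ends at the `}` context line.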
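Review bot: `type tun_device, dev_type, mlstrustedobject;` adds the MLS override with no comment saying why the tun node must be reachable across MLS levels, and `uhid_device` next to it has no domain rule anywhere in this diff, only a label in file_contexts. A comment such as `# mlstrustedobject: /dev/tun is opened by system, racoon and app domains — confirm the MLS level spread requires this` on the tun line, and one naming the intended user of `uhid_device`, would keep device.te self-explanatory.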
@@ -100,6 +101,8 @@
 /dev/tf_driver u:object_r:tee_device:s0
 /dev/tty[0-9]* u:object_r:tty_device:s0
 /dev/ttyS[0-9]* u:object_r:serial_device:s0
+/dev/tun u:object_r:tun_device:s0
+/dev/uhid u:object_r:uhid_device:s0
 /dev/uinput u:object_r:input_device:s0
 /dev/urandom u:object_r:urandom_device:s0
 /dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
@@ -135,6 +138,7 @@
 /system/bin/mtpd u:object_r:mtp_exec:s0
 /system/bin/pppd u:object_r:ppp_exec:s0
 /system/bin/tf_daemon u:object_r:tee_exec:s0
+/system/bin/racoon u:object_r:racoon_exec:s0
 /system/etc/ppp(/.*)? u:object_r:ppp_system_file:s0
 /system/etc/dhcpcd(/.*)? u:object_r:dhcp_system_file:s0
 /system/xbin/su u:object_r:su_exec:s0
diff --git a/global_macros b/global_macros
index cb3ed95af..2f9b4fa6b 100644
--- a/global_macros
+++ b/global_macros
@@ -38,3 +38,8 @@ define(`r_ipc_perms', `{ getattr read associate unix_read }')
 define(`w_ipc_perms', `{ write unix_write }')
 define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
 define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
+
+#####################################
+# Common socket permission sets.
+define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`create_socket_perms', `{ create rw_socket_perms }')
diff --git a/racoon.te b/racoon.te
new file mode 100644
index 000000000..9f556e0b8
--- /dev/null
+++ b/racoon.te
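Review bot: The new `rw_socket_perms` set grants `bind` and `connect` alongside `setopt` and `shutdown` but leaves out `listen` and `accept`, and the header `# Common socket permission sets.` does not say so. That is fine for the current user — racoon.te applies `create_socket_perms` to `udp_socket` and `key_socket`, neither of which listens — but a later reader may reach for the macro on a stream socket and be surprised. Suggest `# Common socket permission sets (no listen/accept: intended for datagram and key sockets).`.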
@@ -0,0 +1,25 @@
+# IKE key management daemon
+type racoon, domain;
+type racoon_exec, exec_type, file_type;
+
+init_daemon_domain(racoon)
+typeattribute racoon mlstrustedsubject;
+
+binder_call(racoon, servicemanager)
+binder_call(racoon, keystore)
+
+allow racoon tun_device:chr_file r_file_perms;
+allow racoon cgroup:dir { add_name create };
+allow racoon kernel:system module_request;
+allow racoon port:udp_socket name_bind;
+allow racoon node:udp_socket node_bind;
+
+allow racoon self:{ key_socket udp_socket } create_socket_perms;
+allow racoon self:tun_socket create;
+allow racoon self:capability { net_admin net_bind_service net_raw setuid };
+
+# XXX: should we give ip-up-vpn its own label (currently racoon domain)
+allow racoon ppp_system_file:file rx_file_perms;
+allow racoon ppp_system_file:dir search;
+allow racoon vpn_data_file:file create_file_perms;
+allow racoon vpn_data_file:dir w_dir_perms;
diff --git a/system.te b/system.te
index 62240feb9..c907a796c 100644
--- a/system.te
+++ b/system.te
@@ -93,6 +93,9 @@ allow system self:packet_socket *;
 # Notify init of death.
 allow system init:process sigchld;
 
+# 3rd party VPN clients require a tun_socket to be created
+allow system self:tun_socket create;
+
 # Talk to init and various daemons via sockets.
 unix_socket_connect(system, property, init)
 unix_socket_connect(system, qemud, qemud)
@@ -104,6 +107,7 @@ unix_socket_connect(system, keystore, keystore)
 unix_socket_connect(system, dbus, dbusd)
 unix_socket_connect(system, gps, gpsd)
 unix_socket_connect(system, bluetooth, bluetoothd)
+unix_socket_connect(system, racoon, racoon)
 unix_socket_send(system, wpa, wpa)
 
 # Communicate over a socket created by surfaceflinger.
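Review bot: `allow racoon self:capability { net_admin net_bind_service net_raw setuid };`, `typeattribute racoon mlstrustedsubject;` and `allow racoon kernel:system module_request;` are the privileged core of the new domain, and none of them says what in racoon needs it — the file header only states `# IKE key management daemon`. A why-comment on each would let the grants be re-checked when racoon changes, e.g. `# net_admin/net_raw: IPsec SA and policy setup via key_socket; net_bind_service: IKE UDP ports; setuid: drops privileges after start — confirm against racoon's startup` and `# module_request: kernel autoloads IPsec/tun modules on demand — confirm`. The `# XXX` note already records that ip-up-vpn runs in the racoon domain; since `allow racoon ppp_system_file:file rx_file_perms;` means scripts under that label execute with the full capability set above, the note should say the open question is a domain transition for the script, not merely a separate file label. The hunk is the whole new file, so the review covers the complete domain.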
@@ -147,6 +151,9 @@ allow system urandom_device:chr_file rw_file_perms;
 allow system video_device:chr_file rw_file_perms;
 allow system qemu_device:chr_file rw_file_perms;
 
+# tun device used for 3rd party vpn apps
+allow system tun_device:chr_file rw_file_perms;
+
 # Manage data files.
 allow system data_file_type:dir create_dir_perms;
 allow system data_file_type:notdevfile_class_set create_file_perms;
@@ -195,8 +202,9 @@ allow system domain:file r_file_perms;
 allow system gps_device:chr_file rw_file_perms;
 allow system gps_control:file rw_file_perms;
 
-# system Read/Write udp_socket of untrusted_app
-allow system appdomain:udp_socket { read write };
+# system Read/Write tcp/udp_socket of untrusted_app
+allow system appdomain:{ tcp_socket udp_socket } { setopt read write };
+
 # Allow abstract socket connection
 allow system rild:unix_stream_socket connectto;
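Review bot: The rewritten comment `# system Read/Write tcp/udp_socket of untrusted_app` in the last hunk still names `untrusted_app` while the rule targets `appdomain` (every app domain), and it does not mention the newly added `setopt`, which lets system_server change socket options on sockets owned by apps. Suggest `# system reads/writes and sets options on tcp/udp sockets handed in from any appdomain (VpnService fd handling — confirm)` so the comment matches the rule's actual scope. The added `+` blank line after the rule appears to leave two consecutive blank lines before `# Allow abstract socket connection`; drop one.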