diff --git a/private/service_contexts b/private/service_contexts
index ff9305b7b..2055cdcb1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -43,6 +43,7 @@ DockObserver u:object_r:DockObserver_service:s0
 dreams u:object_r:dreams_service:s0
 drm.drmManager u:object_r:drmserver_service:s0
 dropbox u:object_r:dropbox_service:s0
+dumpstate u:object_r:dumpstate_service:s0
 ethernet u:object_r:ethernet_service:s0
 fingerprint u:object_r:fingerprint_service:s0
 android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 57e870367..24e345eb3 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -174,7 +174,7 @@ userdebug_or_eng(`
 allow dumpstate misc_logd_file:file r_file_perms;
 ')

-allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;

 allow dumpstate devpts:chr_file rw_file_perms;
@@ -197,3 +197,16 @@ allow dumpstate atrace_exec:file rx_file_perms;
 allow dumpstate media_rw_data_file:dir getattr;
 allow dumpstate proc_interrupts:file r_file_perms;
 allow dumpstate proc_zoneinfo:file r_file_perms;
+
+# Create a service for talking back to system_server
+allow dumpstate dumpstate_service:service_manager add;
+
+###
+### neverallow rules
+###
+
+# only dumpstate can add the dumpstate service
+neverallow { domain -dumpstate } dumpstate_service:service_manager add;
+
+# only system_server and shell can find the dumpstate service
+neverallow { domain -system_server -shell } dumpstate_service:service_manager find;
diff --git a/public/service.te b/public/service.te
index a181ec14b..30f6590bc 100644
--- a/public/service.te
+++ b/public/service.te
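Review bot: The new `-dumpstate_service` exclusion in dumpstate's own find rule carries no explanation, and the same is true of the matching exclusion added in the system_app.te hunk; both exist so that the `neverallow { domain -system_server -shell } dumpstate_service:service_manager find;` added later in this file remains satisfiable, which a reader of either line cannot see. A comment above the rule would make the dependency explicit: `# dumpstate_service is excluded to satisfy the neverallow below: dumpstate adds the service, only system_server and shell may find it`. A one-line comment of the same kind would suit the system_app.te rule, whose `# TODO: scope this down? Too broad?` does not say why dumpstate_service in particular is removed.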
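Review bot: The `neverallow ... find` rule admits shell alongside system_server, and together with `allow shell dumpstate:binder call;` in the shell.te hunk this makes dumpstate's new binder service reachable from the adb shell domain, so the service implementation must validate its callers rather than assume they are system_server. The comment `# only system_server and shell can find the dumpstate service` restates the rule but not why shell is needed; the shell.te TODO suggests progress reporting, so `# shell is included so that shell-driven bugreports can receive dumpstate progress updates` would record the rationale beside the rule. The `add` neverallow is only meaningful if no other domain holds a broad `service_manager_type` add grant, which cannot be confirmed from this diff.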
@@ -3,6 +3,7 @@ type bluetooth_service, service_manager_type;
 type cameraserver_service, service_manager_type;
 type default_android_service, service_manager_type;
 type drmserver_service, service_manager_type;
+type dumpstate_service, service_manager_type;
 type gatekeeper_service, app_api_service, service_manager_type;
 type fingerprintd_service, service_manager_type;
 type batteryproperties_service, app_api_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index a31b153d1..0e747b73f 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -91,7 +91,10 @@ allow shell kernel:system syslog_read;
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
-allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
+# TODO: why is this so broad? Tightening candidate? It needs at list:
+# - dumpstate_service (so it can receive dumpstate progress updates)
+allow shell { service_manager_type -gatekeeper_service -netd_service}:service_manager find;
+allow shell dumpstate:binder call;

 # allow shell to look through /proc/ for ps, top, netstat
 r_dir_file(shell, proc)
diff --git a/public/system_app.te b/public/system_app.te
index b05bcb9f2..7896ac556 100644
--- a/public/system_app.te
+++ b/public/system_app.te
@@ -49,7 +49,8 @@ allow system_app anr_data_file:file create_file_perms;
 allow system_app asec_apk_file:file r_file_perms;

 allow system_app servicemanager:service_manager list;
-allow system_app { service_manager_type -netd_service }:service_manager find;
+# TODO: scope this down? Too broad?
+allow system_app { service_manager_type -netd_service -dumpstate_service }:service_manager find;

 allow system_app keystore:keystore_key {
 get_state
diff --git a/public/system_server.te b/public/system_server.te
index f700a77be..b59aa0596 100644
--- a/public/system_server.te
+++ b/public/system_server.te
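Review bot: The rewritten shell find rule drops the space before the closing brace (`-netd_service}`), which differs from the line it replaces and from every other set expression in these files, including the system_app.te rule; restore it as `allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;`. The inserted TODO now separates `# don't allow shell to access GateKeeper service` from the rule it describes, and it has a typo (`at list` for `at least`). If the progress updates the TODO mentions are delivered through a callback that shell registers with dumpstate, dumpstate also needs binder call permission towards shell; whether dumpstate.te already grants that is not visible in this diff.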
@@ -443,6 +443,7 @@ allow system_server sysfs_zram:file r_file_perms;
 allow system_server audioserver_service:service_manager find;
 allow system_server cameraserver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
+allow system_server dumpstate_service:service_manager find;
 allow system_server batteryproperties_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
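Review bot: The new grant lets system_server resolve dumpstate_service, but this diff adds no `system_server dumpstate:binder call` rule; if system_server invokes methods on the service rather than only looking it up, that permission is required as well, and whether system_server.te already carries it (for example through an existing `binder_call` macro) is not visible here. A short comment such as `# dumpstate registers dumpstate_service to report back to system_server` would tie this line to the reciprocal `add` rule in dumpstate.te, which is otherwise the only place the relationship is documented.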