diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
new file mode 100644
index 000000000..2239d2ae8
--- /dev/null
+++ b/private/dexoptanalyzer.te
@@ -0,0 +1,26 @@
+# dexoptanalyzer
+type dexoptanalyzer, domain, mlstrustedsubject;
+type dexoptanalyzer_exec, exec_type, file_type;
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexoptanalyzer vs other
+#processes.
+tmpfs_domain(dexoptanalyzer)
+
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
+# app_data_file the oat file is symlinked to the original file in /system.
+allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
+allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
+allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
+
+allow dexoptanalyzer installd:fd use;
+
+# Allow reading secondary dex files that were reported by the app to the
+# package manager.
+allow dexoptanalyzer app_data_file:dir { getattr search };
+allow dexoptanalyzer app_data_file:file r_file_perms;
+
+# Allow testing /data/user/0 which symlinks to /data/data
+allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/private/file_contexts b/private/file_contexts
index ae910dea3..22a36693d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -224,6 +224,7 @@
 /system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
 /system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
 /system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
 # patchoat executable has (essentially) the same requirements as dex2oat.
 /system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
 /system/bin/profman u:object_r:profman_exec:s0
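Review bot: The comment above the dalvikcache_data_file rules reads as garbled — "required for PIC mode boot / app_data_file the oat file is symlinked to the original file in /system" does not say what the `lnk_file read` grant is actually for — and should be rewritten to name the concrete symlink case, since that is what a later reviewer will use to decide whether the rule is still needed. The app_data_file rules grant `r_file_perms` (which includes `open`) on every file under app data directories together with `dir { getattr search }`, so the restriction to "secondary dex files reported by the app" is not enforced by this policy; it appears to rest on installd validating the paths it passes, and the comment should say so, e.g. `# Policy permits reading any app_data_file; limiting this to reported secondary dex files is installd's job, not enforced here.` Minor wording: "which unpack to tmpfs" should be "which unpacks", and `#processes.` is missing the space after `#`.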
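Review bot: The new entry is `/system/bin/dexoptanalyzer` without the `(d)?` suffix that the neighbouring dex2oat and patchoat entries use; if a debug build variant of this binary is ever installed (as `dex2oatd` is), it would not match this line, would fall through to the generic /system label, and installd's domain_auto_trans to dexoptanalyzer would not fire, so the analyzer would run in installd's own domain. If such a variant exists or is planned, change the line to `/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0`; otherwise a short comment stating that no debug variant is built would settle the question for the next reader.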
diff --git a/private/installd.te b/private/installd.te index 9e6fc1e52..e18d8410a 100644 --- a/private/installd.te +++ b/private/installd.te @@ -5,6 +5,9 @@ init_daemon_domain(installd) # Run dex2oat in its own sandbox. domain_auto_trans(installd, dex2oat_exec, dex2oat) +# Run dexoptanalyzer in its own sandbox. +domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer) + # Run profman in its own sandbox. domain_auto_trans(installd, profman_exec, profman) diff --git a/private/system_server.te b/private/system_server.te index 0e3566033..e5e4939de 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -13,3 +13,7 @@ type_transition system_server wpa_socket:sock_file system_wpa_socket; # TODO: deal with tmpfs_domain pub/priv split properly neverallow system_server system_server_tmpfs:file execute; + +# dexoptanalyzer is currently used only for secondary dex files which +# system_server should never access. +neverallow system_server dexoptanalyzer_exec:file no_x_file_perms; diff --git a/public/dex2oat.te b/public/dex2oat.te index d0de06498..be9877cf4 100644 --- a/public/dex2oat.te +++ b/public/dex2oat.te @@ -25,6 +25,10 @@ allow dex2oat oemfs:file read; allow dex2oat {apk_tmp_file ephemeral_apk_tmp_file}:file read; allow dex2oat user_profile_data_file:file { getattr read lock }; +# Allow dex2oat to compile app's secondary dex files which were reported back to +# the framework. +allow dex2oat app_data_file:file { getattr read write }; + ################## # A/B OTA Dexopt # ##################
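Review bot: The new `allow dex2oat app_data_file:file { getattr read write };` rule omits `open`, and no app_data_file:dir search is added here, so as far as this hunk shows dex2oat can only read or write app data files through descriptors handed to it by installd rather than by path; that is the property that keeps a write grant over all app_data_file acceptable, but the comment does not state it, so a later change adding `open` would silently widen it. Suggest extending the comment with `# No open permission on purpose: dex2oat only uses fds passed from installd and cannot reach app data by path.` If an `open` rule for app_data_file already exists elsewhere in dex2oat.te, the comment should instead explain why write access to every app data file is required.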