diff --git a/Android.mk b/Android.mk
index b941bf3..3f691e9 100644
--- a/Android.mk
+++ b/Android.mk
@@ -15,14 +15,14 @@
     mapping_sepolicy.cil \
     nonplat_sepolicy.cil \
     plat_sepolicy.cil \
-    plat_sepolicy.cil.sha256 \
+    plat_and_mapping_sepolicy.cil.sha256 \
     secilc \
     nonplat_file_contexts \
     plat_file_contexts
 
 # Include precompiled policy, unless told otherwise
 ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat.sha256
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
 endif
 
 else
@@ -310,24 +310,10 @@
 #################################
 include $(CLEAR_VARS)
 
-LOCAL_MODULE := plat_sepolicy.cil.sha256
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_plat_cil)
-	sha256sum $^ | cut -d' ' -f1 > $@
-
-#################################
-include $(CLEAR_VARS)
-
 LOCAL_MODULE := mapping_sepolicy.cil
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
@@ -357,6 +343,19 @@
 #################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := plat_and_mapping_sepolicy.cil.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_mapping_cil)
+	cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := nonplat_sepolicy.cil
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
@@ -444,10 +443,11 @@
 built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
 
 #################################
-# SHA-256 digest of the plat_sepolicy.cil file against which precompiled_policy was built.
+# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
+# which precompiled_policy was built.
 #################################
 include $(CLEAR_VARS)
-LOCAL_MODULE := precompiled_sepolicy.plat.sha256
+LOCAL_MODULE := precompiled_sepolicy.plat_and_mapping.sha256
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
 LOCAL_PROPRIETARY_MODULE := true
@@ -455,9 +455,9 @@
 
 include $(BUILD_SYSTEM)/base_rules.mk
 
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILE := $(built_plat_cil)
-$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil)
-	sha256sum $(PRIVATE_CIL_FILE) | cut -d' ' -f1 > $@
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_mapping_cil)
+	cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
 
 #################################
 include $(CLEAR_VARS)
diff --git a/CleanSpec.mk b/CleanSpec.mk
index 4962149..9e2c464 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -65,4 +65,8 @@
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/property_contexts)
 
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_property_contexts)
+
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/mapping_sepolicy.cil)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_sepolicy.cil.sha256)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/precompiled_sepolicy.plat.sha256)
diff --git a/private/access_vectors b/private/access_vectors
index c4f13bb..dcd86c2 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -668,6 +668,20 @@
 	list
 }
 
+class hwservice_manager
+{
+	add
+	find
+	list
+}
+
+class vndservice_manager
+{
+	add
+	find
+	list
+}
+
 class keystore_key
 {
 	get_state
diff --git a/private/file_contexts b/private/file_contexts
index 9feeef9..83792ed 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -172,6 +172,7 @@
 /system/bin/toolbox	--	u:object_r:toolbox_exec:s0
 /system/bin/toybox	--	u:object_r:toolbox_exec:s0
 /system/bin/logcat	--	u:object_r:logcat_exec:s0
+/system/bin/logcatd	--	u:object_r:logcat_exec:s0
 /system/bin/sh		--	u:object_r:shell_exec:s0
 /system/bin/run-as	--	u:object_r:runas_exec:s0
 /system/bin/bootanimation u:object_r:bootanim_exec:s0
@@ -247,13 +248,14 @@
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/vr_wm                u:object_r:vr_wm_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/mapping_sepolicy.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 
 #############################
@@ -273,7 +275,6 @@
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
-/vendor/etc/selinux/mapping_sepolicy.cil       u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
 /vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
@@ -281,7 +282,7 @@
 /vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
 /vendor/etc/selinux/nonplat_sepolicy.cil       u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/precompiled_sepolicy        u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256 u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/vndservice_contexts         u:object_r:vndservice_contexts_file:s0
 
 #############################
diff --git a/private/security_classes b/private/security_classes
index a202c5d..5685bd6 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -134,6 +134,12 @@
 # Service manager
 class service_manager           # userspace
 
+# hardware service manager      # userspace
+class hwservice_manager
+
+# vendor service manager        # userspace
+class vndservice_manager
+
 # Keystore Key
 class keystore_key              # userspace
 
diff --git a/public/attributes b/public/attributes
index 852dcd7..30dfa4b 100644
--- a/public/attributes
+++ b/public/attributes
@@ -95,11 +95,18 @@
 # services which export only system_api
 attribute system_api_service;
 
-# All types used for services managed by service_manager.
+# All types used for services managed by servicemanager.
 # On change, update CHECK_SC_ASSERT_ATTRS
 # definition in tools/checkfc.c.
 attribute service_manager_type;
 
+# All types used for services managed by hwservicemanager
+attribute hwservice_manager_type;
+
+# All types used for services managed by vndservicemanager
+attribute vndservice_manager_type;
+
+
 # All domains that can override MLS restrictions.
 # i.e. processes that can read up and write down.
 attribute mlstrustedsubject;
@@ -242,3 +249,12 @@
 attribute hal_wifi_supplicant;
 attribute hal_wifi_supplicant_client;
 attribute hal_wifi_supplicant_server;
+
+# HwBinder services offered across the core-vendor boundary
+#
+# We annotate server domains with x_server  to loosen the coupling between
+# system and vendor images. For example, it should be possible to move a service
+# from one core domain to another, without having to update the vendor image
+# which contains clients of this service.
+
+attribute wifi_keystore_service_server;
diff --git a/public/hal_wifi_keystore.te b/public/hal_wifi_keystore.te
deleted file mode 100644
index 15368ae..0000000
--- a/public/hal_wifi_keystore.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# HwBinder IPC from client to server.
-binder_call(hal_wifi_keystore_client, hal_wifi_keystore_server)
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index 77074f4..20a7229 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -2,9 +2,6 @@
 type hwservicemanager, domain, mlstrustedsubject;
 type hwservicemanager_exec, exec_type, file_type;
 
-# serving android.hidl.manager@1.0 and android.hidl.token@1.0
-typeattribute hwservicemanager halserverdomain;
-
 # Note that we do not use the binder_* macros here.
 # hwservicemanager provides name service (aka context manager)
 # for hwbinder.
diff --git a/public/keystore.te b/public/keystore.te
index 456c74d..378949a 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -10,8 +10,9 @@
 # talk to keymaster
 hal_client_domain(keystore, hal_keymaster)
 
-# Implement the wifi keystore hal.
-hal_server_domain(keystore, hal_wifi_keystore)
+# Offer the Wifi Keystore HwBinder service
+hwbinder_use(keystore)
+typeattribute keystore wifi_keystore_service_server;
 
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
diff --git a/public/wificond.te b/public/wificond.te
index 0584b85..c91053e 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -27,6 +27,9 @@
 allow wificond wifi_data_file:dir rw_dir_perms;
 allow wificond wifi_data_file:file create_file_perms;
 
+# allow wificond to check permission for dumping logs
+allow wificond permission_service:service_manager find;
+
 # dumpstate support
 allow wificond dumpstate:fd use;
 allow wificond dumpstate:fifo_file write;
diff --git a/tools/sepolicy-analyze/README b/tools/sepolicy-analyze/README
index d18609a..fdee588 100644
--- a/tools/sepolicy-analyze/README
+++ b/tools/sepolicy-analyze/README
@@ -65,6 +65,10 @@
 
     Displays the types associated with the specified attribute name.
 
+    sepolicy-analyze out/target/product/<board>/root/sepolicy attribute -r <name>
+
+    Displays the attributes associated with the specified type name.
+
     NEVERALLOW CHECKING (neverallow)
     sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \
     [-w] [-d] [-f neverallows.conf] | [-n "neverallow string"]
diff --git a/tools/sepolicy-analyze/attribute.c b/tools/sepolicy-analyze/attribute.c
index 474bda2..ae98aa9 100644
--- a/tools/sepolicy-analyze/attribute.c
+++ b/tools/sepolicy-analyze/attribute.c
@@ -1,39 +1,81 @@
+#include <getopt.h>
+
 #include "attribute.h"
 
 void attribute_usage() {
-    fprintf(stderr, "\tattribute <attribute-name>\n");
+    fprintf(stderr, "\tattribute <name> [-r|--reverse]\n");
 }
 
-static int list_attribute(policydb_t * policydb, char *name)
-{
-    struct type_datum *attr;
+static void retrieve_mapping(policydb_t *policydb, struct type_datum *dat, char *name, int reverse) {
     struct ebitmap_node *n;
     unsigned int bit;
 
-    attr = hashtab_search(policydb->p_types.table, name);
-    if (!attr) {
+    if (reverse) {
+        ebitmap_for_each_bit(&policydb->type_attr_map[dat->s.value - 1], n, bit) {
+            if (!ebitmap_node_get_bit(n, bit))
+                continue;
+            if (!strcmp(policydb->p_type_val_to_name[bit], name))
+                continue;
+            printf("%s\n", policydb->p_type_val_to_name[bit]);
+        }
+    } else {
+        ebitmap_for_each_bit(&policydb->attr_type_map[dat->s.value - 1], n, bit) {
+            if (!ebitmap_node_get_bit(n, bit))
+                continue;
+            printf("%s\n", policydb->p_type_val_to_name[bit]);
+        }
+    }
+}
+
+static int list_attribute(policydb_t *policydb, char *name, int reverse)
+{
+    struct type_datum *dat;
+
+    dat = hashtab_search(policydb->p_types.table, name);
+    if (!dat) {
         fprintf(stderr, "%s is not defined in this policy.\n", name);
         return -1;
     }
 
-    if (attr->flavor != TYPE_ATTRIB) {
-        fprintf(stderr, "%s is a type not an attribute in this policy.\n", name);
-        return -1;
+    if (reverse) {
+        if (dat->flavor != TYPE_TYPE) {
+            fprintf(stderr, "%s is an attribute not a type in this policy.\n", name);
+            return -1;
+        }
+    } else {
+        if (dat->flavor != TYPE_ATTRIB) {
+            fprintf(stderr, "%s is a type not an attribute in this policy.\n", name);
+            return -1;
+        }
     }
-
-    ebitmap_for_each_bit(&policydb->attr_type_map[attr->s.value - 1], n, bit) {
-        if (!ebitmap_node_get_bit(n, bit))
-            continue;
-        printf("%s\n", policydb->p_type_val_to_name[bit]);
-    }
+    retrieve_mapping(policydb, dat, name, reverse);
 
     return 0;
 }
 
 int attribute_func (int argc, char **argv, policydb_t *policydb) {
-    if (argc != 2) {
+    int reverse = 0;
+    char ch;
+
+    struct option attribute_options[] = {
+        {"reverse", no_argument, NULL, 'r'},
+        {NULL, 0, NULL, 0}
+    };
+
+    while ((ch = getopt_long(argc, argv, "r", attribute_options, NULL)) != -1) {
+        switch (ch) {
+        case 'r':
+            reverse = 1;
+            break;
+        default:
+            USAGE_ERROR = true;
+            return -1;
+        }
+    }
+
+    if (argc != 2 && !(reverse && argc == 3)) {
         USAGE_ERROR = true;
         return -1;
     }
-    return list_attribute(policydb, argv[1]);
+    return list_attribute(policydb, argv[optind], reverse);
 }
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index f0a6ffc..82bccdb 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -8,8 +8,10 @@
 # Create a socket for receiving info from wpa
 type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
 
-# Allow wpa_supplicant to talk to Wifi Keystore HAL.
-hal_client_domain(hal_wifi_supplicant_default, hal_wifi_keystore)
+# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
+hwbinder_use(hal_wifi_supplicant_default)
+binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)
+
 # TODO (b/36645291) Move hal_wifi_supplicant's data access to /data/vendor
 # Remove coredata_in_vendor_violators attribute.
 # wpa supplicant or equivalent