diff --git a/dauntless/citadel_provision.te b/dauntless/citadel_provision.te
new file mode 100644
index 00000000..56050857
--- /dev/null
+++ b/dauntless/citadel_provision.te
@@ -0,0 +1,6 @@
+type citadel_provision, domain;
+type citadel_provision_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(citadel_provision)
+')
diff --git a/dauntless/citadeld.te b/dauntless/citadeld.te
new file mode 100644
index 00000000..bd8e4e38
--- /dev/null
+++ b/dauntless/citadeld.te
@@ -0,0 +1,4 @@
+type citadeld, domain;
+type citadeld_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(citadeld)
diff --git a/dauntless/device.te b/dauntless/device.te
new file mode 100644
index 00000000..f63186f4
--- /dev/null
+++ b/dauntless/device.te
@@ -0,0 +1 @@
+type citadel_device, dev_type;
diff --git a/dauntless/file.te b/dauntless/file.te
new file mode 100644
index 00000000..cfc0dea1
--- /dev/null
+++ b/dauntless/file.te
@@ -0,0 +1 @@
+type citadel_updater, vendor_file_type, file_type;
diff --git a/dauntless/file_contexts b/dauntless/file_contexts
new file mode 100644
index 00000000..76a25023
--- /dev/null
+++ b/dauntless/file_contexts
@@ -0,0 +1,9 @@
+/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0
+/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.citadel u:object_r:hal_keymint_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
+/vendor/bin/hw/citadel_updater u:object_r:citadel_updater:s0
+/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
+
+/dev/gsc0 u:object_r:citadel_device:s0
diff --git a/dauntless/hal_identity_citadel.te b/dauntless/hal_identity_citadel.te
new file mode 100644
index 00000000..7b2c37c3
--- /dev/null
+++ b/dauntless/hal_identity_citadel.te
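Review bot: Wrapping only `init_daemon_domain(citadel_provision)` in `userdebug_or_eng` leaves `citadel_provision` as a declared domain with no transition from init on user builds, so `/vendor/bin/CitadelProvision` (labeled `citadel_provision_exec` in the new file_contexts) cannot be started as a service there. That is a sensible restriction for a provisioning tool, but nothing in the file says it is intended, and the next reader is likely to read the conditional as an oversight and "fix" it. Add a comment above the macro, e.g. `# Debug-only: no init transition on user builds, so the provisioning service cannot start there.` If user builds are expected to run provisioning, the transition has to be unconditional instead.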
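Review bot: `/vendor/bin/hw/citadel_updater` is the only binary in this file_contexts whose label (`citadel_updater`, declared in file.te) carries no `exec_type`, while every other entry gets a `*_exec` type. That is presumably deliberate because the updater is run with `execute_no_trans` inside the caller's own domain rather than through a transition (the hal_dumpstate_default hunk shows one such caller), which also means every domain granted that permission runs the updater with its full privilege set. Record the intent next to the declaration in file.te, e.g. `# Not exec_type on purpose: run in the caller's domain via execute_no_trans, never a transition target.`, so the missing attribute is not treated as a bug later.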
@@ -0,0 +1,4 @@
+type hal_identity_citadel, domain;
+type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_identity_citadel)
diff --git a/dauntless/hal_keymint_citadel.te b/dauntless/hal_keymint_citadel.te
new file mode 100644
index 00000000..04680edf
--- /dev/null
+++ b/dauntless/hal_keymint_citadel.te
@@ -0,0 +1,4 @@
+type hal_keymint_citadel, domain;
+type hal_keymint_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_keymint_citadel)
diff --git a/dauntless/hal_weaver_citadel.te b/dauntless/hal_weaver_citadel.te
new file mode 100644
index 00000000..5cd1c6a4
--- /dev/null
+++ b/dauntless/hal_weaver_citadel.te
@@ -0,0 +1,4 @@
+type hal_weaver_citadel, domain;
+type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_weaver_citadel)
diff --git a/dauntless/init_citadel.te b/dauntless/init_citadel.te
new file mode 100644
index 00000000..2c8246ba
--- /dev/null
+++ b/dauntless/init_citadel.te
@@ -0,0 +1,4 @@
+type init_citadel, domain;
+type init_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_citadel)
diff --git a/dauntless/vndservice.te b/dauntless/vndservice.te
new file mode 100644
index 00000000..880c09ca
--- /dev/null
+++ b/dauntless/vndservice.te
@@ -0,0 +1 @@
+type citadeld_service, vndservice_manager_type;
diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk
index 48944087..3814171f 100644
--- a/gs201-sepolicy.mk
+++ b/gs201-sepolicy.mk
@@ -14,8 +14,8 @@ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/system_ext/priv
 #
 # Pixel-wide
 #
-# Dauntless (uses Citadel policy currently)
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel
+# Dauntless sepolicy (b/199685763)
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/dauntless
 
 # Wifi
 BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_ext
diff --git a/legacy/file_contexts b/legacy/file_contexts
index 04656075..5d97f4d9 100644
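Review bot: Swapping `hardware/google/pixel-sepolicy/citadel` for `device/google/gs201-sepolicy/dauntless` makes the files added in this commit the only policy for the Citadel domains, and those files declare types and `init_daemon_domain` transitions but no access rules at all: nothing in the diff grants `citadeld`, `hal_keymint_citadel`, `hal_weaver_citadel` or `hal_identity_citadel` access to `citadel_device`, to binder, or to `citadeld_service`, nor marks the HAL domains as servers of their HALs, and no `vndservice_contexts` mapping for `citadeld_service` appears either. If the old directory carried those rules (I cannot see it from here) the GSC-backed HALs would be denied at boot once this merges, and the regression is easy to miss because the old entry disappears in the same hunk. If the rules are meant to land in a follow-up, say so in the makefile comment rather than only citing the bug, e.g. `# Dauntless sepolicy (b/199685763): type declarations only, access rules to follow`; otherwise they belong in this change.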
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -183,9 +183,6 @@
 # R4
 /vendor/bin/hw/hardware\.qorvo\.uwb-service u:object_r:hal_uwb_vendor_default_exec:s0
 
-# Citadel StrongBox
-/dev/gsc0 u:object_r:citadel_device:s0
-
 # Tetheroffload Service
 /dev/dit2 u:object_r:vendor_toe_device:s0
 /vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0
diff --git a/legacy/hal_dumpstate_default.te b/legacy/hal_dumpstate_default.te
index d4cb32c8..06b14db5 100644
--- a/legacy/hal_dumpstate_default.te
+++ b/legacy/hal_dumpstate_default.te
@@ -84,7 +84,7 @@ allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
 allow hal_dumpstate_default citadeld_service:service_manager find;
-allow hal_dumpstate_default citadel_updater_exec:file execute_no_trans;
+allow hal_dumpstate_default citadel_updater:file execute_no_trans;
 binder_call(hal_dumpstate_default, citadeld);
 allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te
new file mode 100644
index 00000000..75c2bc5b
--- /dev/null
+++ b/whitechapel_pro/vndservice.te
@@ -0,0 +1 @@
+type hal_power_stats_vendor_service, vndservice_manager_type;
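Review bot: `type hal_power_stats_vendor_service, vndservice_manager_type;` is unrelated to the Dauntless policy move that the rest of this commit performs, and the commit carries no `vndservice_contexts` entry and no `add`/`find` rules for it, so as landed it is a dangling type. If the mapping and the rules for the (presumably power-stats) vendor HAL live in a separate change, a header comment on the file should point there, e.g. `# Vendor service type for the power.stats HAL; mapping lives in vndservice_contexts`, so that a reader of this directory does not assume the service is unregistered. Otherwise the one-liner is better moved into that other change so the policy history stays bisectable.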