diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/system_ext/private/certs/com_qorvo_uwb.x509.pem
similarity index 100%
rename from whitechapel_pro/certs/com_qorvo_uwb.x509.pem
rename to system_ext/private/certs/com_qorvo_uwb.x509.pem
diff --git a/system_ext/private/file.te b/system_ext/private/file.te
new file mode 100644
index 00000000..9344be7e
--- /dev/null
+++ b/system_ext/private/file.te
@@ -0,0 +1,2 @@
+
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
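Review bot: `uwb_vendor_data_file` is now declared in system_ext private policy, so vendor policy under whitechapel_pro can no longer name it. Every use visible in this commit moves with it, but any vendor-side file_contexts entry or allow rule outside this diff that still references the type would have to move as well; that is not visible here and is worth confirming. The new file also opens with an empty line and has no comment, so a one-line header such as `# Data files of the Qorvo UWB vendor service app, labelled via seapp_contexts` would explain why the type carries `app_data_file_type`.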
diff --git a/system_ext/private/keys.conf b/system_ext/private/keys.conf
new file mode 100644
index 00000000..c2228db6
--- /dev/null
+++ b/system_ext/private/keys.conf
@@ -0,0 +1,3 @@
+[@UWB]
+ALL : device/google/gs201-sepolicy/system_ext/private/certs/com_qorvo_uwb.x509.pem
+
diff --git a/system_ext/private/mac_permissions.xml b/system_ext/private/mac_permissions.xml
new file mode 100644
index 00000000..51af79f6
--- /dev/null
+++ b/system_ext/private/mac_permissions.xml
@@ -0,0 +1,27 @@
+
+
+
+
+
+
+
+
+
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 25318ffe..82f4347c 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@@ -3,3 +3,8 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon
# HbmSVManager
user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# Qorvo UWB system app
+# TODO(b/222204912): Should this run under uwb user?
+user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+
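Review bot: The `com.qorvo.uwb.vendorservice` entry is moved with its `TODO(b/222204912)` unchanged, so the question of which user the app should run under is still open in the new location. The domain assignment depends on `seinfo=uwb`, which is presumably set by a signer stanza in system_ext/private/mac_permissions.xml keyed to `[@UWB]` in keys.conf (the XML body is not readable in this view). A comment such as `# seinfo=uwb is assigned by the @UWB signer in mac_permissions.xml; keep cert, stanza and this entry in the same policy dir` would make that dependency explicit for anyone who later moves one of the three. The hunk also appears to leave a trailing blank line at the end of the file, which can be dropped.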
diff --git a/system_ext/private/uwb_vendor_app.te b/system_ext/private/uwb_vendor_app.te
new file mode 100644
index 00000000..3ae5ecd3
--- /dev/null
+++ b/system_ext/private/uwb_vendor_app.te
@@ -0,0 +1,12 @@
+app_domain(uwb_vendor_app)
+
+not_recovery(`
+
+allow uwb_vendor_app app_api_service:service_manager find;
+allow uwb_vendor_app nfc_service:service_manager find;
+allow uwb_vendor_app radio_service:service_manager find;
+
+allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
+allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+
+')
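Review bot: The three `service_manager find` rules for `app_api_service`, `nfc_service` and `radio_service` are carried over with no comment saying why a UWB vendor app needs NFC and radio service lookup. That makes the domain hard to audit for least privilege. I would add a one-line why-comment above each rule naming the feature that requires it, and a header line stating that this file holds the system_ext half of the domain while the HAL client rules stay in whitechapel_pro/uwb_vendor_app.te. The empty lines directly after ``not_recovery(` `` and before `')` can also go.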
diff --git a/system_ext/public/uwb_vendor_app.te b/system_ext/public/uwb_vendor_app.te
new file mode 100644
index 00000000..6824e4e9
--- /dev/null
+++ b/system_ext/public/uwb_vendor_app.te
@@ -0,0 +1,2 @@
+type uwb_vendor_app, domain;
+
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 1c10354e..c7f63c67 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -13,7 +13,6 @@ type vendor_misc_data_file, file_type, data_file_type;
type sensor_debug_data_file, file_type, data_file_type;
type sensor_reg_data_file, file_type, data_file_type;
type per_boot_file, file_type, data_file_type, core_data_file_type;
-type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
type uwb_data_vendor, file_type, data_file_type;
type powerstats_vendor_data_file, file_type, data_file_type;
type mitigation_vendor_data_file, file_type, data_file_type;
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
index 54130ea2..2a7a6d56 100644
--- a/whitechapel_pro/keys.conf
+++ b/whitechapel_pro/keys.conf
@@ -4,9 +4,6 @@ ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem
[@MDS]
ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
-[@UWB]
-ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
-
[@EUICCSUPPORTPIXEL]
ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml
index b57e61c7..e9031e5f 100644
--- a/whitechapel_pro/mac_permissions.xml
+++ b/whitechapel_pro/mac_permissions.xml
@@ -27,9 +27,6 @@
-
-
-
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index c58bf9b3..eac38157 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -42,10 +42,6 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=
# Touch app
user=_app seinfo=platform name=com.google.touch.touchinspector domain=google_touch_app type=app_data_file levelFrom=user
-# Qorvo UWB system app
-# TODO(b/222204912): Should this run under uwb user?
-user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
-
# Domain for EuiccSupportPixel
user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te
index 364bee36..787858d7 100644
--- a/whitechapel_pro/uwb_vendor_app.te
+++ b/whitechapel_pro/uwb_vendor_app.te
@@ -1,18 +1,8 @@
-type uwb_vendor_app, domain;
-
-app_domain(uwb_vendor_app)
not_recovery(`
-hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
-
-allow uwb_vendor_app app_api_service:service_manager find;
allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
-allow uwb_vendor_app nfc_service:service_manager find;
-allow uwb_vendor_app radio_service:service_manager find;
-
-allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
-allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
allow hal_uwb_vendor_default kernel:process setsched;