diff --git a/builtin_rules.c b/builtin_rules.c
index f7602702c..df9605ba9 100644
--- a/builtin_rules.c
+++ b/builtin_rules.c
@@ -284,7 +284,7 @@ void otherToSU() {
 add_type("surfaceflinger", "mlstrustedsubject", policy);
 }
-void builtin_rules(policydb_t *policydb) {
+void phh_rules(policydb_t *policydb) {
 policy = policydb;
 // Samsung specific
@@ -306,6 +306,7 @@ void builtin_rules(policydb_t *policydb) {
 // Transition from untrusted_app to su_client
 allowSuClient("shell");
 allowSuClient("untrusted_app");
+ allowSuClient("system_app");
 allowSuClient("platform_app");
 allowSuClient("su");
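Review bot: The context comment `// Transition from untrusted_app to su_client` above the new `allowSuClient("system_app")` line is now stale, since the list it introduces covers shell, untrusted_app, system_app, platform_app and su; reword it to describe the set, e.g. `// Domains allowed to transition to su_client (shell, untrusted_app, system_app, platform_app, su)`. Adding system_app widens which domains may reach su_client and nothing on the page says why, so a one-line why-comment next to the new entry would help the next reader judge whether the widening is still wanted. phh_rules begins in the first hunk and its body continues outside the second.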
@@ -327,4 +328,64 @@ void builtin_rules(policydb_t *policydb) {
 add_type("su_device", "mlstrustedobject", policy);
 add_type("su_daemon", "mlstrustedsubject", policy);
 add_type("su", "mlstrustedsubject", policy);
+}
+
+void magisk_rules(policydb_t *policydb) {
+ policy = policydb;
+
+ setPermissive("su", 1);
+ setPermissive("init", 1);
+
+ add_type("su", "mlstrustedsubject", policy);
+
+ // Minimal to run Magisk script before live patching
+ allow("kernel", "su", "fd", "use");
+ allow("init", "su", "process", ALL);
+ allow("init", "system_file", "dir", ALL);
+ allow("init", "system_file", "lnk_file", ALL);
+ allow("init", "system_file", "file", ALL);
+ allow("su", "property_socket", "sock_file", "write");
+ allow("su", "shell_exec", "file", ALL);
+ allow("su", "init", "unix_stream_socket", "connectto");
+ allow("su", "su", "unix_dgram_socket", ALL);
+ allow("su", "su", "unix_stream_socket", ALL);
+ allow("su", "su", "process", ALL);
+ allow("su", "su", "capability", ALL);
+ allow("su", "su", "file", ALL);
+ allow("su", "su", "fifo_file", ALL);
+ allow("su", "su", "lnk_file", ALL);
+ allow("su", "su", "dir", ALL);
+ allow("su", "device", "file", ALL);
+ allow("su", "device", "dir", ALL);
+ allow("su", "storage_file", "file", ALL);
+ allow("su", "storage_file", "dir", ALL);
+ allow("su", "sysfs", "file", ALL);
+ allow("su", "sysfs", "dir", ALL);
+ allow("su", "block_device", "file", ALL);
+ allow("su", "block_device", "dir", ALL);
+ allow("su", "rootfs", "file", ALL);
+ allow("su", "rootfs", "dir", ALL);
+ allow("su", "toolbox_exec", "file", ALL);
+ allow("su", "toolbox_exec", "dir", ALL);
+ allow("su", "cache_file", "file", ALL);
+ allow("su", "cache_file", "dir", ALL);
+ allow("su", "system_file", "file", ALL);
+ allow("su", "system_file", "dir", ALL);
+ allow("su", "system_data_file", "file", ALL);
+ allow("su", "system_data_file", "dir", ALL);
+ allow("su", "kernel", "security", "read_policy");
+ allow("su", "kernel", "security", "load_policy");
+ allow("su", "selinuxfs", "file", ALL);
+
+ // Xposed
+ allow("untrusted_app", "untrusted_app", "capability", "setgid");
+ allow("system_server", "dex2oat_exec", "file", ALL);
+
+ // SuperSU
+ allow("init", "system_file", "file", "execute_no_trans");
+ allow("init", "su", "fd", "use");
+ allow("init", "kernel", "security", "read_policy");
+ allow("init", "kernel", "security", "load_policy");
+
+ }
\ No newline at end of file
diff --git a/sepolicy-inject.c b/sepolicy-inject.c
index 2fa4b886b..c69d01c99 100644
--- a/sepolicy-inject.c
+++ b/sepolicy-inject.c
@@ -23,7 +23,8 @@
 #include
 #include
-extern void builtin_rules(policydb_t *policydb);
+extern void phh_rules(policydb_t *policydb);
+extern void magisk_rules(policydb_t *policydb);
 void usage(char *arg0) {
 fprintf(stderr, "%s -s -t -c -p -P \n", arg0);
@@ -545,7 +546,7 @@ int main(int argc, char **argv)
 {
 char *policy = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL;
 char *fcon = NULL, *outfile = NULL, *permissive = NULL, *attr = NULL, *filetrans = NULL;
- int exists = 0, not = 0, live = 0, builtin = 0;
+ int exists = 0, not = 0, live = 0, builtin = 0, magisk = 0;
 policydb_t policydb;
 struct policy_file pf, outpf;
 sidtab_t sidtab;
@@ -569,6 +570,7 @@ int main(int argc, char **argv)
 {"not-permissive", required_argument, NULL, 'z'},
 {"not", no_argument, NULL, 0},
 {"live", no_argument, NULL, 0},
+ {"magisk", no_argument, NULL, 0},
 {NULL, 0, NULL, 0}
 };
@@ -580,6 +582,8 @@ int main(int argc, char **argv)
 not = 1;
 else if(strcmp(long_options[option_index].name, "live") == 0)
 live = 1;
+ else if(strcmp(long_options[option_index].name, "magisk") == 0)
+ magisk = 1;
 else
 usage(argv[0]);
 break;
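Review bot: `setPermissive("init", 1)` near the top of magisk_rules appears to put the entire init domain in permissive mode, which makes the explicit `allow("init", ...)` rules that follow it (and the four under `// SuperSU`) redundant while it is in effect, and it removes enforcement for everything init does rather than only the bootstrap the `// Minimal to run Magisk script before live patching` comment describes; if the explicit init rules are sufficient, the permissive line could be dropped, and otherwise a comment should say why it is still needed. Likewise `allow("untrusted_app", "untrusted_app", "capability", "setgid")` under `// Xposed` applies to every process in untrusted_app, not only Xposed-enabled ones, so the comment should spell out that trade-off, e.g. `// Xposed: grants setgid to ALL untrusted_app processes, not just Xposed`. The blank line before the closing brace and the `\ No newline at end of file` marker are style nits worth fixing in the same commit. magisk_rules is entirely contained in this hunk.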
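Review bot: The new `--magisk` long option is not reflected in the usage text that the first sepolicy-inject.c hunk shows as context, `fprintf(stderr, "%s -s -t -c -p -P \n", arg0);`, so a user who runs the tool without arguments cannot discover it; add a line such as `fprintf(stderr, "   or: %s --magisk\n", arg0);` after it (and the same for `--live` if it is missing too, which the visible line suggests). The two `extern` prototypes would be better placed in a small header included by both files so the signatures cannot drift from builtin_rules.c. usage's body continues outside the hunk.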
@@ -630,7 +634,7 @@ int main(int argc, char **argv)
 }
 // Use builtin rules if nothing specified
- if (!source && !target && !class && !perm && !permissive && !fcon && !attr &&!filetrans && !exists)
+ if (!magisk && !source && !target && !class && !perm && !permissive && !fcon && !attr &&!filetrans && !exists)
 builtin = 1;
 // Overwrite original if not specified
@@ -653,7 +657,10 @@ int main(int argc, char **argv)
 return 1;
 if (builtin) {
- builtin_rules(&policydb);
+ phh_rules(&policydb);
+ }
+ else if (magisk) {
+ magisk_rules(&policydb);
 } else if (permissive) {
 type_datum_t *type;
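Review bot: Passing `--magisk` together with explicit rule arguments such as `-s`/`-t`/`-z` appears to be accepted silently: the changed condition in the first hunk only keeps `builtin` off, and the new `else if (magisk)` branch in the second hunk runs before `else if (permissive)`, so the explicit arguments are discarded with no message. Either reject the combination up front, e.g. `if (magisk && (source || target || class || perm || permissive || fcon || attr || filetrans || exists)) usage(argv[0]);`, or add a comment on the new branch stating that `--magisk` takes precedence over every other rule argument. The same point applies to both hunks on this line; the branch chain belongs to main, which starts and ends outside them.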