diff --git a/dhcp.te b/dhcp.te
index 81f6db49535900f5863fa8a1f71368b579cfd103..9e461a4f66ce16493ecd59a63e03b3a8ba857219 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -15,7 +15,6 @@ allow dhcp system_file:file rx_file_perms;
 allow dhcp proc_net:file write;
 allow dhcp system_prop:property_service set ;
 unix_socket_connect(dhcp, property, init)
-allow dhcp owntty_device:chr_file rw_file_perms;
 
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;
diff --git a/domain.te b/domain.te
index 6c800ab714f32d444317f5c9bd928f503987678a..86c683f23e1bb57ebb2441070afbe61e7e8fe305 100644
--- a/domain.te
+++ b/domain.te
@@ -130,7 +130,8 @@ allow domain debugfs:dir r_dir_perms;
 allow domain debugfs:file w_file_perms;
 
 # Get SELinux enforcing status.
-selinux_getenforce(domain)
+allow domain selinuxfs:dir r_dir_perms;
+allow domain selinuxfs:file r_file_perms;
 
 # /data/security files
 allow domain security_file:dir { search getattr };
diff --git a/shell.te b/shell.te
index aa02ce5fcfb3dea516456aa08662757394a8c700..5f70cd079ceb57572faac1c5b577914bc11509da 100644
--- a/shell.te
+++ b/shell.te
@@ -25,7 +25,6 @@ allow shell shell_data_file:file rx_file_perms;
 # adb bugreport
 unix_socket_connect(shell, dumpstate, dumpstate)
 
-allow shell rootfs:dir r_dir_perms;
 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;
 allow shell console_device:chr_file rw_file_perms;
diff --git a/system_server.te b/system_server.te
index 5f2d691830191a5c6b8c87ebd0a8538f531c7d00..d7643a0a4bbddd3982a3977d795067d18f0825c6 100644
--- a/system_server.te
+++ b/system_server.te
@@ -159,7 +159,6 @@ allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;
 allow system_server radio_device:chr_file r_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;
-allow system_server urandom_device:chr_file rw_file_perms;
 allow system_server usbaccessory_device:chr_file rw_file_perms;
 allow system_server video_device:dir r_dir_perms;
 allow system_server video_device:chr_file rw_file_perms;
diff --git a/te_macros b/te_macros
index 7cd7d82adae5b95cd6bb6d7d73d29fcf4f4bceee..c72760eeec16d0a5afe691333b2bd2db0899f341 100644
--- a/te_macros
+++ b/te_macros
@@ -187,7 +187,6 @@ allow $1 self:capability2 block_suspend;
 # selinux_check_access(domain)
 # Allow domain to check SELinux permissions via selinuxfs.
 define(`selinux_check_access', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security compute_av;
 allow $1 self:netlink_selinux_socket *;
@@ -197,24 +196,14 @@ allow $1 self:netlink_selinux_socket *;
 # selinux_check_context(domain)
 # Allow domain to check SELinux contexts via selinuxfs.
 define(`selinux_check_context', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security check_context;
 ')
 
-#####################################
-# selinux_getenforce(domain)
-# Allow domain to check whether SELinux is enforcing.
-define(`selinux_getenforce', `
-allow $1 selinuxfs:dir r_dir_perms;
-allow $1 selinuxfs:file r_file_perms;
-')
-
 #####################################
 # selinux_setenforce(domain)
 # Allow domain to set SELinux to enforcing.
 define(`selinux_setenforce', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setenforce;
 ')
@@ -223,7 +212,6 @@ allow $1 kernel:security setenforce;
 # selinux_setbool(domain)
 # Allow domain to set SELinux booleans.
 define(`selinux_setbool', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setbool;
 ')
@@ -235,11 +223,6 @@ allow $1 kernel:security setbool;
 define(`security_access_policy', `
 allow $1 security_file:dir r_dir_perms;
 allow $1 security_file:file r_file_perms;
-allow $1 security_file:lnk_file r_file_perms;
-allow $1 selinuxfs:dir r_dir_perms;
-allow $1 selinuxfs:file r_file_perms;
-allow $1 rootfs:dir r_dir_perms;
-allow $1 rootfs:file r_file_perms;
 ')
 
 #####################################
diff --git a/wpa.te b/wpa.te
index ceabf6d5f9a8a2d61fb0fd5ab554ab97cf2c369a..761d3451a2e1ec3915694a76f0d78eec2a0024de 100644
--- a/wpa.te
+++ b/wpa.te
@@ -15,7 +15,6 @@ allow wpa self:packet_socket create_socket_perms;
 allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)
-allow wpa random_device:chr_file r_file_perms;
 
 binder_use(wpa)
 binder_call(wpa, keystore)