diff --git a/app.te b/app.te
index 2ea00f1d06f6d50a7a638ea22e7f73f4917ea90c..c55f4e07fdc54b247301741c237e3af3b3e09a8c 100644
--- a/app.te
+++ b/app.te
@@ -40,8 +40,8 @@ allow media_app mtp_device:chr_file rw_file_perms;
 allow media_app cache_file:dir rw_dir_perms;
 allow media_app cache_file:file create_file_perms;
 # Access sdcard.
-allow media_app sdcard:dir rw_dir_perms;
-allow media_app sdcard:file rw_file_perms;
+allow media_app sdcard:dir create_dir_perms;
+allow media_app sdcard:file create_file_perms;
 
 # Apps signed with the shared key.
 type shared_app, domain;
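Review bot: The `# Access sdcard.` comment above the two changed rules no longer describes what is granted: `create_dir_perms` and `create_file_perms` add create, unlink/rmdir and similar write permissions on top of the read/write access the old `rw_*` macros gave (exact membership depends on global_macros). A one-line reason would let a later reviewer judge whether media_app really needs to create and delete entries on the sdcard, e.g. `# Access sdcard, including creating and removing files (needed for <TODO: name the feature>).` Without it the widening reads as a blanket grant rather than a deliberate one.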
@@ -119,8 +119,12 @@ allow appdomain zygote_tmpfs:file read;
 # Notify zygote of death;
 allow appdomain zygote:process sigchld;
 
-# Communicate over a FIFO to system processes.
+# Communicate over a FIFO or socket created by the system_server.
 allow appdomain system:fifo_file rw_file_perms;
+allow appdomain system:unix_stream_socket { read write };
+
+# Communicate over a socket created by surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
 
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
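Review bot: `setopt` is granted on surfaceflinger's unix_stream_socket but not on the system socket two lines above, and nothing in the hunk says which setsockopt call needs it; the rule added in system.te grants the same `{ read write setopt }` triple without explanation either. A short comment naming the option would make the asymmetry auditable, e.g. `# setopt: <TODO: name the socket option> on the surfaceflinger connection.` It is also worth confirming that granting this to every domain carrying the appdomain attribute, rather than to a narrower app domain, is intended, since the comment only mentions "apps" generically.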
diff --git a/sdcardd.te b/sdcardd.te
index 21b867322aa3253c5ebb5d7693c931cb8577f4f8..84471d795042521ed6db53b88d6b5bc068827f9c 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -7,7 +7,7 @@ allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;
 allow sdcardd sdcard:filesystem mount;
-allow sdcardd self:capability { setuid setgid };
+allow sdcardd self:capability { setuid setgid dac_override };
 allow sdcardd system_data_file:dir  create_dir_perms;
 allow sdcardd system_data_file:file create_file_perms;
 
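Review bot: `dac_override` is added with no comment on why sdcardd needs it, and this capability bypasses owner/group/mode checks on every file the daemon touches, not only the sdcard tree. If the need is only to traverse or read directories it does not own, `dac_read_search` is the narrower capability to try first; if writes are involved, a comment naming the operation that fails without it would keep the grant reviewable, e.g. `# dac_override: <TODO: operation> on <TODO: path> fails DAC checks as the sdcard uid/gid.` As written a future reader cannot tell whether the widening is still required.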
diff --git a/surfaceflinger.te b/surfaceflinger.te
index bbefa142cd3b4fdd9134dd80f578dad9ccd3ec53..10a57ee9311fcce6920539683ce2fb4a670ec38f 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -23,5 +23,7 @@ allow surfaceflinger video_device:chr_file rw_file_perms;
 # Create and use netlink kobject uevent sockets.
 allow surfaceflinger self:netlink_kobject_uevent_socket *;
 
-# ctl interface
+# Set properties.
+allow surfaceflinger system_prop:property_service set;
 allow surfaceflinger ctl_default_prop:property_service set;
+
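Review bot: `system_prop:property_service set` lets surfaceflinger set any property labelled system_prop, and the new `# Set properties.` comment does not say which property is actually needed; naming it, e.g. `# Set properties (<TODO: property name>).`, would both document the grant and show whether a narrower property type is warranted. The replaced `# ctl interface` comment also described the ctl_default_prop rule that remains, so the new comment should still cover it. The hunk additionally adds a trailing blank line at end of file, which is usually unwanted.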
diff --git a/system.te b/system.te
index 1a94c75275d2ff5a7535d8c03c8b5061918cbdd6..04ff84c0e5f48243df10cc4351acc7e2c4d14781 100644
--- a/system.te
+++ b/system.te
@@ -107,6 +107,9 @@ unix_socket_connect(system, gps, gpsd)
 unix_socket_connect(system, bluetooth, bluetoothd)
 unix_socket_send(system, wpa, wpa)
 
+# Communicate over a socket created by surfaceflinger.
+allow system surfaceflinger:unix_stream_socket { read write setopt };
+
 # Perform Binder IPC.
 tmpfs_domain(system)
 binder_use(system)
diff --git a/vold.te b/vold.te
index 403771fecb3e56b0f454b28e3434cd1f62d58483..86dbbb7a796f07da9687bd1e494a9e8b54af3c34 100644
--- a/vold.te
+++ b/vold.te
@@ -53,7 +53,7 @@ allow vold kernel:system module_request;
 allow vold proc:file write;
 
 # Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { write create add_name mounton };
+allow vold system_data_file:dir { open read write create add_name mounton };
 
 # Property Service
 allow vold vold_prop:property_service set;
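Review bot: The added `open read` permissions widen the rule to reading the contents of every directory labelled system_data_file, while the comment still only says `Create and mount on /data/tmp_mnt.`; update it to say why reading is needed, e.g. `# Create, read and mount on /data/tmp_mnt.` If only the tmp_mnt directory has to be listed, giving it its own file context would keep the grant from covering the whole label, which is presumably broader than that one path.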