diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 046394e0d5ea54e81c52ca7a9e21849241f82565..65fd9c73a474c66345d2746eb53dd5e9d2fb8837 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -3,108 +3,12 @@
 # Read files already opened under /data.
 allow domain_deprecated system_data_file:file { getattr read };
 allow domain_deprecated system_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -sdcardd
-  -system_server
-  -tee
-} system_data_file:file { getattr read };
-auditallow {
-  domain_deprecated
-  -appdomain
-  -system_server
-  -tee
-} system_data_file:lnk_file r_file_perms;
-')
 
 # Read apk files under /data/app.
 allow domain_deprecated apk_data_file:dir { getattr search };
 allow domain_deprecated apk_data_file:file r_file_perms;
 allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -dex2oat
-  -installd
-  -system_server
-} apk_data_file:dir { getattr search };
-auditallow {
-  domain_deprecated
-  -appdomain
-  -dex2oat
-  -installd
-  -system_server
-} apk_data_file:file r_file_perms;
-auditallow {
-  domain_deprecated
-  -appdomain
-  -dex2oat
-  -installd
-  -system_server
-} apk_data_file:lnk_file r_file_perms;
-')
 
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
-
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -fsck
-  -fsck_untrusted
-  -sdcardd
-  -system_server
-  -update_engine
-  -vold
-} proc:file r_file_perms;
-auditallow {
-  domain_deprecated
-  -fsck
-  -fsck_untrusted
-  -system_server
-  -vold
-} proc:lnk_file { open ioctl lock }; # getattr read granted in domain
-auditallow {
-  domain_deprecated
-  -fingerprintd
-  -healthd
-  -netd
-  -recovery
-  -system_app
-  -surfaceflinger
-  -system_server
-  -tee
-  -ueventd
-  -vold
-} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
-  domain_deprecated
-  -fingerprintd
-  -healthd
-  -netd
-  -recovery
-  -system_app
-  -surfaceflinger
-  -system_server
-  -tee
-  -ueventd
-  -vold
-} sysfs:file r_file_perms;
-auditallow {
-  domain_deprecated
-  -fingerprintd
-  -healthd
-  -netd
-  -recovery
-  -system_app
-  -surfaceflinger
-  -system_server
-  -tee
-  -ueventd
-  -vold
-} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-')
diff --git a/private/system_server.te b/private/system_server.te
index a46272ad6be7a9fc8fa6fb82507a50b6a7e99451..40c5382d5fdced60591ae3adc126d8cfae1aeb3f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -493,6 +493,7 @@ set_prop(system_server, firstboot_prop)
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
 # Manage cache files.
+allow system_server cache_file:lnk_file r_file_perms;
 allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
 allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
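Review bot: The added `allow system_server cache_file:lnk_file r_file_perms;` has no comment saying which symlink on the cache partition system_server needs to read. It is also the only rule in this group that names `cache_file` alone instead of `{ cache_file cache_recovery_file }`. system_server is a privileged domain, so anyone auditing which links it may follow in a writable location needs the reason recorded next to the rule. I would add a line above it such as `# Read symlinks labelled cache_file (needed by <component or path>); cache_recovery_file links are intentionally not granted.`, with the placeholder filled in by the author. The rest of the "Manage cache files" group continues outside this hunk.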
diff --git a/public/attributes b/public/attributes
index f0bb18d42d9167f84935049cdc00199e13c62beb..4dddf496c71d2dfc3b90bbe563520a50d0390caa 100644
--- a/public/attributes
+++ b/public/attributes
@@ -249,7 +249,7 @@ expandattribute hal_cas false;
 attribute hal_cas_client;
 expandattribute hal_cas_client true;
 attribute hal_cas_server;
-expandattribute hal_cas_server true;
+expandattribute hal_cas_server false;
 attribute hal_dumpstate;
 expandattribute hal_dumpstate true;
 attribute hal_dumpstate_client;
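Review bot: `expandattribute hal_cas_server false;` now differs from its neighbours `hal_cas_client` and `hal_dumpstate`, which stay `true`, and nothing in the file explains why this one attribute must be preserved in the compiled policy rather than expanded to its types. I would add a comment directly above it, for example `# Keep hal_cas_server unexpanded: <rule or test that refers to the attribute by name>`. Without that, a later cleanup is likely to flip it back to match the sibling entries and silently undo whatever depends on it.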
diff --git a/public/te_macros b/public/te_macros
index e8c667d41944f71608763161108a8f799bf9a434..cac977b1ccea130a5cdac4a6d9c552b3928ccf29 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -459,6 +459,12 @@ define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
 
+#####################################
+# User builds
+# SELinux rules which apply only to user builds
+#
+define(`userbuild', ifelse(target_build_variant, `user', $1, ))
+
 #####################################
 # asan builds
 # SELinux rules which apply only to asan builds
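Review bot: The header for `userbuild` does not say what kind of rule is meant to go inside the macro, and no visible hunk of this commit uses it. Policy wrapped in it is absent from eng and userdebug images, so anything granted there ships without being exercised on the builds normally used for testing. If the intent is restriction only, I would extend the comment with something like `# Use for rules that tighten user builds (e.g. neverallow); avoid allow rules here, they are not covered by userdebug/eng testing.`. The explicit empty else branch `, )` also differs from `userdebug_or_eng` just above, which omits it; both forms behave the same in m4, so one style throughout would read better.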