diff --git a/bluetooth.te b/bluetooth.te
index 0c42eb52e78679314dd6f816d7d5d8e5d9f0e218..6a329b70c3cbb75bd0fa32f805e1eb89a4df09a3 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -37,7 +37,6 @@ set_prop(bluetooth, ctl_dhcp_pan_prop)
 
 allow bluetooth audioserver_service:service_manager find;
 allow bluetooth bluetooth_service:service_manager find;
-allow bluetooth cameraserver_service:service_manager find;
 allow bluetooth drmserver_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
diff --git a/cameraserver.te b/cameraserver.te
index 3a5dff370339a6df83f8e1dc3a3bd274b684d012..ca29304c8312b0a67a763a5e64839dc0d482b37b 100644
--- a/cameraserver.te
+++ b/cameraserver.te
@@ -1,116 +1,35 @@
 # cameraserver - camera daemon
-type cameraserver, domain, domain_deprecated;
+type cameraserver, domain;
 type cameraserver_exec, exec_type, file_type;
 
-typeattribute cameraserver mlstrustedsubject;
+# STOPSHIP. cameraserver into permissive mode to collect denials from
+# droidfooders
+permissive cameraserver;
 
-net_domain(cameraserver)
 init_daemon_domain(cameraserver)
 
-r_dir_file(cameraserver, sdcard_type)
-
 binder_use(cameraserver)
 binder_call(cameraserver, binderservicedomain)
 binder_call(cameraserver, appdomain)
 binder_service(cameraserver)
 
-# Required by Widevine DRM (b/22990512)
-allow cameraserver self:process execmem;
-
-allow cameraserver kernel:system module_request;
-allow cameraserver media_data_file:dir create_dir_perms;
-allow cameraserver media_data_file:file create_file_perms;
+# access /data/misc/camera
 allow cameraserver camera_data_file:dir create_dir_perms;
 allow cameraserver camera_data_file:file create_file_perms;
-allow cameraserver app_data_file:dir search;
-allow cameraserver app_data_file:file rw_file_perms;
-allow cameraserver sdcard_type:file write;
-allow cameraserver gpu_device:chr_file rw_file_perms;
+
 allow cameraserver video_device:dir r_dir_perms;
 allow cameraserver video_device:chr_file rw_file_perms;
-allow cameraserver audio_device:dir r_dir_perms;
-allow cameraserver tee_device:chr_file rw_file_perms;
-
-set_prop(cameraserver, audio_prop)
-
-# Access audio devices at all.
-allow cameraserver audio_device:chr_file rw_file_perms;
-
-# XXX Label with a specific type?
-allow cameraserver sysfs:file r_file_perms;
-
-# Read resources from open apk files passed over Binder.
-allow cameraserver apk_data_file:file { read getattr };
-allow cameraserver asec_apk_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow cameraserver radio_data_file:file { read getattr };
-
-# Use pipes passed over Binder from app domains.
-allow cameraserver appdomain:fifo_file { getattr read write };
-
-allow cameraserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow cameraserver system_server:fifo_file r_file_perms;
+allow cameraserver ion_device:chr_file rw_file_perms;
 
-# Camera data
-r_dir_file(cameraserver, camera_data_file)
-r_dir_file(cameraserver, media_rw_data_file)
-
-# Grant access to audio files to cameraserver
-allow cameraserver audio_data_file:dir ra_dir_perms;
-allow cameraserver audio_data_file:file create_file_perms;
-
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow cameraserver qtaguid_proc:file rw_file_perms;
-allow cameraserver qtaguid_device:chr_file r_file_perms;
-
-# Allow abstract socket connection
-allow cameraserver rild:unix_stream_socket { connectto read write setopt };
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-unix_socket_connect(cameraserver, drmserver, drmserver)
-
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(cameraserver, bluetooth, bluetooth)
-
-# Connect to tee service.
-allow cameraserver tee:unix_stream_socket connectto;
-
-allow cameraserver activity_service:service_manager find;
 allow cameraserver appops_service:service_manager find;
 allow cameraserver audioserver_service:service_manager find;
-allow cameraserver cameraproxy_service:service_manager find;
-allow cameraserver cameraserver_service:service_manager { add find };
 allow cameraserver batterystats_service:service_manager find;
-allow cameraserver drmserver_service:service_manager find;
-allow cameraserver mediaextractor_service:service_manager find;
+allow cameraserver cameraproxy_service:service_manager find;
+allow cameraserver cameraserver_service:service_manager add;
 allow cameraserver mediaserver_service:service_manager find;
-allow cameraserver permission_service:service_manager find;
-allow cameraserver power_service:service_manager find;
 allow cameraserver processinfo_service:service_manager find;
-allow cameraserver scheduling_policy_service:service_manager find;
 allow cameraserver surfaceflinger_service:service_manager find;
 
-# /oem access
-allow cameraserver oemfs:dir search;
-allow cameraserver oemfs:file r_file_perms;
-
-use_drmservice(cameraserver)
-allow cameraserver drmserver:drmservice {
-    consumeRights
-    setPlaybackStatus
-    openDecryptSession
-    closeDecryptSession
-    initializeDecryptUnit
-    decrypt
-    finalizeDecryptUnit
-    pread
-};
-
 ###
 ### neverallow rules
 ###
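Review bot: `permissive cameraserver;` means none of the trimmed allow rules in this file are enforced at runtime, so a daemon that takes binder calls from `appdomain` and opens `video_device` and `ion_device` is effectively unconfined for as long as the statement stays. The STOPSHIP comment carries no tracking reference, which makes the removal easy to miss; I would write it as `# STOPSHIP(b/<tracking-bug>): permissive only until droidfood denials are triaged, then delete.` (placeholder bug id). If denial collection is only needed on test builds, wrapping the statement in the `userdebug_or_eng()` macro would keep user builds enforcing. The neverallow section that follows continues outside the hunk; those rules are compile-time checks on allow rules and do not restrict a permissive domain at runtime.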
diff --git a/mediaserver.te b/mediaserver.te
index 38c0af2002824ff344d85ef92eb3e2f8a392d13b..6d977a37c812cfff47acf9a357b721dfe87a0fb7 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -90,7 +90,6 @@ allow mediaserver tee:unix_stream_socket connectto;
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
 allow mediaserver audioserver_service:service_manager find;
-allow mediaserver cameraserver_service:service_manager find;
 allow mediaserver cameraproxy_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
diff --git a/radio.te b/radio.te
index c4df1f7d11dbb960d9ad6b626c719b9bee68736d..0da43a6d28f7005bad6e7031ec9cd27e90b610df 100644
--- a/radio.te
+++ b/radio.te
@@ -28,7 +28,6 @@ auditallow radio system_radio_prop:property_service set;
 set_prop(radio, ctl_rildaemon_prop)
 
 allow radio audioserver_service:service_manager find;
-allow radio cameraserver_service:service_manager find;
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
 allow radio radio_service:service_manager { add find };
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 31f7de66db08b8405ae899f83330dfdd1e23f8f7..8fb6463ff4684929d3265b52d699c6d42c6bf842 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -54,7 +54,6 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
 
 # media.player service
 allow surfaceflinger audioserver_service:service_manager find;
-allow surfaceflinger cameraserver_service:service_manager find;
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger permission_service:service_manager find;
 allow surfaceflinger power_service:service_manager find;
diff --git a/system_server.te b/system_server.te
index e8c52ff977137b02270ce2051fa3a082fd236098..1da04c171e7577f7664760bfa63932eb6715c879 100644
--- a/system_server.te
+++ b/system_server.te
@@ -153,8 +153,6 @@ r_dir_file(system_server, inputflinger)
 # Use sockets received over binder from various services.
 allow system_server audioserver:tcp_socket rw_socket_perms;
 allow system_server audioserver:udp_socket rw_socket_perms;
-allow system_server cameraserver:tcp_socket rw_socket_perms;
-allow system_server cameraserver:udp_socket rw_socket_perms;
 allow system_server mediaserver:tcp_socket rw_socket_perms;
 allow system_server mediaserver:udp_socket rw_socket_perms;