diff --git a/media_app.te b/media_app.te
index 1fe06ddc0e6eb7434f573ba6276eebf1d12701eb..5f09a63e9b6b20ce7885c3eb7ffc342dca5db83f 100644
--- a/media_app.te
+++ b/media_app.te
@@ -3,10 +3,27 @@
 ###
 type media_app, domain;
+permissive media_app;
 app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
-unconfined_domain(media_app)
+# Access /dev/mtp_usb.
+allow media_app mtp_device:chr_file rw_file_perms;
+# Write to /cache.
+allow media_app cache_file:dir rw_dir_perms;
+allow media_app cache_file:file create_file_perms;
+# Stat /cache/lost+found
+allow media_app unlabeled:file getattr;
+allow media_app unlabeled:dir getattr;
+# Stat /cache/backup
+allow media_app cache_backup_file:file getattr;
+allow media_app cache_backup_file:dir getattr;
+# Read files in the rootdir (in particular, file_contexts for restorecon).
+allow media_app rootfs:file r_file_perms;
+allow media_app download_file:dir rw_dir_perms;
+allow media_app download_file:file create_file_perms;
+# Allow platform apps to mark platform app data files as download files
 relabelto_domain(media_app)
+allow media_app platform_app_data_file:dir relabelfrom;
 allow media_app download_file:dir relabelto;
diff --git a/nfc.te b/nfc.te
index 31b9144335108fe251611d244f66882e37c85eff..efb1a14b556d77fd11719f0bb0ee03df95adea7a 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,4 +1,14 @@
 # nfc subsystem
 type nfc, domain;
+permissive nfc;
 app_domain(nfc)
-unconfined_domain(nfc)
+
+# NFC device access.
+allow nfc nfc_device:chr_file rw_file_perms;
+
+# Data file accesses.
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
+
+allow nfc sysfs_nfc_power_writable:file rw_file_perms;
+allow nfc sysfs:file write;
diff --git a/platform_app.te b/platform_app.te
index 042d495408f1d1f91724b3b36a709c5874f1a261..1e89760e0a045c9165f96e8223d41a366884f182 100644
--- a/platform_app.te
+++ b/platform_app.te
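Review bot: `permissive media_app;` keeps the domain effectively unconfined, because in permissive mode the allow rules added below it are only consulted for logging and denials are never enforced, so this hunk does not yet confine media_app; the same line is added in nfc.te, platform_app.te, radio.te, release_app.te, shared_app.te and system_app.te. If permissive is a transitional step while denials are collected, a comment next to it should say so and name the exit criterion, e.g. `# TODO: drop permissive once the rules below cover all audited denials.` Separately, the two `unlabeled` getattr rules grant access to every unlabeled file and directory on the system rather than only /cache/lost+found as the comment says; giving that path its own label in file_contexts would let the rule name a specific type instead.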
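Review bot: `allow nfc sysfs:file write;` grants write on every file carrying the generic sysfs type, which is far broader than the rule on the line above it that targets `sysfs_nfc_power_writable`; if one more sysfs path is needed, it should get its own label in the same way so the rule can name it. The rule is also the only one in the hunk with no comment saying what it is for; at minimum add one such as `# Write to <sysfs path> (TODO: label the path and narrow this rule).`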
@@ -3,10 +3,39 @@
 ###
 type platform_app, domain;
+permissive platform_app;
 app_domain(platform_app)
 platform_app_domain(platform_app)
 # Access the network.
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-unconfined_domain(platform_app)
+# Write to /cache.
+allow platform_app cache_file:dir rw_dir_perms;
+allow platform_app cache_file:file create_file_perms;
+# Read from /data/local.
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app shell_data_file:lnk_file read;
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# created by system server.
+allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
+allow platform_app apk_private_data_file:dir search;
+# ASEC
+allow platform_app asec_apk_file:dir create_dir_perms;
+allow platform_app asec_apk_file:file create_file_perms;
+# Access download files.
+allow platform_app download_file:file rw_file_perms;
+# Allow BackupManagerService to backup all app domains
+allow platform_app appdomain:fifo_file write;
+
+#
+# Rules for all platform app domains.
+#
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir create_dir_perms;
+allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+# App sdcard file accesses
+allow platformappdomain sdcard_type:dir create_dir_perms;
+allow platformappdomain sdcard_type:file create_file_perms;
diff --git a/radio.te b/radio.te
index feea2cc6dff36782c9ed511fa596b3737ed912a0..9de8aba22a03ec0ff6b3b33d3f15a315917eb71f 100644
--- a/radio.te
+++ b/radio.te
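Review bot: `allow platform_app appdomain:fifo_file write;` lets every process running in the platform_app domain write to the pipes of any app domain, while the comment above it attributes the need to BackupManagerService alone; if only that service's backup path needs it, the rule should be scoped to that caller's domain, otherwise the comment should explain why the whole domain needs it. The block under `# Rules for all platform app domains.` targets the `platformappdomain` attribute, which is not declared in this hunk and which a reader would not expect to find in a file named for a single domain; a comment such as `# platformappdomain is presumably assigned by platform_app_domain(); these rules apply to every domain that uses it.` would make the placement clear, with the presumption confirmed against the macro definition.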
@@ -1,7 +1,24 @@
 # phone subsystem
 type radio, domain;
+permissive radio;
 app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)
-unconfined_domain(radio)
\ No newline at end of file
+# Talks to init via the property socket.
+unix_socket_connect(radio, property, init)
+
+# Talks to rild via the rild socket.
+unix_socket_connect(radio, rild, rild)
+
+# Data file accesses.
+allow radio radio_data_file:dir create_dir_perms;
+allow radio radio_data_file:notdevfile_class_set create_file_perms;
+
+allow radio alarm_device:chr_file rw_file_perms;
+
+# Property service
+allow radio radio_prop:property_service set;
+
+# ctl interface
+allow radio ctl_rildaemon_prop:property_service set;
diff --git a/release_app.te b/release_app.te
index e7e4b3537643ab1eb82eb44728ecc2fc2179b3ae..6be3620acb1015f97ef7c9a9d42355d9a483a71a 100644
--- a/release_app.te
+++ b/release_app.te
@@ -3,10 +3,14 @@
 ###
 type release_app, domain;
+permissive release_app;
 app_domain(release_app)
 platform_app_domain(release_app)
 # Access the network.
 net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
-unconfined_domain(release_app)
+
+# Write to /cache.
+allow release_app cache_file:dir rw_dir_perms;
+allow release_app cache_file:file create_file_perms;
diff --git a/shared_app.te b/shared_app.te
index 8475e0c9aebc845204224024d10379017d9fdf79..e469bddb3b64701afe2599eecce4a76af0c69da6 100644
--- a/shared_app.te
+++ b/shared_app.te
@@ -3,10 +3,12 @@
 ###
 type shared_app, domain;
+permissive shared_app;
 app_domain(shared_app)
 platform_app_domain(shared_app)
 # Access the network.
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
-unconfined_domain(shared_app)
+# ASEC
+r_dir_file(shared_app, asec_apk_file)
diff --git a/system_app.te b/system_app.te
index d274ac107944a6598f0ac69c54ef4840c66bc216..a8ad762c81223e643d28d24ddd5f1b311a3ffaea 100644
--- a/system_app.te
+++ b/system_app.te
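Review bot: `allow radio alarm_device:chr_file rw_file_perms;` is the only rule in the radio.te hunk without a comment, and `# ctl interface` above the `ctl_rildaemon_prop` rule does not say what that property grant lets the domain do, so neither follows the style of the neighbouring rules. Suggested: `# Alarm device access.` above the alarm rule, and `# Control the rild service through init's ctl.* properties.` above the ctl_rildaemon_prop rule, assuming from its name that ctl_rildaemon_prop labels those properties; a grant that can start or stop a daemon is worth stating explicitly.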
@@ -4,5 +4,32 @@
 # server.
 #
 type system_app, domain;
+permissive system_app;
 app_domain(system_app)
-unconfined_domain(system_app)
+
+# Perform binder IPC to any app domain.
+binder_call(system_app, appdomain)
+
+# Read and write system data files.
+# May want to split into separate types.
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
+# Write to dalvikcache.
+allow system_app dalvikcache_data_file:file { write setattr };
+
+# Talk to keystore.
+unix_socket_connect(system_app, keystore, keystore)
+
+# Read SELinux enforcing status.
+selinux_getenforce(system_app)
+
+# Settings app reads sdcard for storage stats
+allow system_app sdcard_type:dir r_dir_perms;
+
+# Allow settings app to read from asec
+allow system_app asec_apk_file:dir search;
+allow system_app asec_apk_file:file r_file_perms;
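Review bot: `allow system_app dalvikcache_data_file:file { write setattr };` lets system_app modify, and change the attributes of, any file labeled dalvikcache_data_file, which presumably includes the cached dex of every installed app; since other domains execute that code, this is an integrity-sensitive grant, and the comment `# Write to dalvikcache.` says what the rule does but not which component needs it or why. The comment should record the caller and the reason so the rule can later be narrowed, e.g. `# Write to dalvikcache: needed by <component> for <reason>.` The nearby `# May want to split into separate types.` note shows the intended direction; the same applies here.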