diff --git a/adbd.te b/adbd.te
index d3f9905df979d68187b8affa27f5d0a2e45d4c95..f92414953a84908a3d93a5424e109510bdc7c434 100644
--- a/adbd.te
+++ b/adbd.te
@@ -4,7 +4,7 @@ type adbd, domain, mlstrustedsubject;
 allow adbd adb_device:chr_file rw_file_perms;
 allow adbd qemu_device:chr_file rw_file_perms;
 allow adbd self:capability { net_raw setgid setuid dac_override sys_boot sys_admin };
-allow adbd rootfs:file entrypoint;
+allow adbd rootfs:file { read entrypoint };
 allow adbd init:process sigchld;
 allow adbd self:tcp_socket *;
 allow adbd self:unix_stream_socket *;
diff --git a/bluetooth.te b/bluetooth.te
index f43543c1fe7b1cd01c51d41335e77c9c2920fa04..ac7233f10518518691fbbb9d1ea53e2dc4f825e9 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,4 +1,23 @@
-# Domains that can create and use bluetooth sockets.
+# bluetooth subsystem
+type bluetooth, domain;
+app_domain(bluetooth)
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+
+# bluetooth factory file accesses.
+r_dir_file(bluetooth, bluetooth_efs_file)
+
+# Device accesses.
+allow bluetooth hci_attach_dev:chr_file rw_file_perms;
+allow bluetooth input_device:chr_file write;
+
+# sysfs access.
+allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+dontaudit bluetooth self:capability net_admin;
+
+# Other domains that can create and use bluetooth sockets.
 # SELinux does not presently define a specific socket class for
 # bluetooth sockets, nor does it distinguish among the bluetooth protocols.
 allow bluetoothdomain self:socket *;
diff --git a/file.te b/file.te
index 70100a955bf80eaa6e43d4a376a4fa08cc5612b8..6bbda3afee5e7f579dddb7285dafd08e9e731e55 100644
--- a/file.te
+++ b/file.te
@@ -9,6 +9,7 @@ type selinuxfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;
 type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type inotify, fs_type, mlstrustedobject;
 type devpts, fs_type;
@@ -69,6 +70,7 @@ type asec_image_file, file_type, data_file_type;
 type bluetooth_efs_file, file_type;
 
 # Socket types
+type adbd_socket, file_type;
 type bluetooth_socket, file_type;
 type dbus_socket, file_type;
 type dnsproxyd_socket, file_type, mlstrustedobject;
diff --git a/file_contexts b/file_contexts
index 713da7991bf243c1fcf53e58a0b72303847ea723..43e532a80100b9b9aa0f978d81c67c0df1c42d8c 100644
--- a/file_contexts
+++ b/file_contexts
@@ -55,6 +55,7 @@
 /dev/s3c-mfc		u:object_r:graphics_device:s0
 /dev/snd(/.*)?		u:object_r:audio_device:s0
 /dev/socket		u:object_r:socket_device:s0
+/dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/bluetooth	u:object_r:bluetooth_socket:s0
 /dev/socket/dbus_bluetooth	u:object_r:bluetooth_socket:s0
 /dev/socket/dbus	u:object_r:dbus_socket:s0
@@ -127,6 +128,7 @@
 # Misc data
 /data/misc/bluetoothd(/.*)?	u:object_r:bluetoothd_data_file:s0
 /data/misc/bluetooth(/.*)?	u:object_r:bluetooth_data_file:s0
+/data/misc/bluedroid(/.*)?	u:object_r:bluetooth_data_file:s0
 /data/misc/keystore(/.*)?	u:object_r:keystore_data_file:s0
 /data/misc/vpn(/.*)?		u:object_r:vpn_data_file:s0
 /data/misc/systemkeys(/.*)?	u:object_r:systemkeys_data_file:s0
@@ -150,6 +152,8 @@
 #
 /sys/qemu_trace/process_name	--	u:object_r:sysfs_writable:s0
 /sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
+/sys/class/rfkill/rfkill[0-9]*/state -- u:object_r:sysfs_bluetooth_writable:s0
+/sys/class/rfkill/rfkill[0-9]*/type -- u:object_r:sysfs_bluetooth_writable:s0
 #############################
 # asec containers
 /mnt/asec(/.*)?         u:object_r:asec_apk_file:s0
diff --git a/keystore.te b/keystore.te
index 20e7222f758dc4dd941e09475f6f5f2b63c19ead..c44d254baf83eff4bfe1c986473fd3419e9acd49 100644
--- a/keystore.te
+++ b/keystore.te
@@ -3,6 +3,8 @@ type keystore_exec, exec_type, file_type;
 
 # keystore daemon
 init_daemon_domain(keystore)
+binder_use(keystore)
+binder_service(keystore)
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
diff --git a/seapp_contexts b/seapp_contexts
index f63da7c92982a194a2be7d65afc0ec6986d0074a..258477a9a4c1c8ec79c64d3c7b444a4796d6187f 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -33,6 +33,7 @@
 #
 isSystemServer=true domain=system
 user=system domain=system_app type=system_data_file
+user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
 user=_app domain=untrusted_app type=app_data_file levelFromUid=true
diff --git a/system.te b/system.te
index bace071a82103e25092a13a6e65d93ea2e9191d9..85b43470d4583299fe65015dde97e39a99b1a57b 100644
--- a/system.te
+++ b/system.te
@@ -82,8 +82,8 @@ allow system self:netlink_kobject_uevent_socket *;
 allow system appdomain:process { sigkill signal };
 
 # Set scheduling info for apps.
-allow system appdomain:process setsched;
-allow system mediaserver:process setsched;
+allow system appdomain:process { getsched setsched };
+allow system mediaserver:process { getsched setsched };
 
 # Read /proc data for apps.
 allow system appdomain:dir r_dir_perms;
diff --git a/zygote.te b/zygote.te
index 0601707db73777b53d76d5f1360c4e6d8984c36a..3350ce34386a9299183aeb8ad9e658f524127c5d 100644
--- a/zygote.te
+++ b/zygote.te
@@ -29,3 +29,9 @@ selinux_check_access(zygote)
 # Read /seapp_contexts, presently on the rootfs.
 allow zygote rootfs:file r_file_perms;
 
+# Setting up /storage/emulated.
+allow zygote rootfs:dir mounton;
+allow zygote sdcard:dir { write search setattr create add_name mounton };
+dontaudit zygote self:capability fsetid;
+allow zygote tmpfs:dir { write create add_name setattr mounton };
+allow zygote tmpfs:filesystem mount;