diff --git a/app.te b/app.te
index c91f566bd33cbfc8fd6d98c273c47db7833faac2..00ec4503108f438aaa9ffb76a81aedc3f7c9d48b 100644
--- a/app.te
+++ b/app.te
@@ -7,6 +7,7 @@
 # Apps signed with the platform key.
 #
 type platform_app, domain;
+permissive platform_app;
 app_domain(platform_app)
 platform_app_domain(platform_app)
 # Access the network.
@@ -31,6 +32,7 @@ allow platform_app download_file:file rw_file_perms;
 
 # Apps signed with the media key.
 type media_app, domain;
+permissive media_app;
 app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
@@ -54,6 +56,7 @@ allow media_app download_file:dir relabelto;
 
 # Apps signed with the shared key.
 type shared_app, domain;
+permissive shared_app;
 app_domain(shared_app)
 platform_app_domain(shared_app)
 # Access the network.
@@ -65,6 +68,7 @@ r_dir_file(shared_app, asec_apk_file)
 
 # Apps signed with the release key (testkey in AOSP).
 type release_app, domain;
+permissive release_app;
 app_domain(release_app)
 platform_app_domain(release_app)
 # Access the network.
@@ -76,6 +80,7 @@ bluetooth_domain(release_app)
 # In order for isolated_apps to interact with apps that have levelFromUid=true
 # set it must be an mlstrustedsubject.
 type isolated_app, domain, mlstrustedsubject;
+permissive isolated_app;
 app_domain(isolated_app)
 
 #
@@ -94,6 +99,7 @@ allow platformappdomain sdcard_type:file create_file_perms;
 # Untrusted apps.
 #
 type untrusted_app, domain;
+permissive untrusted_app;
 app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
diff --git a/bluetooth.te b/bluetooth.te
index a7b9a4eb8cca4b13120ef8b7cb8070217116e78b..e87065a4b647f8fec5cdacc80ea2f62761920323 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -1,5 +1,6 @@
 # bluetooth subsystem
 type bluetooth, domain;
+permissive bluetooth;
 app_domain(bluetooth)
 
 # Data file accesses.
diff --git a/bluetoothd.te b/bluetoothd.te
index 640a1da2e6eef4ef7b0edf02080ed4276169fe38..17660384a1f96546a091be1d4d8b25fd7bc7457e 100644
--- a/bluetoothd.te
+++ b/bluetoothd.te
@@ -1,5 +1,6 @@
 # bluetoothd - bluetooth daemon
 type bluetoothd, domain;
+permissive bluetoothd;
 type bluetoothd_exec, exec_type, file_type;
 
 init_daemon_domain(bluetoothd)
diff --git a/dbusd.te b/dbusd.te
index 6ffc836efc73f80f6c860dd3d916b78e9202d922..56b1d75abca9c6c7af1f81ec27a750a42e133c04 100644
--- a/dbusd.te
+++ b/dbusd.te
@@ -1,5 +1,6 @@
 # dbus daemon
 type dbusd, domain;
+permissive dbusd;
 type dbusd_exec, exec_type, file_type;
 
 init_daemon_domain(dbusd)
diff --git a/debuggerd.te b/debuggerd.te
index aca499b9bf3e9c7dd5f9276c9d70d37d4e632dc4..131c56c529c4e2c277452fdc048efcacf019f49b 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -1,5 +1,6 @@
 # debugger interface
 type debuggerd, domain;
+permissive debuggerd;
 type debuggerd_exec, exec_type, file_type;
 
 init_daemon_domain(debuggerd)
diff --git a/dhcp.te b/dhcp.te
index b806a89a031c2e537211a8fc3427c87fae81fc5a..a6e2036bab480d4bccf3f013b08c14a9e25d727a 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -1,4 +1,5 @@
 type dhcp, domain;
+permissive dhcp;
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 type dhcp_system_file, file_type, data_file_type;
diff --git a/drmserver.te b/drmserver.te
index 0b34eb787aa3e3ea44e29ae54abb98125818bdf4..79f86137d2c8c12f1e458f5de092ee35a5fe004b 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -1,5 +1,6 @@
 # drmserver - DRM service
 type drmserver, domain;
+permissive drmserver;
 type drmserver_exec, exec_type, file_type;
 
 init_daemon_domain(drmserver)
diff --git a/file_contexts b/file_contexts
index 19491f96187bfa72cc7a692fbfc49fd21cfe19c5..766bf5999edfa1011dcd8a51410063c2ed0895ce 100644
--- a/file_contexts
+++ b/file_contexts
@@ -172,6 +172,7 @@
 /data/app-private/vmdl.*\.tmp	u:object_r:apk_private_tmp_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
+/data/local/tmp/selinux(/.*)?   u:object_r:tombstone_data_file:s0
 # Misc data
 /data/misc/bluetoothd(/.*)?	u:object_r:bluetoothd_data_file:s0
 /data/misc/bluetooth(/.*)?	u:object_r:bluetooth_data_file:s0
diff --git a/gpsd.te b/gpsd.te
index 8010efa0d5d41b5c66d13ea0a430a4465095e7d1..a7b2f1e36df8f06a67f915f93006c67ec538948b 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -1,5 +1,6 @@
 # gpsd - GPS daemon
 type gpsd, domain;
+permissive gpsd;
 type gpsd_exec, exec_type, file_type;
 
 init_daemon_domain(gpsd)
diff --git a/hci_attach.te b/hci_attach.te
index 3cb0953e545835b3c64ff52de0f724e1b8e010f9..2a55d512b177896a539e7898ff336b1124da9d10 100644
--- a/hci_attach.te
+++ b/hci_attach.te
@@ -1,4 +1,5 @@
 type hci_attach, domain;
+permissive hci_attach;
 type hci_attach_exec, exec_type, file_type;
 
 init_daemon_domain(hci_attach)
diff --git a/init.te b/init.te
index 0f9b697307109d43be1bb2b69993cf8bf32359ce..9c1c8ce94ca4f14195fa48faaf7a622de8f805cf 100644
--- a/init.te
+++ b/init.te
@@ -1,5 +1,6 @@
 # init switches to init domain (via init.rc).
 type init, domain;
+permissive init;
 # init is unconfined.
 unconfined_domain(init)
 tmpfs_domain(init)
diff --git a/installd.te b/installd.te
index 428e3790ddb0fee7ab7ab169fc27a7c721d38ba9..2b983db128b71df13c271671d18090987beb86e3 100644
--- a/installd.te
+++ b/installd.te
@@ -1,5 +1,6 @@
 # installer daemon
 type installd, domain;
+permissive installd;
 type installd_exec, exec_type, file_type;
 
 init_daemon_domain(installd)
diff --git a/kernel.te b/kernel.te
index 66c7b13f9abd3443562424084ddc5d90b82b0f7a..5502ed88da4eea4b33402aadad22f5869b79affd 100644
--- a/kernel.te
+++ b/kernel.te
@@ -1,4 +1,5 @@
 # Life begins with the kernel.
 type kernel, domain;
+permissive kernel;
 # The kernel is unconfined.
 unconfined_domain(kernel)
diff --git a/keystore.te b/keystore.te
index c44d254baf83eff4bfe1c986473fd3419e9acd49..e6eacf0f9de4e082cacd6110b5544f7800837006 100644
--- a/keystore.te
+++ b/keystore.te
@@ -1,4 +1,5 @@
 type keystore, domain;
+permissive keystore;
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon
diff --git a/mediaserver.te b/mediaserver.te
index 3e78ce2e5196a7c8d34f6269ef55186b3ade10ae..7d2b9cb55e3fc6863bd32a64b273e6e62cbcfaf0 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,5 +1,6 @@
 # mediaserver - multimedia daemon
 type mediaserver, domain;
+permissive mediaserver;
 type mediaserver_exec, exec_type, file_type;
 
 typeattribute mediaserver mlstrustedsubject;
diff --git a/mtp.te b/mtp.te
index b458e69ba635b52070ae4f5efd3917d28a580777..4331cbfadc7cfa2782b3413a47398ba43ead7cf4 100644
--- a/mtp.te
+++ b/mtp.te
@@ -1,5 +1,6 @@
 # vpn tunneling protocol manager
 type mtp, domain;
+permissive mtp;
 type mtp_exec, exec_type, file_type;
 
 init_daemon_domain(mtp)
diff --git a/netd.te b/netd.te
index af7d15d3396494f5955298f4f481ba22833ba8cb..297f570315d1110adece40f7af846eba212fdb75 100644
--- a/netd.te
+++ b/netd.te
@@ -1,5 +1,6 @@
 # network manager
 type netd, domain;
+permissive netd;
 type netd_exec, exec_type, file_type;
 
 init_daemon_domain(netd)
diff --git a/nfc.te b/nfc.te
index 9a354bb58a1b8216d7ba08a45e70e8f4823bc181..efb1a14b556d77fd11719f0bb0ee03df95adea7a 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,5 +1,6 @@
 # nfc subsystem
 type nfc, domain;
+permissive nfc;
 app_domain(nfc)
 
 # NFC device access.
diff --git a/ping.te b/ping.te
index 5b8bc953b0db22a8ff0e160e32a538b3da4a07ce..df9e624ac53b697664262a8b502f21f04424cfaa 100644
--- a/ping.te
+++ b/ping.te
@@ -1,4 +1,5 @@
 type ping, domain;
+permissive ping;
 type ping_exec, file_type;
 domain_auto_trans(shell, ping_exec, ping)
 
diff --git a/ppp.te b/ppp.te
index 115fb987754e2e1ea0a6de54ba093bf97dbcd858..85d37a7a24cfb3476143fc6e26c02f4a842917ff 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,5 +1,6 @@
 # Point to Point Protocol daemon
 type ppp, domain;
+permissive ppp;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 type ppp_system_file, file_type;
diff --git a/qemud.te b/qemud.te
index ec6c816d03f590b5b59ac4046be3f9a4fdcbf02f..ab99291b29d38c0a8a8ff158ea6cfcbf1f94b29d 100644
--- a/qemud.te
+++ b/qemud.te
@@ -1,5 +1,6 @@
 # qemu support daemon
 type qemud, domain;
+permissive qemud;
 type qemud_exec, exec_type, file_type;
 
 init_daemon_domain(qemud)
diff --git a/racoon.te b/racoon.te
index 9f556e0b87a57418d4fa0348dfb2ef25ae09bd8c..4cebb7bd2a8d4706f0a67c219a7568cf3303931c 100644
--- a/racoon.te
+++ b/racoon.te
@@ -1,5 +1,6 @@
 # IKE key management daemon
 type racoon, domain;
+permissive racoon;
 type racoon_exec, exec_type, file_type;
 
 init_daemon_domain(racoon)
diff --git a/radio.te b/radio.te
index a119d75cfd523e56918818a8841003539f48e2d2..9de8aba22a03ec0ff6b3b33d3f15a315917eb71f 100644
--- a/radio.te
+++ b/radio.te
@@ -1,5 +1,6 @@
 # phone subsystem
 type radio, domain;
+permissive radio;
 app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)
diff --git a/rild.te b/rild.te
index b224baca315717bbaece443f121b828eef5cb4ad..c2fcda91ede443f5d85cb643ceb4fced63b52cc1 100644
--- a/rild.te
+++ b/rild.te
@@ -1,5 +1,6 @@
 # rild - radio interface layer daemon
 type rild, domain;
+permissive rild;
 type rild_exec, exec_type, file_type;
 
 init_daemon_domain(rild)
diff --git a/sdcardd.te b/sdcardd.te
index c79854508b6f8e0672e71adf3c8a11fec23617e8..3e556c3a57807712f05c7a048e754bc5787004d8 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,4 +1,5 @@
 type sdcardd, domain;
+permissive sdcardd;
 type sdcardd_exec, exec_type, file_type;
 
 init_daemon_domain(sdcardd)
diff --git a/servicemanager.te b/servicemanager.te
index a78a485bb4273f2a099ddca232fcab1912bec428..dc0f15e13ce09daf2a3d468973b602337f3bf497 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -1,5 +1,6 @@
 # servicemanager - the Binder context manager
 type servicemanager, domain;
+permissive servicemanager;
 type servicemanager_exec, exec_type, file_type;
 
 init_daemon_domain(servicemanager)
diff --git a/su.te b/su.te
index 75e6214067f709d3961e3e78db05ab32b2c134f4..ca9fcc23701eaedcf9ce8a157bf9a54df1cd70b9 100644
--- a/su.te
+++ b/su.te
@@ -1,4 +1,5 @@
 type su, domain;
+permissive su;
 type su_exec, file_type;
 domain_auto_trans(shell, su_exec, su)
 
diff --git a/surfaceflinger.te b/surfaceflinger.te
index a383ec11e38e14f0b4ae95197ff089b4cfcacea7..4244d01ed1193a7777c02c134195e016c5804716 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -1,5 +1,6 @@
 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
+permissive surfaceflinger;
 type surfaceflinger_exec, exec_type, file_type;
 
 init_daemon_domain(surfaceflinger)
diff --git a/system.te b/system.te
index 4d963c4c1cb1a63425f6d90910e05a6023c70222..666860ae268b9e21851d0bf14e790549cf65f1f5 100644
--- a/system.te
+++ b/system.te
@@ -4,6 +4,7 @@
 # server.
 #
 type system_app, domain;
+permissive system_app;
 app_domain(system_app)
 
 # Perform binder IPC to any app domain.
diff --git a/te_macros b/te_macros
index 1245c8a565510c355c454e42d68a6a79626ce721..1c78c96d0c911a380c04c546decf0f4d695afa05 100644
--- a/te_macros
+++ b/te_macros
@@ -232,6 +232,7 @@ allow $1 kernel:security setbool;
 define(`security_access_policy', `
 allow $1 security_file:dir r_dir_perms;
 allow $1 security_file:file r_file_perms;
+allow $1 security_file:lnk_file read;
 allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file r_file_perms;
 allow $1 rootfs:dir r_dir_perms;
diff --git a/tee.te b/tee.te
index d5e8ff7d49427f6cc278fc42635fa1f07982087d..dad3505c6dfef8324e836408bd5c2c93e557b215 100644
--- a/tee.te
+++ b/tee.te
@@ -2,6 +2,7 @@
 # trusted execution environment (tee) daemon
 #
 type tee, domain;
+permissive tee;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
diff --git a/ueventd.te b/ueventd.te
index fa03acf70256d8cddaca1c27037a188a157453d6..271718281c14f3b744f460b640585451c24c5c83 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -1,6 +1,7 @@
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
+permissive ueventd;
 tmpfs_domain(ueventd)
 write_klog(ueventd)
 security_access_policy(ueventd)
diff --git a/vold.te b/vold.te
index 8dd213714b9aa73ed7ac4e8446c51faaa9d44b9d..fa76a55f20235a3886664489c867524f0f427250 100644
--- a/vold.te
+++ b/vold.te
@@ -1,5 +1,6 @@
 # volume manager
 type vold, domain;
+permissive vold;
 type vold_exec, exec_type, file_type;
 
 init_daemon_domain(vold)
diff --git a/watchdogd.te b/watchdogd.te
index 18824ccf204c85fb3497511059be3615db7a155b..76f8244d2d3741a48f52ad39958443af21304a6f 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,5 +1,6 @@
 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
+permissive watchdogd;
 allow watchdogd rootfs:file { entrypoint r_file_perms };
 allow watchdogd self:capability mknod;
 allow watchdogd device:dir { add_name write remove_name };
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index be1bf2563d5ac1922695c1e32e176cea0cf8313d..2c4ea604440a438df36d53721529fee84d587602 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -1,5 +1,6 @@
 # wpa - wpa supplicant or equivalent
 type wpa, domain;
+permissive wpa;
 type wpa_exec, exec_type, file_type;
 
 init_daemon_domain(wpa)
diff --git a/zygote.te b/zygote.te
index 773318ea16a89091fbe96ebf4993ba5d55ca9a36..90a9b3dca72ac0f1b1f71fe1f097ede8b25d231c 100644
--- a/zygote.te
+++ b/zygote.te
@@ -1,5 +1,6 @@
 # zygote
 type zygote, domain;
+permissive zygote;
 type zygote_exec, exec_type, file_type;
 
 init_daemon_domain(zygote)