diff --git a/adbd.te b/adbd.te
index f92414953a84908a3d93a5424e109510bdc7c434..074f35b001aa3e363f0fea22dcb019d8e1667bf0 100644
--- a/adbd.te
+++ b/adbd.te
@@ -15,6 +15,9 @@ allow adbd cgroup:dir { write add_name create };
 allow adbd labeledfs:filesystem remount;
 allow adbd shell_data_file:dir rw_dir_perms;
 allow adbd shell_data_file:file create_file_perms;
+allow adbd sdcard_type:dir create_dir_perms;
+allow adbd sdcard_type:file create_file_perms;
+
 allow adbd graphics_device:dir search;
 allow adbd graphics_device:chr_file r_file_perms;
 allow adbd log_device:chr_file r_file_perms;
diff --git a/app.te b/app.te
index de7b7d05daadadbb408a60cb8815f137e6eb5d15..6a4c0b758153c6b45bf541d28ac917b878f4dabd 100644
--- a/app.te
+++ b/app.te
@@ -89,8 +89,8 @@ net_domain(browser_app)
 allow platformappdomain platform_app_data_file:dir create_dir_perms;
 allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
 # App sdcard file accesses
-allow platformappdomain sdcard:dir create_dir_perms;
-allow platformappdomain sdcard:file create_file_perms;
+allow platformappdomain sdcard_type:dir create_dir_perms;
+allow platformappdomain sdcard_type:file create_file_perms;
 # System data file accesses (e.g, shared objects from the lib directory)
 allow platformappdomain system_data_file:file { execute open };
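Review bot: The two added sdcard_type rules give adbd create/unlink-level rights on both internal and external storage, and nothing in the hunk says what needs them; the neighbouring shell_data_file rules are equally terse, but these cross from adbd's own data into user storage. Add a one-line comment above the new lines, e.g. `# Read/write user storage (adb push/pull to the sdcard).`, adjusted to the real trigger. If plain file transfer is the only need, create_dir_perms/create_file_perms (which in this policy's macros also cover rename, setattr and unlink) may be broader than the denials that motivated the rule; worth confirming.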
@@ -118,12 +118,19 @@ bool app_bluetooth false;
 if (app_bluetooth or android_cts) {
 # No specific SELinux class for bluetooth sockets presently.
 allow untrusted_app self:socket *;
+allow untrusted_app bluetooth:unix_stream_socket { read write shutdown };
 }
-# SDCard rw access.
-bool app_sdcard_rw true;
-if (app_sdcard_rw) {
-allow untrusted_app sdcard:dir create_dir_perms;
-allow untrusted_app sdcard:file create_file_perms;
+# Internal SDCard rw access.
+bool app_internal_sdcard_rw true;
+if (app_internal_sdcard_rw) {
+allow untrusted_app sdcard_internal:dir create_dir_perms;
+allow untrusted_app sdcard_internal:file create_file_perms;
+}
+# External SDCard rw access.
+bool app_external_sdcard_rw true;
+if (app_external_sdcard_rw) {
+allow untrusted_app sdcard_external:dir create_dir_perms;
+allow untrusted_app sdcard_external:file create_file_perms;
 }
 # Native app support.
 bool app_ndk false;
@@ -155,7 +162,7 @@ allow appdomain zygote:process sigchld;
 # Communicate over a FIFO or socket created by the system_server.
 allow appdomain system:fifo_file rw_file_perms;
-allow appdomain system:unix_stream_socket { read write };
+allow appdomain system:unix_stream_socket { read write setopt };
 # Communicate over a socket created by surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
diff --git a/attributes b/attributes
index ef4a1708e75ba011e9e35c8b78927010a40b029a..7d491e2d4ea7c4faf8ae71bebd0f1fdee292d10b 100644
--- a/attributes
+++ b/attributes
@@ -24,6 +24,9 @@ attribute data_file_type;
 # All types use for sysfs files.
 attribute sysfs_type;
+# Attribute used for all sdcards
+attribute sdcard_type;
+
 # All types used for nodes/hosts.
 attribute node_type;
diff --git a/dhcp.te b/dhcp.te
index 0c533eb4097c72247acabdc54f4c8452eee53355..10ab788eddcadb7308e26ed73ac3be639318195e 100644
--- a/dhcp.te
+++ b/dhcp.te
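Review bot: The new `allow untrusted_app bluetooth:unix_stream_socket { read write shutdown };` sits under the comment `# No specific SELinux class for bluetooth sockets presently.`, which explains the `self:socket *` line, not this one; give it its own comment, e.g. `# Use a unix stream socket handed over by the bluetooth process.` Both new booleans `app_internal_sdcard_rw` and `app_external_sdcard_rw` default to true, so the split changes nothing until a build turns one off; a comment on the external boolean stating that it governs removable media would help whoever later tunes it. The same missing-comment point applies to the `setopt` added in the -155 hunk below, which mirrors the existing surfaceflinger rule but does not say why system needs it.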
@@ -4,16 +4,15 @@ type dhcp_data_file, file_type, data_file_type;
 type dhcp_system_file, file_type, data_file_type;
 init_daemon_domain(dhcp)
+net_domain(dhcp)
-allow dhcp cgroup:dir { create add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw };
-allow dhcp self:packet_socket { create setopt bind write read };
-allow dhcp self:netlink_route_socket { write nlmsg_write read create bind };
-allow dhcp self:udp_socket { create ioctl };
-allow dhcp shell_exec:file { read open execute };
-allow dhcp system_file:file execute_no_trans;
+allow dhcp cgroup:dir { create write add_name };
+allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:packet_socket create_socket_perms;
+allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
+allow dhcp shell_exec:file rx_file_perms;
+allow dhcp system_file:file rx_file_perms;
 allow dhcp proc:file write;
-allow dhcp property_socket:sock_file write ;
 allow dhcp system_prop:property_service set ;
 allow dhcp dhcp_system_file:file rx_file_perms;
 allow dhcp dhcp_system_file:dir r_dir_perms;
diff --git a/drmserver.te b/drmserver.te
index 63286d55822f284c5379aa07d8374a8f9fafe9c1..9ef3189a80096be44f4ada620cf42652501f8950 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -14,8 +14,12 @@ binder_service(drmserver)
 # Perform Binder IPC to mediaserver
 binder_call(drmserver, mediaserver)
-allow drmserver sdcard:dir search;
+allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver self:{ tcp_socket udp_socket } *;
+allow drmserver port:tcp_socket name_connect;
 allow drmserver tee_device:chr_file rw_file_perms;
+allow drmserver platform_app_data_file:file { read write getattr };
+allow drmserver app_data_file:file { read write getattr };
+allow drmserver sdcard_type:file { read write getattr };
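Review bot: `allow dhcp self:packet_socket create_socket_perms;` and `allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };` replace explicit five-operation sets with the full generic socket macro, so dhcp now gets every operation the macro expands to (in this policy that includes ioctl, getopt, shutdown and the rest) on raw-packet and routing-netlink sockets rather than the operations it was observed using. If extra denials drove the widening, a comment naming them makes the intent reviewable; otherwise the narrower explicit form is preferable for a domain that also holds net_raw and net_admin. Separately, `allow dhcp property_socket:sock_file write ;` is dropped while `allow dhcp system_prop:property_service set ;` stays, which only works if `net_domain(dhcp)` or `init_daemon_domain(dhcp)` (both defined outside this hunk) supplies the property socket access; otherwise dhcp's property sets will start being denied.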
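Review bot: `allow drmserver port:tcp_socket name_connect;` lets drmserver open TCP connections to any port, since `port` is the catch-all port type, and together with the existing `self:{ tcp_socket udp_socket } *` that is unrestricted outbound networking for a domain that, in the same hunk, gains read/write on app private files. A comment above it stating which DRM plugin or license-server flow needs it would help, and if the destination ports are known a dedicated port type would be tighter. The three new `{ read write getattr }` rules on platform_app_data_file, app_data_file and sdcard_type files come without matching dir search rights, which suggests the files arrive as fds from the app; if so, say so (surfaceflinger.te in this change words it as `# Use open files supplied by an app.`) and check whether an `appdomain:fd use` rule is needed here as well.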
diff --git a/file.te b/file.te
index 484b8fe742ab05ffcbe83f1d08ffbb413bfe4e2d..65788df5bcb1d678e824c075ff9c43e07e107ba5 100644
--- a/file.te
+++ b/file.te
@@ -16,7 +16,8 @@ type devpts, fs_type, mlstrustedobject;
 type tmpfs, fs_type;
 type shm, fs_type;
 type mqueue, fs_type;
-type sdcard, fs_type, mlstrustedobject;
+type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
+type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, mlstrustedobject;
 # File types
diff --git a/file_contexts b/file_contexts
index 0d2db388b72fb820a57670a19e110b39528df983..d81d5a45d1f3a5413c0b1f16c922fa30c2ad92b2 100644
--- a/file_contexts
+++ b/file_contexts
@@ -153,7 +153,7 @@
 /data/app(/.*)? u:object_r:apk_data_file:s0
 /data/app/vmdl.*\.tmp u:object_r:apk_tmp_file:s0
 /data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
-/data/local(/.*)? u:object_r:shell_data_file:s0
+/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
 # Misc data
 /data/misc/bluetoothd(/.*)? u:object_r:bluetoothd_data_file:s0
 /data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
diff --git a/genfs_contexts b/genfs_contexts
index ff633a76be5fb0c4faa793385d4693f931a1d090..2607b9dabf9e1a9cedb8ba9ea8688297d2a9d627 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -9,6 +9,6 @@ genfscon cgroup / u:object_r:cgroup:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:sdcard:s0
+genfscon vfat / u:object_r:sdcard_external:s0
 genfscon debugfs / u:object_r:debugfs:s0
-genfscon fuse / u:object_r:sdcard:s0
+genfscon fuse / u:object_r:sdcard_internal:s0
diff --git a/mediaserver.te b/mediaserver.te
index f941c6a63ebd279e261736e4028eb0529a3b3a16..9a0ef1d72158c0ca1a2eb326333b77d623943c55 100644
--- a/mediaserver.te
+++ b/mediaserver.te
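Review bot: Narrowing `/data/local(/.*)?` to `/data/local/tmp(/.*)?` means /data/local itself and any sibling of tmp now fall back to whatever the broader /data rule assigns (outside this hunk, presumably system_data_file), so shell's rw_dir_perms on shell_data_file no longer reaches them. That is probably the intent, confining the shell-writable area to /data/local/tmp, but devices that already have the old labels keep them until a relabel runs, which the commit message should mention. A short comment above the line, such as `# Only /data/local/tmp is shell-writable; /data/local itself takes the default /data label.`, records the decision.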
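Review bot: `genfscon fuse / u:object_r:sdcard_internal:s0` labels every FUSE mount as sdcard_internal, not only the sdcardd-provided emulated storage, so any other FUSE filesystem on the device inherits the untrusted_app rw access granted under `app_internal_sdcard_rw`. If no other FUSE mounts exist that is harmless today, but a comment stating the assumption, e.g. `# fuse is only mounted by sdcardd for emulated storage; any other fuse mount would get this label too.`, keeps it from being silently violated later. The vfat line has the same whole-filesystem-type property, which here matches what sdcard_external is meant to cover.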
@@ -8,7 +8,7 @@ net_domain(mediaserver)
 init_daemon_domain(mediaserver)
 unix_socket_connect(mediaserver, property, init)
-r_dir_file(mediaserver, sdcard)
+r_dir_file(mediaserver, sdcard_type)
 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
@@ -17,8 +17,9 @@ binder_service(mediaserver)
 allow mediaserver kernel:system module_request;
 allow mediaserver app_data_file:dir search;
-allow mediaserver app_data_file:file r_file_perms;
-allow mediaserver sdcard:file write;
+allow mediaserver app_data_file:file rw_file_perms;
+allow mediaserver platform_app_data_file:file { getattr read };
+allow mediaserver sdcard_type:file write;
 allow mediaserver camera_device:chr_file rw_file_perms;
 allow mediaserver graphics_device:chr_file rw_file_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
diff --git a/rild.te b/rild.te
index 917634807475dd11071e0585bf55f5a5c0948aa5..c331bb327d25cca72da65b1ae9088bae009e634b 100644
--- a/rild.te
+++ b/rild.te
@@ -23,7 +23,7 @@ allow rild bluetooth_efs_file:dir r_dir_perms;
 allow rild radio_data_file:dir r_dir_perms;
 allow rild radio_data_file:file rw_file_perms;
 allow rild radio_device:lnk_file r_file_perms;
-allow rild sdcard:dir r_dir_perms;
+allow rild sdcard_type:dir r_dir_perms;
 allow rild system_data_file:dir create_dir_perms;
 allow rild system_data_file:file create_file_perms;
 allow rild system_file:file x_file_perms;
diff --git a/sdcardd.te b/sdcardd.te
index 84471d795042521ed6db53b88d6b5bc068827f9c..4445183a0a0a37ce37d680f2a1662fd01c37b78b 100644
--- a/sdcardd.te
+++ b/sdcardd.te
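Review bot: `allow mediaserver app_data_file:file rw_file_perms;` upgrades mediaserver from read-only to read/write on every untrusted app's private files, and because `allow mediaserver app_data_file:dir search;` is kept on the line above it can reach them by path, not only through fds an app hands over. No comment says why write is needed; something like `# Write recording/transcoding output to app-owned files opened on the app's behalf.`, adjusted to the actual trigger, should accompany the rule, and if the real need is fd-based the dir search rule could be reconsidered. The new `platform_app_data_file:file { getattr read }` line is narrower and looks fine.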
@@ -6,8 +6,7 @@ init_daemon_domain(sdcardd)
 allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;
-allow sdcardd sdcard:filesystem mount;
-allow sdcardd self:capability { setuid setgid dac_override };
+allow sdcardd sdcard_type:filesystem mount;
+allow sdcardd self:capability { setuid setgid dac_override sys_admin };
 allow sdcardd system_data_file:dir create_dir_perms;
 allow sdcardd system_data_file:file create_file_perms;
-
diff --git a/shell.te b/shell.te
index 5b4d843e21b045e686571290edb29fa2db3c0336..2f1dd439ffb23b1974f12e5ee436028d8d018b54 100644
--- a/shell.te
+++ b/shell.te
@@ -5,6 +5,7 @@ allow shell rootfs:dir r_dir_perms;
 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;
 allow shell console_device:chr_file rw_file_perms;
+allow shell input_device:chr_file rw_file_perms;
 allow shell system_file:file x_file_perms;
 allow shell shell_exec:file rx_file_perms;
 allow shell zygote_exec:file rx_file_perms;
@@ -13,11 +14,11 @@ allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 # Access sdcard.
-allow shell sdcard:dir rw_dir_perms;
-allow shell sdcard:file create_file_perms;
+allow shell sdcard_type:dir rw_dir_perms;
+allow shell sdcard_type:file create_file_perms;
 r_dir_file(shell, apk_data_file)
-allow shell dalvikcache_data_file:file write;
+allow shell dalvikcache_data_file:file { write setattr };
 # Run logcat.
 allow shell log_device:chr_file r_file_perms;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 30b18168894d2af809c83b37ee5dd7b94247a59c..a383ec11e38e14f0b4ae95197ff089b4cfcacea7 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
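Review bot: Adding `sys_admin` to sdcardd's capability set is the broadest grant in this commit, since CAP_SYS_ADMIN covers mount plus a long list of unrelated privileged operations, and the line carries no comment on what requires it. If the trigger is the FUSE mount sdcardd performs (the `sdcard_type:filesystem mount` rule directly above suggests so, but the hunk does not say), record that: `# sys_admin is needed for mount(2) of the fuse filesystem.` Before landing, it is worth confirming from the denial that no narrower capability or a different mount arrangement (e.g. having the mount done by a domain that already holds it) would suffice.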
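Review bot: `allow shell dalvikcache_data_file:file { write setattr };` lets the shell domain modify and change attributes of dalvik cache files, which are later executed by other domains, so a compromise of the unprivileged shell becomes an integrity concern for system apps; the hunk gives no reason for the widening from `write`. A comment naming the workflow it serves would let reviewers decide whether it belongs in production policy or only under a debug conditional. The `allow shell input_device:chr_file rw_file_perms;` line in the earlier shell.te hunk has the same missing-comment issue; if it backs the `input` tool, say so with `# Inject input events via the input tool.`, hedged to the real consumer.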
@@ -28,3 +28,7 @@ allow surfaceflinger self:netlink_kobject_uevent_socket *;
 allow surfaceflinger system_prop:property_service set;
 allow surfaceflinger ctl_default_prop:property_service set;
+# Use open files supplied by an app.
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger platform_app_data_file:file { read write };
+allow surfaceflinger app_data_file:file { read write };
diff --git a/system.te b/system.te
index a872516596adca972fa35df904212b5ff08070dc..a2a576c06b48eb47e5a3517da180ea8569ea1fb8 100644
--- a/system.te
+++ b/system.te
@@ -28,7 +28,7 @@ selinux_getenforce(system)
 selinux_getenforce(system_app)
 # Settings app reads sdcard for storage stats
-allow system_app sdcard:dir r_dir_perms;
+allow system_app sdcard_type:dir r_dir_perms;
 bool manage_selinux true;
 if (manage_selinux) {
@@ -66,6 +66,9 @@ bluetooth_domain(system)
 # XXX See if we can remove some of these.
 allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
+# Triggered by /proc/pid accesses, not allowed.
+dontaudit system self:capability sys_ptrace;
+
 # Trigger module auto-load.
 allow system kernel:system module_request;
diff --git a/vold.te b/vold.te
index 60d6a37296f1a2c8c3c343d0c441b8f98bdaf607..c1b9055035a9a126b33a747f15052113e1ee7053 100644
--- a/vold.te
+++ b/vold.te
@@ -10,9 +10,9 @@ allow vold block_device:blk_file create_file_perms;
 allow vold block_device:lnk_file read;
 allow vold devpts:chr_file rw_file_perms;
 allow vold rootfs:dir mounton;
-allow vold sdcard:dir mounton;
-allow vold sdcard:filesystem { mount remount unmount };
-allow vold sdcard:dir create_dir_perms;
+allow vold sdcard_type:dir mounton;
+allow vold sdcard_type:filesystem { mount remount unmount };
+allow vold sdcard_type:dir create_dir_perms;
 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
diff --git a/zygote.te b/zygote.te
index 743af36d4a75c980c9c289e6814915229a41792d..24e4189e0b4e331ffe2ddb561fd8510e9f8a94ae 100644
--- a/zygote.te
+++ b/zygote.te
@@ -33,7 +33,7 @@ allow zygote rootfs:file r_file_perms;
 # Setting up /storage/emulated.
 allow zygote rootfs:dir mounton;
-allow zygote sdcard:dir { write search setattr create add_name mounton };
+allow zygote sdcard_type:dir { write search setattr create add_name mounton };
 dontaudit zygote self:capability fsetid;
 allow zygote tmpfs:dir { write create add_name setattr mounton };
 allow zygote tmpfs:filesystem mount;