diff --git a/app.te b/app.te
index f844221a13f2559171f8f0068a022c5804d861f1..028bf4544d9f7ac969ed5d2fadad21b02585c101 100644
--- a/app.te
+++ b/app.te
@@ -24,6 +24,9 @@ allow platform_app shell_data_file:file { open getattr read };
 allow platform_app shell_data_file:lnk_file read;
 # Populate /data/app/vmdl*.tmp file created by system server.
 allow platform_app apk_tmp_file:file rw_file_perms;
+# Read/[open] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow platform_app qtaguid_proc:file { open };
+allow platform_app qtaguid_device:chr_file r_file_perms;
 
 # Apps signed with the media key.
 type media_app, domain;
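Review bot: The new rule on `qtaguid_proc:file` grants only `open`, which on its own permits no I/O on /proc/net/xt_qtaguid/ctrl. An open(2) is also checked for `read` or `write` according to its flags, so the access will most likely still be denied. The comment `Read/[open]` does not say which access is intended. If read-only access is meant, `allow platform_app qtaguid_proc:file r_file_perms;` would match the device rule on the following line. If platform_app writes to ctrl, name `write` explicitly and say so in the comment.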
diff --git a/debuggerd.te b/debuggerd.te
index 8ff37474c00158699034efa09c7ab3dcef8442fd..653d0039689ac2bad3554556dc751fadc84b03cd 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -5,6 +5,7 @@ type debuggerd_exec, exec_type, file_type;
 init_daemon_domain(debuggerd)
 typeattribute debuggerd mlstrustedsubject;
 allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
+allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:process ptrace;
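Review bot: The added `allow debuggerd self:capability2 { syslog };` has no comment, and CAP_SYSLOG is a sensitive grant. It allows reading the kernel log and, depending on kptr_restrict, seeing unmasked kernel addresses. A one-line reason above the rule, in the form `# <why debuggerd needs CAP_SYSLOG; the denial that prompted it>`, would let a later audit decide whether it can be dropped. The same applies to `allow keystore keystore_exec:file { getattr };` in keystore.te and `binder_transfer(mediaserver, surfaceflinger)` in mediaserver.te, neither of which states what operation required it.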
diff --git a/drmserver.te b/drmserver.te
index 624ae13278f45d7e55b6ea6edaf12a183ffb63bf..f30033a2f5265e3806ba25c00cc3465158a8a70d 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -11,6 +11,10 @@ binder_call(drmserver, system)
 binder_call(drmserver, appdomain)
 binder_service(drmserver)
 
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
 allow drmserver sdcard:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
+allow drmserver self:{ tcp_socket udp_socket } *;
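Review bot: `allow drmserver self:{ tcp_socket udp_socket } *;` grants every permission in both socket classes, including server-side ones such as `listen` and `accept` that a license-fetching client presumably does not need. The wildcard also silently picks up any permission added to these classes later. Naming the set keeps the rule auditable, for example `allow drmserver self:{ tcp_socket udp_socket } create_socket_perms;` if that macro is defined in this tree. Unlike the binder_call rule added above it, this rule has no comment saying why drmserver needs network sockets.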
diff --git a/keystore.te b/keystore.te
index 43c913a8560894c794d811c5ac507396745e2bde..6c4d61026fbb0955696d350dab10174a6965f756 100644
--- a/keystore.te
+++ b/keystore.te
@@ -5,3 +5,4 @@ type keystore_exec, exec_type, file_type;
 init_daemon_domain(keystore)
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
diff --git a/mediaserver.te b/mediaserver.te
index 1b97eed725c8bd5fb33305c99fe1c00589b91590..c8adf3ac185bfd9c734bb59648360de81a615601 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -9,6 +9,7 @@ allow mediaserver kernel:system module_request;
 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
 binder_call(mediaserver, appdomain)
+binder_transfer(mediaserver, surfaceflinger)
 binder_service(mediaserver)
 allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file r_file_perms;
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index 8860ef9ddf51fe3787105d32ef6dcc792ad30719..be1bf2563d5ac1922695c1e32e176cea0cf8313d 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -14,3 +14,7 @@ allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system)
 allow wpa random_device:chr_file r_file_perms;
+
+# Create a socket for receiving info from wpa
+type_transition wpa wifi_data_file:sock_file wpa_socket;
+allow wpa wpa_socket:sock_file create_file_perms;
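Review bot: The type `wpa_socket` is used by the `type_transition` and the `allow` rule but is not declared anywhere in this diff. Unless it already exists elsewhere in the tree, the policy will not compile without a declaration such as `type wpa_socket, file_type;`. The transition also relabels every sock_file that wpa creates under a `wifi_data_file` directory, yet no rule in this change lets a peer domain write to `wpa_socket:sock_file`, so clients would presumably be denied unless that access is granted elsewhere. The comment `receiving info from wpa` should name the domain that connects to the socket, since wpa is the creator here.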