diff --git a/adbd.te b/adbd.te
index 4d1e655734883a9f80204a4e934d08ac971c5afb..cc2920b34838c42270d214f6aa46267aaf5582cb 100644
--- a/adbd.te
+++ b/adbd.te
@@ -23,9 +23,10 @@ unix_socket_connect(adbd, vold, vold)
 # Talk to init via the property socket.
 unix_socket_connect(adbd, property, init)
 
-# Read properties.
-allow adbd kernel:fd use;
-allow adbd tmpfs:file read;
+# Run sh in its own domain.
+domain_auto_trans(adbd, shell_exec, shell)
+# Do not sanitize the environment of the shell.
+allow adbd shell:process noatsecure;
 
 # Perform binder IPC to surfaceflinger (screencap)
 # XXX Run screencap in a separate domain?
diff --git a/app.te b/app.te
index 976b6bcf42e9c9779b59f9bc6353aa334bb5ea81..6cc499aa3e1d99fffab32fca26e1bdd417a030d8 100644
--- a/app.te
+++ b/app.te
@@ -30,9 +30,6 @@ allow trusted_app sdcard:file create_file_perms;
 # Populate /data/app/vmdl*.tmp file created by system server.
 # It would be better if this was labeled differently.
 allow trusted_app apk_data_file:file write;
-# Perform binder IPC to any app domain.
-binder_call(trusted_app, appdomain)
-binder_transfer(trusted_app, appdomain)
 
 #
 # An example of a specific domain for a specific app
@@ -105,6 +102,6 @@ binder_use(appdomain)
 # Perform binder IPC to binder services.
 binder_call(appdomain, binderservicedomain)
 binder_transfer(appdomain, binderservicedomain)
-# Perform binder IPC to apps in the trusted_app domain.
-binder_call(appdomain, trusted_app)
-binder_transfer(appdomain, trusted_app)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+binder_transfer(appdomain, appdomain)
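Review bot: `binder_call(appdomain, appdomain)` / `binder_transfer(appdomain, appdomain)` widen the previous trusted_app-centred pair (removed in the first hunk of this file) to every app domain calling every other app domain, presumably including untrusted apps calling each other, and the one-line comment does not record that this widening is deliberate. Suggest stating the intent: `# Perform binder IPC between any two app domains (untrusted included): apps bind to services exported by other apps.` If the intent was narrower than all-to-all, the old source/target split should be kept instead; the old trusted_app rules become redundant only if trusted_app is an appdomain member, which this diff does not show.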
diff --git a/debuggerd.te b/debuggerd.te
index f808ea9b95996e2f6028078945134f26d82f9cce..b85133b9da2a988adb89b73591f5e5f33aafa952 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -12,3 +12,4 @@ allow debuggerd tombstone_data_file:dir create_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd domain:process { sigstop signal };
 allow debuggerd exec_type:file r_file_perms;
+allow debuggerd log_device:chr_file r_file_perms;
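Review bot: The new `log_device` read rule has no comment saying why debuggerd needs the log device, and the rest of the hunk is uncommented as well, so the reason will be lost. Something like `# Read the log device (presumably to include recent log output in tombstones - confirm).` would do; if the intended use is only the tombstone dump, a reviewer can later verify that read-only access is the minimum required.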
diff --git a/domain.te b/domain.te
index 55c9ecd4c628fe4e12505b51ddeb66ba739dae71..2e9720e14d9750ee8ec75b2f541791673d47df2d 100644
--- a/domain.te
+++ b/domain.te
@@ -3,6 +3,10 @@
 # Allow reaping by init.
 allow domain init:process sigchld;
 
+# Read access to properties mapping.
+allow domain kernel:fd use;
+allow domain tmpfs:file read;
+
 # binder adjusts the nice value during IPC.
 allow domain self:capability sys_nice;
 
@@ -29,7 +33,7 @@ allow domain debuggerd:unix_stream_socket connectto;
 
 # Root fs.
 allow domain rootfs:dir r_dir_perms;
-allow domain rootfs:lnk_file read;
+allow domain rootfs:lnk_file { read getattr };
 
 # Device accesses.
 allow domain device:dir search;
diff --git a/drmserver.te b/drmserver.te
index 5b46ea88ce49d987f736209946498416673ec1fb..624ae13278f45d7e55b6ea6edaf12a183ffb63bf 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -8,3 +8,9 @@ typeattribute drmserver mlstrustedsubject;
 # Perform Binder IPC to system server.
 binder_use(drmserver)
 binder_call(drmserver, system)
+binder_call(drmserver, appdomain)
+binder_service(drmserver)
+
+allow drmserver sdcard:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;
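Review bot: None of the six new rules carries the per-rule comment the file uses for its existing rules (e.g. the "Perform Binder IPC to system server." line above), and `binder_call(drmserver, appdomain)` in particular deserves one because it lets drmserver call into any app domain rather than a specific client. Suggest `# Perform Binder IPC to apps (DRM plugin callbacks) and expose drmserver as a binder service.` above the binder lines and `# /data/drm: DRM plugin state; search sdcard for content.` above the file rules, adjusting the wording to whatever the plugins actually need, since the diff does not show the callers. If sdcard content must be read rather than just located, `sdcard:dir search` alone will not be sufficient.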
diff --git a/file.te b/file.te
index 11c3ef649896518fa79503016b187f12fe0d4f12..dc9e768216f3f52196c46f045db48c995d73de84 100644
--- a/file.te
+++ b/file.te
@@ -22,6 +22,8 @@ type unlabeled, file_type;
 type system_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type;
+# /data/drm - DRM plugin data
+type drm_data_file, file_type, data_file_type;
 # /data/anr - ANR traces
 type anr_data_file, file_type, data_file_type;
 # /data/tombstones - core dumps
diff --git a/file_contexts b/file_contexts
index 92c6bb0f4f137c973932ee103cbd352cc2126524..79a3124b12b76e3930492147fbdfb764edfbbd1b 100644
--- a/file_contexts
+++ b/file_contexts
@@ -101,6 +101,7 @@
 # Data files
 #
 /data(/.*)?		u:object_r:system_data_file:s0
+/data/drm(/.*)?		u:object_r:drm_data_file:s0
 /data/gps(/.*)?		u:object_r:gps_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0
diff --git a/shell.te b/shell.te
index a66eaf49fac28a547e58bbde5bb854c562adedce..56250ab5850bea4c39b8025b9c7e10f0112b533e 100644
--- a/shell.te
+++ b/shell.te
@@ -1,6 +1,7 @@
 type shell, domain;
 type shell_exec, file_type;
 domain_auto_trans(adbd, shell_exec, shell)
+allow adbd shell:process noatsecure;
 domain_auto_trans(init, shell_exec, shell)
 allow shell rootfs:dir r_dir_perms;
 allow shell devpts:chr_file rw_file_perms;
@@ -13,9 +14,9 @@ allow shell shell_data_file:dir create_dir_perms;
 allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 
-# Read properties.
-allow shell kernel:fd use;
-allow shell tmpfs:file read;
+# Access sdcard.
+allow shell sdcard:dir rw_dir_perms;
+allow shell sdcard:file rw_file_perms;
 
 r_dir_file(shell, apk_data_file)
 allow shell dalvikcache_data_file:file write;
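Review bot: The new sdcard rules use `rw_dir_perms`/`rw_file_perms`, whereas the shell_data_file rules a few lines above use `create_dir_perms`/`create_file_perms`; if `rw_file_perms` here does not include `create`, the shell domain can read and modify existing files on the sdcard but cannot create new ones, which would break pushing files there. Either confirm that the read/write-only scope is intended and say so in the comment, `# Access existing sdcard content (no create/unlink).`, or use the create_* macros as done for shell_data_file. The replacement of the "Read properties." rules is covered by the new domain-wide rules in domain.te, so that part is fine.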
diff --git a/system.te b/system.te
index ef0d12e5a0332311e2d231fee41bc544679678b5..47e1eeba129edd366cfab61189731b56ff76506e 100644
--- a/system.te
+++ b/system.te
@@ -141,7 +141,7 @@ allow system cache_file:file create_file_perms;
 # Run system programs, e.g. dexopt.
 allow system system_file:file x_file_perms;
 
-# Silently deny any /proc accesses that are not allowed.
-# This suppresses noise from walking the process list.
-dontaudit system domain:dir r_dir_perms;
-dontaudit system domain:file r_file_perms;
+# Allow reading of /proc/pid data for other domains.
+# XXX dontaudit candidate
+allow system domain:dir r_dir_perms;
+allow system domain:file r_file_perms;
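Review bot: Turning the `dontaudit system domain:{dir,file}` pair into `allow` grants the system domain read on every file labeled with any process domain type, which for /proc/pid includes far more than the process list the old comment mentioned (per-process maps, environment and similar entries, depending on what r_file_perms expands to here). The comment should name the concrete /proc entries system needs so the rule can be tightened later, and `# XXX dontaudit candidate` should say what the candidate action is, e.g. `# XXX narrow to the specific /proc/pid files system reads, then restore the dontaudit for the rest.` Without that, the broad allow is likely to be kept indefinitely.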
diff --git a/te_macros b/te_macros
index 75f294c00bc953266375659aafbf03d4d9eb9030..9146e220b074a77f1547b58dedf227b3623effef 100644
--- a/te_macros
+++ b/te_macros
@@ -97,9 +97,6 @@ allow $1 $1_tmpfs:file { read execute execmod };
 define(`init_daemon_domain', `
 domain_auto_trans(init, $1_exec, $1)
 tmpfs_domain($1)
-# Read properties.
-allow $1 kernel:fd use;
-allow $1 tmpfs:file read;
 ')
 
 #####################################
diff --git a/ueventd.te b/ueventd.te
index 89dd9ee933dbf18e96e63734d436d018997f4339..5e513322cdeff3830ddbf3b505b90d01075ab059 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -16,6 +16,3 @@ allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { create setattr unlink };
 allow ueventd dev_type:blk_file { create setattr unlink };
 allow ueventd self:netlink_kobject_uevent_socket *;
-# Read properties.
-allow ueventd kernel:fd use;
-allow ueventd tmpfs:file read;