diff --git a/drmserver.te b/drmserver.te
index 8727bc175d5a70e00e8d4f2724fe50fcc9f1138b..b465430ca55c9fd986d4d02a5b97ed46d3f04f34 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -1,6 +1,36 @@
 # drmserver - DRM service
 type drmserver, domain;
+permissive drmserver;
 type drmserver_exec, exec_type, file_type;
 
 init_daemon_domain(drmserver)
-unconfined_domain(drmserver)
+typeattribute drmserver mlstrustedsubject;
+
+# Perform Binder IPC to system server.
+binder_use(drmserver)
+binder_call(drmserver, system_server)
+binder_call(drmserver, appdomain)
+binder_service(drmserver)
+
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
+allow drmserver sdcard_type:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;
+allow drmserver self:{ tcp_socket udp_socket } *;
+allow drmserver port:tcp_socket name_connect;
+allow drmserver tee_device:chr_file rw_file_perms;
+allow drmserver platform_app_data_file:file { read write getattr };
+allow drmserver { app_data_file asec_apk_file }:file { read write getattr };
+allow drmserver sdcard_type:file { read write getattr };
+allow drmserver efs_file:file { open read getattr };
+
+type drmserver_socket, file_type;
+
+# /data/app/tlcd_sock socket file.
+# Clearly, /data/app is the most logical place to create a socket.  Not.
+allow drmserver apk_data_file:dir rw_dir_perms;
+type_transition drmserver apk_data_file:sock_file drmserver_socket;
+allow drmserver drmserver_socket:sock_file create_file_perms;
+allow drmserver tee:unix_stream_socket connectto;