diff --git a/adbd.te b/adbd.te
index f92414953a84908a3d93a5424e109510bdc7c434..074f35b001aa3e363f0fea22dcb019d8e1667bf0 100644
--- a/adbd.te
+++ b/adbd.te
@@ -15,6 +15,9 @@ allow adbd cgroup:dir { write add_name create };
 allow adbd labeledfs:filesystem remount;
 allow adbd shell_data_file:dir rw_dir_perms;
 allow adbd shell_data_file:file create_file_perms;
+allow adbd sdcard_type:dir create_dir_perms;
+allow adbd sdcard_type:file create_file_perms;
+
 allow adbd graphics_device:dir search;
 allow adbd graphics_device:chr_file r_file_perms;
 allow adbd log_device:chr_file r_file_perms;
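Review bot: The two added sdcard_type rules give adbd full create/rename/unlink rights over external storage with no comment, while the shell_data_file rules two lines above only take `rw_dir_perms` on a dedicated label. A one-line rationale above `allow adbd sdcard_type:dir create_dir_perms;` would help the next reader, e.g. `# Presumably adb push/pull to external storage; confirm which operations actually need create_dir_perms.` If only writing into existing directories is required, `rw_dir_perms` as used for shell_data_file would be the narrower grant; I can't tell from the hunk which is intended.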
diff --git a/app.te b/app.te
index 76b765d37b836ecc90c337c2a6f03283e0306fee..90dfd96e3969e515ed63857098a115d9f334e68a 100644
--- a/app.te
+++ b/app.te
@@ -120,6 +120,7 @@ bool app_bluetooth false;
 if (app_bluetooth or android_cts) {
 # No specific SELinux class for bluetooth sockets presently.
 allow untrusted_app self:socket *;
+allow untrusted_app bluetooth:unix_stream_socket { read write shutdown };
 }
 # Internal SDCard rw access.
 bool app_internal_sdcard_rw true;
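Review bot: The new `allow untrusted_app bluetooth:unix_stream_socket { read write shutdown };` sits under a comment that explains the `self:socket *` rule ("No specific SELinux class for bluetooth sockets"), but it grants something different: use of a stream socket created by the bluetooth domain and handed to the app. A comment of its own, e.g. `# Talk to the bluetooth process over a socket it created and passed to the app.`, would keep the two rationales apart. The rule also names `untrusted_app` rather than `appdomain`, so other app domains in the same conditional block would still be denied; whether that is deliberate isn't visible here.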
@@ -163,7 +164,7 @@ allow appdomain zygote:process sigchld;
 
 # Communicate over a FIFO or socket created by the system_server.
 allow appdomain system:fifo_file rw_file_perms;
-allow appdomain system:unix_stream_socket { read write };
+allow appdomain system:unix_stream_socket { read write setopt };
 
 # Communicate over a socket created by surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
diff --git a/dhcp.te b/dhcp.te
index 0c533eb4097c72247acabdc54f4c8452eee53355..10ab788eddcadb7308e26ed73ac3be639318195e 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -4,16 +4,15 @@ type dhcp_data_file, file_type, data_file_type;
 type dhcp_system_file, file_type, data_file_type;
 
 init_daemon_domain(dhcp)
+net_domain(dhcp)
 
-allow dhcp cgroup:dir { create add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw };
-allow dhcp self:packet_socket { create setopt bind write read };
-allow dhcp self:netlink_route_socket { write nlmsg_write read create bind };
-allow dhcp self:udp_socket { create ioctl };
-allow dhcp shell_exec:file { read open execute };
-allow dhcp system_file:file execute_no_trans;
+allow dhcp cgroup:dir { create write add_name };
+allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:packet_socket create_socket_perms;
+allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
+allow dhcp shell_exec:file rx_file_perms;
+allow dhcp system_file:file rx_file_perms;
 allow dhcp proc:file write;
-allow dhcp property_socket:sock_file write ;
 allow dhcp system_prop:property_service set ;
 allow dhcp dhcp_system_file:file rx_file_perms;
 allow dhcp dhcp_system_file:dir r_dir_perms;
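Review bot: The rewritten capability line adds `net_bind_service`, and the packet and netlink rules move from enumerated permissions to `create_socket_perms` (plus `net_domain(dhcp)`), all of which are broader than the rules they replace, yet nothing in the hunk records why. Suggest a rationale above the capability line, e.g. `# DHCP client: packet/netlink sockets for discovery and route setup; net_bind_service for the privileged client port.` The removed `self:udp_socket { create ioctl }` and `property_socket:sock_file write` rules are presumably now covered by `net_domain(dhcp)` or a base domain macro not shown in this hunk; worth confirming, since a missed one would only surface as a runtime denial.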
diff --git a/drmserver.te b/drmserver.te
index dcf3cc9527a3b00a9041babe35fd26c72ad259e0..9ef3189a80096be44f4ada620cf42652501f8950 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -18,4 +18,8 @@ allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver self:{ tcp_socket udp_socket } *;
+allow drmserver port:tcp_socket name_connect;
 allow drmserver tee_device:chr_file rw_file_perms;
+allow drmserver platform_app_data_file:file { read write getattr };
+allow drmserver app_data_file:file { read write getattr };
+allow drmserver sdcard_type:file { read write getattr };
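Review bot: The three new `{ read write getattr }` rules on platform_app_data_file, app_data_file and sdcard_type files say nothing about how drmserver comes by those files; without `open` they look like descriptors passed in by apps, and if so an `allow drmserver appdomain:fd use;` rule would normally accompany them (the surfaceflinger hunk in this same commit pairs its equivalent rules with exactly that and a comment). Suggest `# Read/write open files supplied by apps (no open: passed fds only, not by path).` above the first of them; the mediaserver hunk's app_data_file rules are missing the same rationale. Separately, `allow drmserver port:tcp_socket name_connect;` together with the existing `self:{ tcp_socket udp_socket } *` lets drmserver connect to any port labelled `port`; a comment naming the service it needs to reach would make later tightening to a specific port type possible.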
diff --git a/file_contexts b/file_contexts
index b14a13448bfcb88c2cf6b5c1621babf7a7e446ad..7785f4e7c8e1b291f3a9c6fdc43c7cdc0dcd0f96 100644
--- a/file_contexts
+++ b/file_contexts
@@ -165,7 +165,7 @@
 /data/app(/.*)?		u:object_r:apk_data_file:s0
 /data/app/vmdl.*\.tmp	u:object_r:apk_tmp_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
-/data/local(/.*)?	u:object_r:shell_data_file:s0
+/data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 # Misc data
 /data/misc/bluetoothd(/.*)?	u:object_r:bluetoothd_data_file:s0
 /data/misc/bluetooth(/.*)?	u:object_r:bluetooth_data_file:s0
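Review bot: Narrowing the entry to `/data/local/tmp(/.*)?` means `/data/local` itself and anything else under it no longer match this line and fall back to the broader `/data` entry earlier in the file (not in this hunk), so the adbd and shell rules on shell_data_file no longer cover them. That looks like the intent, but a comment such as `# Only /data/local/tmp is shell-writable; /data/local itself keeps the generic /data label.` would record it for the next reader. On already-provisioned devices the existing `/data/local` tree keeps its old label until relabelled, so this presumably needs a matching restorecon step at upgrade; worth confirming.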
diff --git a/mediaserver.te b/mediaserver.te
index 85be2d5de214ee3c6e2e2f4a1db7c817423c0472..3e78ce2e5196a7c8d34f6269ef55186b3ade10ae 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -17,7 +17,8 @@ binder_service(mediaserver)
 
 allow mediaserver kernel:system module_request;
 allow mediaserver app_data_file:dir search;
-allow mediaserver app_data_file:file r_file_perms;
+allow mediaserver app_data_file:file rw_file_perms;
+allow mediaserver platform_app_data_file:file { getattr read };
 allow mediaserver sdcard_type:file write;
 allow mediaserver camera_device:chr_file rw_file_perms;
 allow mediaserver graphics_device:chr_file rw_file_perms;
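Review bot: `app_data_file:file` moves from `r_file_perms` to `rw_file_perms`, while the new `platform_app_data_file:file { getattr read }` rule is read-only and omits `open`; the asymmetry is undocumented, and since `rw_file_perms` includes `open` and the `app_data_file:dir search` rule above permits path lookup, mediaserver can now open and write untrusted-app files by path rather than only through descriptors an app passes in. If the fd-passing pattern is the intent, `{ read write getattr }` without `open` (the form the drmserver and surfaceflinger hunks use) is the narrower grant. Either way a comment stating why write access to app data is needed should accompany the change; I can't infer the use case from the hunk.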
diff --git a/shell.te b/shell.te
index bf9ee44a5d1d7709f1a73b8cd791bb3ed89ff8bd..2f1dd439ffb23b1974f12e5ee436028d8d018b54 100644
--- a/shell.te
+++ b/shell.te
@@ -5,6 +5,7 @@ allow shell rootfs:dir r_dir_perms;
 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;
 allow shell console_device:chr_file rw_file_perms;
+allow shell input_device:chr_file rw_file_perms;
 allow shell system_file:file x_file_perms;
 allow shell shell_exec:file rx_file_perms;
 allow shell zygote_exec:file rx_file_perms;
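Review bot: `allow shell input_device:chr_file rw_file_perms;` gives the shell domain write access to input event devices, something none of the neighbouring tty/console rules imply, and the hunk carries no comment. A one-liner such as `# Read/write input event devices for the getevent/sendevent shell tools.` would record the intent; if only reading events is needed, `r_file_perms` would be the narrower grant, which I can't determine from the hunk. The later hunk in this file likewise adds `setattr` on dalvikcache_data_file without saying why; a similar note there would help.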
@@ -17,7 +18,7 @@ allow shell sdcard_type:dir rw_dir_perms;
 allow shell sdcard_type:file create_file_perms;
 
 r_dir_file(shell, apk_data_file)
-allow shell dalvikcache_data_file:file write;
+allow shell dalvikcache_data_file:file { write setattr };
 
 # Run logcat.
 allow shell log_device:chr_file r_file_perms;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 30b18168894d2af809c83b37ee5dd7b94247a59c..a383ec11e38e14f0b4ae95197ff089b4cfcacea7 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -28,3 +28,7 @@ allow surfaceflinger self:netlink_kobject_uevent_socket *;
 allow surfaceflinger system_prop:property_service set;
 allow surfaceflinger ctl_default_prop:property_service set;
 
+# Use open files supplied by an app.
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger platform_app_data_file:file { read write };
+allow surfaceflinger app_data_file:file { read write };
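Review bot: The two new file rules grant `{ read write }` without `open`, so together with the `appdomain:fd use` rule above they cover only descriptors an app hands over and not by-path access, but the comment doesn't make that explicit, and a later maintainer could "fix" a denial by adding `open`. Suggest widening the comment to `# Use open files supplied by an app (no open: passed fds only, never by path).` Whether `getattr` is also needed here, as the drmserver hunk's equivalent rules include, isn't something I can tell from this hunk.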
diff --git a/system.te b/system.te
index cf92bca9f08c745f87d85a2ce536be86253c0e24..503bd3c719e648cc650800676af9877e5f20668d 100644
--- a/system.te
+++ b/system.te
@@ -66,6 +66,9 @@ bluetooth_domain(system)
 # XXX See if we can remove some of these.
 allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
 
+# Triggered by /proc/pid accesses, not allowed.
+dontaudit system self:capability sys_ptrace;
+
 # Trigger module auto-load.
 allow system kernel:system module_request;
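Review bot: `dontaudit system self:capability sys_ptrace;` silences the denial without saying which code path in system is touching other processes' /proc/pid entries, so a future genuine need for sys_ptrace would be masked rather than reported. The comment should name the source of the accesses, e.g. `# Triggered by /proc/pid reads from <component to be named>; the reads succeed without sys_ptrace, so don't audit the capability check.` Worth revisiting once the caller is identified, since a dontaudit hides exactly the evidence that would show it was wrong.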