diff --git a/sepolicy/adsprpcd.te b/sepolicy/adsprpcd.te
index ba721f4..6de0f79 100644
--- a/sepolicy/adsprpcd.te
+++ b/sepolicy/adsprpcd.te
@@ -1,6 +1,8 @@
 allow adsprpcd mnt_vendor_file:dir create_dir_perms;
 allow adsprpcd mnt_vendor_file:file create_file_perms;
+allow adsprpcd vendor_file:dir read;
+
 allow adsprpcd sysfs_sensors:dir r_dir_perms;
 allow adsprpcd sysfs_sensors:file r_file_perms;
 allow adsprpcd sysfs_sensors:lnk_file r_file_perms;
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
new file mode 100644
index 0000000..1fccd3b
--- /dev/null
+++ b/sepolicy/bootanim.te
@@ -0,0 +1 @@
+allow bootanim userspace_reboot_exported_prop:file { getattr open read };
diff --git a/sepolicy/hal_bluetooth_qti.te b/sepolicy/hal_bluetooth_qti.te
index 713f1c9..bef81f6 100644
--- a/sepolicy/hal_bluetooth_qti.te
+++ b/sepolicy/hal_bluetooth_qti.te
@@ -5,6 +5,8 @@ allow hal_bluetooth_qti bluetooth_efs_file:file create_file_perms;
 allow hal_bluetooth_qti diag_device:chr_file rw_file_perms;
+allow hal_bluetooth_qti sysfs:file write;
+
 r_dir_file(hal_bluetooth_qti, vendor_convergence_data_file)
 get_prop(hal_bluetooth_qti, vendor_factory_prop)
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
index 5f290f6..f242995 100644
--- a/sepolicy/hal_fingerprint_default.te
+++ b/sepolicy/hal_fingerprint_default.te
@@ -19,3 +19,5 @@ allow hal_fingerprint_default biometrics_vendor_data_file:file create_file_perms
 allow hal_fingerprint_default vendor_data_file:dir create_dir_perms;
 allow hal_fingerprint_default vendor_data_file:file create_file_perms;
+
+allow hal_fingerprint_default fingerprintd_data_file:dir write;
diff --git a/sepolicy/hal_gnss_qti.te b/sepolicy/hal_gnss_qti.te
index db6acc3..e01d464 100644
--- a/sepolicy/hal_gnss_qti.te
+++ b/sepolicy/hal_gnss_qti.te
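Review bot: `allow bootanim userspace_reboot_exported_prop:file { getattr open read };` hand-writes a property read that this policy expresses elsewhere with the `get_prop()` macro (the rild.te hunk keeps `get_prop(rild, csc_prop)`), so `get_prop(bootanim, userspace_reboot_exported_prop)` would be the consistent form. The same raw `:file { getattr open read }` shape recurs for csc_prop in hal_gnss_qti.te, location.te, mediaserver.te, qmuxd.te and system_server.te in this diff. bootanim, mediaserver and system_server are platform domains; needing a device overlay to add property reads for them usually indicates the property is missing the context the platform already grants, which is worth checking before carrying the rule.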
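Review bot: `allow hal_bluetooth_qti sysfs:file write;` grants writes to every sysfs node still carrying the generic `sysfs` label, not just the one the HAL needs, so a bug in the HAL can reach any unlabelled kernel tunable. The usual fix is to give that path a dedicated type with a `genfscon sysfs` entry in genfs_contexts and allow only that type. The same generic-sysfs write pattern recurs in hal_gnss_qti.te, hal_health_default.te, hal_power_default.te, hal_sensors_default.te, init.te and qti_init_shell.te in this diff.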
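Review bot: `allow hal_fingerprint_default fingerprintd_data_file:dir write;` grants `write` on the directory without `add_name` or `remove_name`, so it cannot complete a file creation or removal and looks like a partially transcribed denial. `fingerprintd_data_file` is the system-side fingerprint data label, whereas the HAL's existing rules in this hunk use `biometrics_vendor_data_file` and `vendor_data_file`; confirm from the denial which path is actually touched, since a vendor HAL writing into system-owned data is a boundary the platform deliberately keeps. If the access is real, the target should be relabelled to a vendor data type in file_contexts rather than granting the system label here.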
@@ -7,3 +7,11 @@ allow hal_gnss_qti vendor_data_file:dir rw_dir_perms;
 allow hal_gnss_qti vendor_gps_file:dir rw_dir_perms;
 allow hal_gnss_qti vendor_gps_file:file create_file_perms;
+
+allow hal_gnss_qti csc_prop:file { getattr open read };
+
+allow hal_gnss_qti qmuxd:unix_stream_socket connectto;
+allow hal_gnss_qti qmuxd_socket:dir { add_name write };
+allow hal_gnss_qti qmuxd_socket:sock_file { create write };
+
+allow hal_gnss_qti sysfs:file { getattr open write };
diff --git a/sepolicy/hal_health_default.te b/sepolicy/hal_health_default.te
index 99a4436..720cf1d 100644
--- a/sepolicy/hal_health_default.te
+++ b/sepolicy/hal_health_default.te
@@ -1,5 +1,11 @@
 allow hal_health_default mnt_vendor_file:dir search;
+allow hal_health_default app_efs_file:file { setattr write };
+
+allow hal_health_default default_android_hwservice:hwservice_manager add;
+
+allow hal_health_default sysfs:file { getattr open read write };
+
 r_dir_file(hal_health_default, app_efs_file)
 r_dir_file(hal_health_default, efs_file)
 r_dir_file(hal_health_default, battery_efs_file)
diff --git a/sepolicy/hal_perf_default.te b/sepolicy/hal_perf_default.te
index c333929..8dd4d06 100644
--- a/sepolicy/hal_perf_default.te
+++ b/sepolicy/hal_perf_default.te
@@ -1,5 +1,12 @@
 allow hal_perf_default self:capability kill;
+allow hal_perf_default self:capability dac_override;
 allow hal_perf_default proc_sched:file rw_file_perms;
+allow hal_perf_default property_socket:sock_file write;
+
+allow hal_perf_default init:unix_stream_socket connectto;
+
+allow hal_perf_default vendor_default_prop:property_service set;
+
 get_prop(hal_perf_default, sec_camera_prop)
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
index 3fd57fa..b5cd898 100644
--- a/sepolicy/hal_power_default.te
+++ b/sepolicy/hal_power_default.te
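Review bot: `allow hal_gnss_qti qmuxd_socket:sock_file { create write };` together with `allow hal_gnss_qti qmuxd_socket:dir { add_name write };` lets the GNSS HAL create socket files inside qmuxd's socket directory, which is more than a client connection needs and lets the HAL plant files under the server's label. If the HAL only connects, `unix_socket_connect(hal_gnss_qti, qmuxd, qmuxd)` (assuming the type follows the `<name>_socket` convention that macro expects) plus the existing `connectto` is sufficient; if the HAL really binds its own socket there, that socket should get its own type in file_contexts. The `csc_prop` read here should use `get_prop()` and the generic `sysfs:file` write a dedicated sysfs label, as raised on the earlier hunks.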
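Review bot: `allow hal_health_default default_android_hwservice:hwservice_manager add;` lets the health HAL register under the catch-all hwservice context, which means the interface it publishes has no hwservice_contexts entry and clients cannot be pinned to it; platform neverallow rules on the default hwservice type are also likely to reject it. Declare a specific `<name>_hwservice` type, map the interface in hwservice_contexts and grant it with `add_hwservice(hal_health_default, <name>_hwservice)`. The same catch-all registration is added for init in init.te and rild in rild.te. Separately, `app_efs_file:file { setattr write }` sits beside the existing `r_dir_file(hal_health_default, app_efs_file)`; if both are needed, a single `rw_file_perms` rule is clearer than read via macro and write via a raw rule.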
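Review bot: `allow hal_perf_default self:capability dac_override;` lets the HAL bypass DAC permission checks on every file it touches, which hides the actual problem, a node owned by the wrong user or group. Fix the ownership in the relevant init rc or ueventd entry and drop the capability; the same capability is added for macloader, qti_init_shell and thermal-engine in this diff. The three property rules below (`property_socket:sock_file write`, `init:unix_stream_socket connectto`, `vendor_default_prop:property_service set`) are what `set_prop(hal_perf_default, vendor_default_prop)` expands to, and `vendor_default_prop` is the catch-all vendor property context, so the property being set should get its own entry in property_contexts and be granted with `set_prop()` on that type.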
@@ -7,3 +7,6 @@ allow hal_power_default sysfs_batteryinfo:file rw_file_perms;
 allow hal_power_default sysfs_tsp:dir r_dir_perms;
 allow hal_power_default sysfs_tsp:file rw_file_perms;
+allow hal_power_default sysfs_tsp:lnk_file read;
+
+allow hal_power_default sysfs:file { open read write };
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
index ec70f01..3803fee 100644
--- a/sepolicy/hal_sensors_default.te
+++ b/sepolicy/hal_sensors_default.te
@@ -1,6 +1,9 @@
 allow hal_sensors_default input_device:dir r_dir_perms;
 allow hal_sensors_default input_device:chr_file rw_file_perms;
+allow hal_sensors_default sysfs:dir { open read };
+allow hal_sensors_default sysfs:file { open getattr write };
+
 allow hal_sensors_default sysfs_sensors:dir r_dir_perms;
 allow hal_sensors_default sysfs_sensors:file rw_file_perms;
diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te
new file mode 100644
index 0000000..217dd31
--- /dev/null
+++ b/sepolicy/hal_wifi_default.te
@@ -0,0 +1 @@
+allow hal_wifi_default vendor_convergence_data_file:file { open read write };
diff --git a/sepolicy/hwservicemanager.te b/sepolicy/hwservicemanager.te
new file mode 100644
index 0000000..79161ba
--- /dev/null
+++ b/sepolicy/hwservicemanager.te
@@ -0,0 +1 @@
+allow hwservicemanager init:binder call;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 70040a8..ad3e4b8 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
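Review bot: `allow hwservicemanager init:binder call;` means something running in the `init` domain is talking to hwservicemanager over binder, which init itself does not do; the same symptom appears in system_server.te (`allow system_server init:binder call;`) and in init.te, where this commit adds hwservice registrations alongside an `execute_no_trans` rule. These rules should not be carried as-is: the daemon that ended up in init's domain needs its own domain via `init_daemon_domain()`, after which the binder and hwservice rules belong to that domain. Until then that daemon runs with init's full privileges.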
@@ -3,6 +3,29 @@ allow init omr_file:dir mounton;
 allow init vendor_firmware_file:file mounton;
 allow init dsp_file:dir mounton;
+allow init system_file:file execute_no_trans;
+allow init vendor_file:file execute_no_trans;
+
 allow init socket_device:sock_file create;
 allow init sysfs_graphics:file { open read write };
+
+allow init default_android_hwservice:hwservice_manager add;
+
+allow init diag_device:chr_file { open read write ioctl };
+
+allow init hal_light_hwservice:hwservice_manager { add find };
+
+allow init hidl_base_hwservice:hwservice_manager add;
+
+allow init hwservicemanager:binder { call transfer };
+
+allow init node:tcp_socket node_bind;
+
+allow init proc:file setattr;
+
+allow init self:netlink_socket { create read bind };
+allow init self:tcp_socket { bind create };
+
+allow init sysfs:dir create;
+allow init sysfs:file { open setattr write };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
index e043e16..0d3ee76 100644
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@@ -3,3 +3,5 @@ allow kernel block_device:dir search;
 allow kernel debug_block_device:blk_file rw_file_perms;
 allow kernel { tmpfs system_block_device }:blk_file read;
+
+allow kernel sysfs:file { open read };
diff --git a/sepolicy/location.te b/sepolicy/location.te
new file mode 100644
index 0000000..0d468f8
--- /dev/null
+++ b/sepolicy/location.te
@@ -0,0 +1 @@
+allow location csc_prop:file { getattr open read };
diff --git a/sepolicy/macloader.te b/sepolicy/macloader.te
index 8720438..0ff066e 100644
--- a/sepolicy/macloader.te
+++ b/sepolicy/macloader.te
@@ -4,6 +4,7 @@ type macloader_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(macloader)
 allow macloader self:capability { chown fowner fsetid net_admin net_raw sys_module };
+allow macloader self:capability dac_override;
 allow macloader self:udp_socket { ioctl create };
 allowxperm macloader self:udp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
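Review bot: `allow init system_file:file execute_no_trans;` and `allow init vendor_file:file execute_no_trans;` let init run any system or vendor binary without a domain transition, so the launched service inherits the init domain and none of the HAL confinement applies to it. The rest of this hunk (`hwservice_manager { add find }`, `hwservicemanager:binder { call transfer }`, `diag_device:chr_file`, `self:tcp_socket`/`self:netlink_socket` creation, `proc:file setattr`) reads like the access profile of that unconfined service rather than of init. Give the service its own exec type and `init_daemon_domain()`, as macloader.te in this diff does, and move these rules to that domain; the platform's neverallow rules on init executing without a transition are likely to reject the `execute_no_trans` lines in any case. `allow init sysfs:dir create;` and the generic `sysfs:file` write should likewise target a dedicated sysfs label.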
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..e43cdcb
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1 @@
+allow mediaserver exported_camera_prop:file { open read getattr };
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
index 8f3242e..6a19323 100644
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
@@ -6,6 +6,7 @@ allow mm-qcamerad camera_socket:sock_file { create unlink write };
 allow mm-qcamerad sysfs_camera_writable:dir search;
 allow mm-qcamerad sysfs_camera_writable:file { read write open getattr };
+allow mm-qcamerad sysfs_leds:dir search;
 allow mm-qcamerad sec_camera_prop:file { read open getattr };
 allow mm-qcamerad sec_camera_prop:property_service set;
diff --git a/sepolicy/qmuxd.te b/sepolicy/qmuxd.te
new file mode 100644
index 0000000..6034540
--- /dev/null
+++ b/sepolicy/qmuxd.te
@@ -0,0 +1 @@
+allow qmuxd vendor_radio_prop:file { getattr open read };
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
index 2df91cd..1734f10 100644
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@@ -2,4 +2,10 @@ allow qti_init_shell mnt_vendor_file:dir create_dir_perms;
 allow qti_init_shell sensors_persist_file:dir create_dir_perms;
+allow qti_init_shell persist_file:lnk_file read;
+
+allow qti_init_shell self:capability dac_override;
+
+allow qti_init_shell sysfs:file write;
+
 set_prop(qti_init_shell, ctl_default_prop)
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index c8190d4..7b6c213 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -5,4 +5,14 @@ allowxperm rild tun_device:chr_file ioctl { TUNSETIFF TUNSETPERSIST };
 allow rild proc_net:file write;
+allow rild app_efs_file:file { getattr open read };
+
+allow rild default_android_hwservice:hwservice_manager add;
+allow rild default_prop:property_service set;
+
+allow rild imei_efs_file:file { open read setattr getattr write };
+
+allow rild system_data_file:dir { write add_name };
+allow rild system_data_file:file { create open write };
+
 get_prop(rild, csc_prop)
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
new file mode 100644
index 0000000..9103344
--- /dev/null
+++ b/sepolicy/sensors.te
@@ -0,0 +1,2 @@
+allow sensors app_efs_file:dir { getattr open read search };
+allow sensors app_efs_file:file { getattr open read write };
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..dec4141
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,4 @@
+allow system_server init:binder call;
+
+allow system_server userspace_reboot_config_prop:file { getattr open read };
+allow system_server userspace_reboot_exported_prop:file { getattr open read };
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
new file mode 100644
index 0000000..aad40eb
--- /dev/null
+++ b/sepolicy/thermal-engine.te
@@ -0,0 +1,4 @@
+allow thermal-engine self:capability dac_override;
+
+allow thermal-engine sysfs:dir { open read };
+allow thermal-engine sysfs:file { getattr open read };
diff --git a/sepolicy/toolbox.te b/sepolicy/toolbox.te
new file mode 100644
index 0000000..22f33dc
--- /dev/null
+++ b/sepolicy/toolbox.te
@@ -0,0 +1 @@
+allow toolbox rootfs:dir { open read setattr };
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
index bcea5e3..fb87fab 100644
--- a/sepolicy/vendor_init.te
+++ b/sepolicy/vendor_init.te
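Review bot: `allow rild system_data_file:dir { write add_name };` and `allow rild system_data_file:file { create open write };` let a vendor daemon create files under the core `/data` label, which cuts across the system/vendor data split that the platform's neverallow rules exist to enforce. Label the directory rild actually writes with a vendor data type in file_contexts and grant that type instead; vendor_init.te in this diff adds the same `system_data_file:dir` write. `allow rild default_prop:property_service set;` likewise lets rild set any property that has no context of its own, so the property should get a property_contexts entry and a `set_prop()` rule, and `default_android_hwservice:hwservice_manager add` needs a named hwservice type as raised on hal_health_default.te.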
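Review bot: `allow toolbox rootfs:dir { open read setattr };` grants `setattr` on rootfs directories, which presumably comes from a `chmod`/`chown` of a root-filesystem path in an init rc script; vold.te in this diff adds the same `rootfs:dir setattr`. Such attribute changes on the root filesystem usually indicate the rc line targets a directory that should live under a writable, specifically labelled path, so the rc line is the thing to fix rather than the policy. If the write is intended, the target directory should carry its own label rather than `rootfs`.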
@@ -5,6 +5,18 @@ allow vendor_init proc_hung_task:file rw_file_perms;
 allow vendor_init proc_sched:file rw_file_perms;
 allow vendor_init proc_swappiness:file rw_file_perms;
 allow vendor_init proc_sysrq:file rw_file_perms;
+allow vendor_init proc_dirty:file write;
+allow vendor_init proc_min_free_order_shift:file write;
+allow vendor_init proc_overcommit_memory:file write;
+allow vendor_init proc_panic:file write;
+
+allow vendor_init asec_apk_file:dir { getattr open read };
+allow vendor_init device:file { create write };
+allow vendor_init mnt_product_file:dir { getattr open read };
+allow vendor_init persist_file:lnk_file read;
+allow vendor_init self:capability sys_rawio;
+allow vendor_init system_data_file:dir { add_name create setattr write };
+allow vendor_init tombstone_data_file:dir getattr;
 set_prop(vendor_init, camera_prop)
 set_prop(vendor_init, config_prop)
diff --git a/sepolicy/vendor_per_mgr.te b/sepolicy/vendor_per_mgr.te
new file mode 100644
index 0000000..2ce01f4
--- /dev/null
+++ b/sepolicy/vendor_per_mgr.te
@@ -0,0 +1 @@
+allow vendor_per_mgr self:capability net_raw;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..b6e9c24
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,5 @@
+allow vold hal_bootctl_hwservice:hwservice_manager find;
+
+allow vold rootfs:dir setattr;
+
+allow vold sysfs_mmc_host:file write;
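Review bot: `allow vendor_init self:capability sys_rawio;` hands vendor_init raw block-device and port I/O capability, far wider than any write to a labelled proc or sysfs node requires; identify the rc command that triggers it (presumably a block-device operation) and either move it to a confined daemon or drop it rather than granting the capability. `allow vendor_init device:file { create write };` similarly creates regular files under the generic `/dev` label, which means the path has no file_contexts entry — add one and grant the specific type. The `system_data_file:dir { add_name create setattr write }` rule is the same cross-partition `/data` write raised on rild.te; `mkdir` lines for vendor directories in rc scripts should target a vendor-labelled path.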