authorLinux Build Service Account <lnxbuild@localhost>2016-09-14 20:15:17 -0600
committerLinux Build Service Account <lnxbuild@localhost>2016-09-14 20:15:17 -0600
commitbd14aa20396870842e312ec60199e30793550f23 (patch)
tree2d382700b555f03a9211403a90319f49760183f7
parent359064175a50056e72121989c46275ebcc6b8b28 (diff)
parent9529c0d8f0de2eaad520c80b44dc82e474b58f41 (diff)
Promotion of sepolicy.lnx.2.0-00034.
CRs Change ID Subject -------------------------------------------------------------------------------------------------------------- 1057269 Iefa7474ec1ddcb0efe0689ff065629aa1d99c0b9 sepolicy: Adding permissions for camerasever. 1052935 I7713f18a10508ef297e2742969dc5f9064cf9b50 sepolicy: Restrict diag access available to domains 1064092 I5b2624082479d9f9c346aa6acc0cb2235f2f7a63 sepolicy: allow qseecomd to access qsee_ipc_irq_spss dev 1050321 1063858 I9ddd96bf9882fc73dc83b62af24b74670eb36792 Add policy for persist time folder 1063858 I1a7a379a7ac62bc994b24329e056580f9712cbfc Add search rights to persist file for time_daemon 1056052 Ic2ff9b497d7a0b0dca91b72c328b3eb5cda17cce netmgrd: Enable support for destroying TCP sockets throu 1025803 I5b84094fa4f429095c45c3536e6a193e98786eb2 sepolicy:Add oemfs ruler for carrier switch 1063804 Idcdddd06df9d959e78ee80a36c890c8560c41350 sepolicy: Allow mmi access boot mode prop 1064752 I5d65ffaf92617b3942820c0892a0700737c1a07b sepolicy: Add DRM device node to sepolicy file_contexts 1063341 I7ac989f3f26b3d084454cef3e12a44eef083975c sepolicy: allow spdaemon to access cryptoapp device node 1062722 I7ec47c2654b93e5b96ea93e4930cc3b227ca79d0 Sepolicy: allow ipacm to create netfilter socket 1038954 I41cc8a41b096c1b03f43472d1bce51638fa87976 sepolicy: Add adsrpc permission to camera server. Change-Id: I76fb1c8ad1b9767638f2aa99cdff4de665d11f77 CRs-Fixed: 1025803, 1063341, 1052935, 1064752, 1063804, 1057269, 1056052, 1038954, 1063858, 1050321, 1064092, 1062722
-rw-r--r--common/audioserver.te3
-rw-r--r--common/cameraserver.te4
-rw-r--r--common/cnd.te5
-rw-r--r--common/dataservice_app.te4
-rw-r--r--common/device.te6
-rw-r--r--common/domain.te2
-rw-r--r--common/dpmd.te5
-rw-r--r--common/file.te2
-rw-r--r--common/file_contexts5
-rw-r--r--common/ims.te5
-rw-r--r--common/ipacm.te4
-rw-r--r--common/location.te5
-rw-r--r--common/location_app.te1
-rw-r--r--common/mdtp.te1
-rwxr-xr-xcommon/mmi.te7
-rw-r--r--common/netmgrd.te2
-rw-r--r--common/port-bridge.te1
-rwxr-xr-x[-rw-r--r--]common/property.te3
-rwxr-xr-x[-rw-r--r--]common/property_contexts3
-rw-r--r--common/qcomsysd.te7
-rw-r--r--common/qfp-daemon.te5
-rw-r--r--common/qlogd.te1
-rw-r--r--common/qseecomd.te3
-rw-r--r--common/qti-logkit.te1
-rw-r--r--common/qti.te5
-rw-r--r--common/radio.te4
-rw-r--r--common/rild.te5
-rw-r--r--common/sensors.te1
-rw-r--r--common/spdaemon.te15
-rwxr-xr-xcommon/ssr_diag.te1
-rw-r--r--common/surfaceflinger.te4
-rw-r--r--common/system_app.te1
-rw-r--r--common/system_server.te3
-rw-r--r--common/te_macros6
-rw-r--r--common/thermal-engine.te4
-rw-r--r--common/time_daemon.te9
-rw-r--r--common/wcnss_filter.te5
-rw-r--r--common/wcnss_service.te3
-rw-r--r--msm8937/idmap.te30
-rw-r--r--msm8937/platform_app.te29
-rw-r--r--msm8937/priv_app.te29
-rw-r--r--msm8937/system_app.te29
-rw-r--r--msm8937/untrusted_app.te30
-rw-r--r--msm8953/idmap.te30
-rw-r--r--msm8953/platform_app.te29
-rw-r--r--msm8953/priv_app.te29
-rw-r--r--msm8953/system_app.te29
-rw-r--r--msm8953/untrusted_app.te30
-rw-r--r--msmcobalt/idmap.te30
-rw-r--r--msmcobalt/platform_app.te29
-rw-r--r--msmcobalt/priv_app.te29
-rw-r--r--msmcobalt/system_app.te4
-rw-r--r--msmcobalt/untrusted_app.te30
-rw-r--r--test/qti-testscripts.te2
54 files changed, 562 insertions, 7 deletions
diff --git a/common/audioserver.te b/common/audioserver.te
index 990e1a1c..a1b74afb 100644
--- a/common/audioserver.te
+++ b/common/audioserver.te
@@ -47,3 +47,6 @@ allow audioserver audio_data_file:dir remove_name;
# Allow audioserver to access sysfs nodes
allow audioserver sysfs:file rw_file_perms;
+userdebug_or_eng(`
+ diag_use(audioserver)
+')
diff --git a/common/cameraserver.te b/common/cameraserver.te
index 8a888601..a0777d79 100644
--- a/common/cameraserver.te
+++ b/common/cameraserver.te
@@ -52,3 +52,7 @@ allow cameraserver sensors_persist_file:dir r_dir_perms;
allow cameraserver sensors_persist_file:file r_file_perms;
allow cameraserver graphics_device:dir r_dir_perms;
allow cameraserver sensorservice_service:service_manager find;
+allow cameraserver system_file:dir r_dir_perms;
+
+#Allows camera to call ADSP QDSP6 functionality
+allow cameraserver qdsp_device:chr_file r_file_perms;
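Review bot: `allow cameraserver system_file:dir r_dir_perms;` carries no comment saying which directory under /system cameraserver needs to list, so the rule cannot be reviewed for scope or retired later; suggest `# cameraserver lists <which /system directory — TODO> for <reason — TODO>` above it. For the qdsp_device rule it is worth saying in the comment that `r_file_perms` (AOSP global_macros) includes `ioctl`, which is the operation that actually reaches the DSP, e.g. `#Allows camera to call ADSP QDSP6 functionality (read + ioctl on the qdsp node)`. Both rules are unconditional, so they apply to user builds as well.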
diff --git a/common/cnd.te b/common/cnd.te
index 44cdb1eb..54be97a1 100644
--- a/common/cnd.te
+++ b/common/cnd.te
@@ -87,3 +87,8 @@ domain_auto_trans(cnd, hostapd_exec, hostapd)
# only allow getopt for appdomain
allow appdomain zygote:unix_dgram_socket getopt;
dontaudit { domain -appdomain } zygote:unix_dgram_socket getopt;
+
+#diag
+userdebug_or_eng(`
+ diag_use(cnd)
+')
diff --git a/common/dataservice_app.te b/common/dataservice_app.te
index db123df8..9c48a601 100644
--- a/common/dataservice_app.te
+++ b/common/dataservice_app.te
@@ -52,3 +52,7 @@ dontaudit dataservice_app domain:dir r_dir_perms;
#allow dpmservice to get running time for apps
r_dir_file(dataservice_app, appdomain)
+
+userdebug_or_eng(`
+ diag_use(dataservice_app)
+')
diff --git a/common/device.te b/common/device.te
index 22e046e4..f1997642 100644
--- a/common/device.te
+++ b/common/device.te
@@ -98,6 +98,12 @@ type sp_ssr_device, dev_type;
# Define sp_keymaster device
type sp_keymaster_device, dev_type;
+# Define cryptoapp device
+type cryptoapp_device, dev_type;
+
+# Define qsee_ipc_irq_spss device
+type qsee_ipc_irq_spss_device, dev_type;
+
# Define QDSS devices
type qdss_device, dev_type;
diff --git a/common/domain.te b/common/domain.te
index e831bb47..8a747e5c 100644
--- a/common/domain.te
+++ b/common/domain.te
@@ -1,5 +1,3 @@
-allow { domain -untrusted_app } diag_device:chr_file rw_file_perms;
-
r_dir_file(domain, sysfs_socinfo);
r_dir_file(domain, sysfs_esoc);
r_dir_file(domain, sysfs_ssr);
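Review bot: Removing the blanket `{ domain -untrusted_app }` diag rule leaves user builds with no diag_device access at all, because every replacement `diag_use(...)` in this commit is wrapped in `userdebug_or_eng` (the one exception, wcnss_service, has its enclosing macro outside its hunk, so it cannot be confirmed here). Any shipped daemon that still opens /dev/diag on user builds will now surface as a denial instead of being silently allowed, so the change should be validated against user-build audit logs before promotion. A short comment at the top of this file, `# diag_device access is granted per-domain via diag_use() in te_macros, userdebug/eng only`, would help the next reader who looks for the old rule.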
diff --git a/common/dpmd.te b/common/dpmd.te
index f94953ee..4b92e91b 100644
--- a/common/dpmd.te
+++ b/common/dpmd.te
@@ -71,3 +71,8 @@ dpmd_socket_perm(netd)
#explicitly allow udp socket permissions for appdomain
allow dpmd appdomain:udp_socket rw_socket_perms;
+
+#diag
+userdebug_or_eng(`
+ diag_use(dpmd)
+')
diff --git a/common/file.te b/common/file.te
index 47ec84f4..29d6a721 100644
--- a/common/file.te
+++ b/common/file.te
@@ -201,3 +201,5 @@ type dynamic_nv_data_file, file_type, data_file_type;
type wififtmd_socket, file_type;
type persist_alarm_file, file_type;
+
+type persist_time_file, file_type;
diff --git a/common/file_contexts b/common/file_contexts
index 88a179ec..d27f2981 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -20,6 +20,8 @@
/dev/sp_kernel u:object_r:skp_device:s0
/dev/sp_ssr u:object_r:sp_ssr_device:s0
/dev/sp_keymaster u:object_r:sp_keymaster_device:s0
+/dev/cryptoapp u:object_r:cryptoapp_device:s0
+/dev/qsee_ipc_irq_spss u:object_r:qsee_ipc_irq_spss_device:s0
/dev/seemplog u:object_r:seemplog_device:s0
/dev/radio0 u:object_r:fm_radio_device:s0
/dev/rtc0 u:object_r:rtc_device:s0
@@ -69,6 +71,9 @@
/dev/qbt1000 u:object_r:qbt1000_device:s0
/dev/at_.* u:object_r:at_device:s0
/dev/sg.* u:object_r:sg_device:s0
+/dev/dri/card0 u:object_r:graphics_device:s0
+/dev/dri/controlD64 u:object_r:graphics_device:s0
+/dev/dri/renderD128 u:object_r:graphics_device:s0
###################################
# Dev block nodes
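Review bot: Labeling `/dev/dri/controlD64` with the same `graphics_device` type as the card and render nodes means every domain that already holds `graphics_device:chr_file` permissions also gains the DRM control node; if only the display stack needs it, a dedicated type for the control node keeps other graphics clients at least privilege. The hard-coded `card0`/`controlD64`/`renderD128` entries also will not match further nodes on parts with more than one DRM device, whereas the file already uses patterns such as `/dev/at_.*`; `/dev/dri/card[0-9]+`-style patterns are the usual form if that is intended. A comment naming the domains expected to open these nodes would make the grant reviewable.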
diff --git a/common/ims.te b/common/ims.te
index 2f74bb7c..68a6a5ac 100644
--- a/common/ims.te
+++ b/common/ims.te
@@ -63,3 +63,8 @@ netmgr_socket(ims);
# Inherit and use open files from radio.
allow ims radio:fd use;
+
+#diag
+userdebug_or_eng(`
+ diag_use(ims)
+')
diff --git a/common/ipacm.te b/common/ipacm.te
index 087092f2..000bfa5e 100644
--- a/common/ipacm.te
+++ b/common/ipacm.te
@@ -12,8 +12,12 @@ net_domain(ipacm)
userdebug_or_eng(`
# Allow using the logging file between ipacm and ipacm-diag
unix_socket_send(ipacm, ipacm, ipacm-diag)
+ diag_use(ipacm-diag)
')
+# Allow capabilities to create netfilter_socket
+allow ipacm self:netlink_netfilter_socket create_socket_perms;
+
# Allow capabilities to perform network operations and interactions with network interfaces
allow ipacm ipacm:capability net_admin;
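Review bot: The comment `# Allow capabilities to create netfilter_socket` misdescribes the rule beneath it, which grants socket-class permissions on `netlink_netfilter_socket`, not a capability; suggest `# Allow ipacm to create and use a netlink netfilter socket (for <purpose — TODO>)`. `netlink_netfilter_socket` is a separate class only on kernels whose SELinux exposes the extended netlink classes; on older kernels these sockets are checked as `netlink_socket`, so confirm the target kernel or the grant is dead. The `diag_use(ipacm-diag)` addition sits inside the existing `userdebug_or_eng` block as expected.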
diff --git a/common/location.te b/common/location.te
index 2dfec3ba..393bae60 100644
--- a/common/location.te
+++ b/common/location.te
@@ -59,3 +59,8 @@ netmgr_socket(location);
#Allow access to properties
set_prop(location, location_prop);
+
+#diag
+userdebug_or_eng(`
+ diag_use(location)
+')
diff --git a/common/location_app.te b/common/location_app.te
index 3fe928a7..799bc4d8 100644
--- a/common/location_app.te
+++ b/common/location_app.te
@@ -9,6 +9,7 @@ userdebug_or_eng(`
net_domain(location_app)
allow location_app { adbd su }:unix_stream_socket connectto;
allow location_app mediaserver_service:service_manager find;
+ diag_use(location_app)
')
allow location_app surfaceflinger_service:service_manager find;
diff --git a/common/mdtp.te b/common/mdtp.te
index 0d1e8511..c0f49e48 100644
--- a/common/mdtp.te
+++ b/common/mdtp.te
@@ -37,6 +37,7 @@ userdebug_or_eng(`
#Needed for kill(pid, 0) existance test
allow mdtpdaemon su:process signull;
allow mdtpdaemon self:capability kill;
+ diag_use(mdtpdaemon)
')
#Allow for transition from init domain to mdtpdaemon
diff --git a/common/mmi.te b/common/mmi.te
index 1a7dc286..05a00828 100755
--- a/common/mmi.te
+++ b/common/mmi.te
@@ -113,3 +113,10 @@ unix_socket_connect(mmi, cnd, cnd);
unix_socket_connect(mmi, dpmwrapper, dpmd);
unix_socket_connect(mmi, netmgrd, netmgrd);
net_domain(mmi);
+
+#allow mmi access boot mode switch
+allow mmi boot_mode_prop:property_service set;
+#diag
+userdebug_or_eng(`
+ diag_use(mmi)
+')
diff --git a/common/netmgrd.te b/common/netmgrd.te
index 052b464e..ff913442 100644
--- a/common/netmgrd.te
+++ b/common/netmgrd.te
@@ -6,6 +6,7 @@ init_daemon_domain(netmgrd)
userdebug_or_eng(`
domain_auto_trans(shell, netmgrd_exec, netmgrd)
domain_auto_trans(adbd, netmgrd_exec, netmgrd)
+ diag_use(netmgrd)
')
#Allow files to be written during the operation of netmgrd
@@ -33,6 +34,7 @@ allow netmgrd netmgrd:socket { create ioctl };
allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write };
unix_socket_connect(netmgrd, property, init)
allow netmgrd self:netlink_generic_socket create_socket_perms;
+allow netmgrd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write };
unix_socket_connect(netmgrd, cnd, cnd);
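Review bot: The added `netlink_tcpdiag_socket` rule grants `nlmsg_write`, which is the permission that lets netmgrd issue SOCK_DESTROY against TCP sockets system-wide, and it has no comment; the justification lives only in the commit subject. Suggest `# tcpdiag nlmsg_write: lets netmgrd destroy stale TCP sockets (SOCK_DESTROY), presumably on network change` above it, and confirm `nlmsg_read` is actually exercised (socket-state dumps) rather than copied along with the write permission. The `diag_use(netmgrd)` in the first hunk is correctly inside `userdebug_or_eng`.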
diff --git a/common/port-bridge.te b/common/port-bridge.te
index 8a74d497..83c993cd 100644
--- a/common/port-bridge.te
+++ b/common/port-bridge.te
@@ -5,6 +5,7 @@ init_daemon_domain(port-bridge)
userdebug_or_eng(`
domain_auto_trans(shell, port-bridge_exec, netmgrd)
domain_auto_trans(adbd, port-bridge_exec, netmgrd)
+ diag_use(port-bridge)
')
# Allow operations on different types of sockets
diff --git a/common/property.te b/common/property.te
index 0ccfff9b..90a55cfd 100644..100755
--- a/common/property.te
+++ b/common/property.te
@@ -41,6 +41,7 @@ type ipacm-diag_prop, property_type;
type sensors_prop, property_type;
type msm_irqbalance_prop, property_type;
type camera_prop, property_type, core_property_type;
+type spcomlib_prop, property_type;
type sdm_idle_time_prop, property_type, core_property_type;
type sf_lcd_density_prop, property_type, core_property_type;
type opengles_prop, property_type, core_property_type;
@@ -90,3 +91,5 @@ type alarm_instance_prop, property_type, core_property_type;
type hwui_prop, property_type, core_property_type;
type graphics_vulkan_prop, property_type, core_property_type;
+#boot mode property
+type boot_mode_prop, property_type;
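Review bot: The index line for this file shows its mode changing from 100644 to 100755, which makes a policy source executable and is almost certainly unintended; the same mode flip happens to common/property_contexts in this commit, and both should go back to 100644. For the new `boot_mode_prop`, the comment `#boot mode property` could say who writes the property and what it controls, since two domains (mmi and qcomsysd) are granted `set` on it in this commit: `# sys.boot_mode: boot-mode switch, settable only by mmi and qcomsysd`.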
diff --git a/common/property_contexts b/common/property_contexts
index e50507a5..ea5bbda5 100644..100755
--- a/common/property_contexts
+++ b/common/property_contexts
@@ -48,6 +48,7 @@ ctl.sensors u:object_r:sensors_prop:s0
ctl.msm_irqbalance u:object_r:msm_irqbalance_prop:s0
camera. u:object_r:camera_prop:s0
persist.camera. u:object_r:camera_prop:s0
+spcomlib. u:object_r:spcomlib_prop:s0
sdm.idle_time u:object_r:sdm_idle_time_prop:s0
ro.sf.lcd_density u:object_r:sf_lcd_density_prop:s0
ro.opengles.version u:object_r:opengles_prop:s0
@@ -81,3 +82,5 @@ ro.alarm_instance u:object_r:alarm_instance_prop:s0
#HWUI Property
ro.hwui.texture_cache_size u:object_r:hwui_prop:s0
persist.graphics.vulkan.disable u:object_r:graphics_vulkan_prop:s0
+#boot mode property
+sys.boot_mode u:object_r:boot_mode_prop:s0
diff --git a/common/qcomsysd.te b/common/qcomsysd.te
index 9215305d..2dbd2cbc 100644
--- a/common/qcomsysd.te
+++ b/common/qcomsysd.te
@@ -21,3 +21,10 @@ allow qcomsysd sysfs_socinfo:file w_file_perms;
allow qcomsysd self:capability { dac_override sys_boot };
use_per_mgr(qcomsysd);
+#allow qcomsysd access boot mode switch
+allow qcomsysd boot_mode_prop:property_service set;
+
+#diag
+userdebug_or_eng(`
+ diag_use(qcomsysd)
+')
diff --git a/common/qfp-daemon.te b/common/qfp-daemon.te
index ccd60240..f7ddb32f 100644
--- a/common/qfp-daemon.te
+++ b/common/qfp-daemon.te
@@ -66,3 +66,8 @@ allow qfp-daemon sensors:unix_stream_socket connectto;
# Allow listing input devices and sending input events
allow qfp-daemon input_device:chr_file rw_file_perms;
allow qfp-daemon input_device:dir r_dir_perms;
+
+#diag
+userdebug_or_eng(`
+ diag_use(qfp-daemon)
+')
diff --git a/common/qlogd.te b/common/qlogd.te
index ed51cddd..4740e58b 100644
--- a/common/qlogd.te
+++ b/common/qlogd.te
@@ -50,6 +50,7 @@ userdebug_or_eng(`
allow qlogd sysfs:file w_file_perms;
r_dir_file(qlogd, storage_file)
r_dir_file(qlogd, mnt_user_file)
+ diag_use(qlogd)
')
# need for capture adb logs
diff --git a/common/qseecomd.te b/common/qseecomd.te
index 6f21134b..a2118202 100644
--- a/common/qseecomd.te
+++ b/common/qseecomd.te
@@ -71,6 +71,9 @@ allow tee system_prop:property_service set;
allow tee qfp-daemon_data_file:dir create_dir_perms;
allow tee qfp-daemon_data_file:file create_file_perms;
+# Allow access to qsee_ipc_irq_spss device
+allow tee qsee_ipc_irq_spss_device:chr_file rw_file_perms;
+
#allow access to fingerprintd data file
allow tee fingerprintd_data_file:dir create_dir_perms;
allow tee fingerprintd_data_file:file create_file_perms;
diff --git a/common/qti-logkit.te b/common/qti-logkit.te
index db03c406..b1f9d552 100644
--- a/common/qti-logkit.te
+++ b/common/qti-logkit.te
@@ -64,6 +64,7 @@ userdebug_or_eng(`
# tcpdump
allow qti_logkit self:packet_socket create_socket_perms;
allow qti_logkit self:capability net_raw;
+ diag_use(qti_logkit)
')
binder_use(qti_logkit)
diff --git a/common/qti.te b/common/qti.te
index 5b4827e4..921f083e 100644
--- a/common/qti.te
+++ b/common/qti.te
@@ -28,3 +28,8 @@ allow qti self:{
} create_socket_perms;
allow qti { shell_exec system_file }:file rx_file_perms;
+
+#diag
+userdebug_or_eng(`
+ diag_use(qti)
+')
diff --git a/common/radio.te b/common/radio.te
index 4010500c..fcec958d 100644
--- a/common/radio.te
+++ b/common/radio.te
@@ -15,3 +15,7 @@ allow radio uce_service:service_manager { add find };
allow radio self:socket create_socket_perms;
allow radio { cameraserver_service mediaextractor_service mediacodec_service }:service_manager find;
+#diag
+userdebug_or_eng(`
+ diag_use(radio)
+')
diff --git a/common/rild.te b/common/rild.te
index 62668a21..6d1fe057 100644
--- a/common/rild.te
+++ b/common/rild.te
@@ -30,3 +30,8 @@ allow rild { mediaserver_service audioserver_service }:service_manager find;
# Rule for RILD to talk to peripheral manager
use_per_mgr(rild);
+
+#diag
+userdebug_or_eng(`
+ diag_use(rild)
+')
diff --git a/common/sensors.te b/common/sensors.te
index 9e3cbdb4..3039434b 100644
--- a/common/sensors.te
+++ b/common/sensors.te
@@ -58,6 +58,7 @@ allow sensors device_latency:chr_file w_file_perms;
# Access to tests from userdebug/eng builds
userdebug_or_eng(`
domain_auto_trans(shell, sensors_exec, sensors)
+ diag_use(sensors)
')
binder_use(sensors)
diff --git a/common/spdaemon.te b/common/spdaemon.te
index 1a2d6840..0a78b9c8 100644
--- a/common/spdaemon.te
+++ b/common/spdaemon.te
@@ -27,6 +27,7 @@
# spdaemon service
type spdaemon, domain;
+
type spdaemon_exec, exec_type, file_type;
init_daemon_domain(spdaemon)
@@ -43,6 +44,9 @@ allow spdaemon sp_ssr_device:chr_file rw_file_perms;
# Allow access to sp_keymaster device
allow spdaemon sp_keymaster_device:chr_file rw_file_perms;
+# Allow access to cryptoapp device
+allow spdaemon cryptoapp_device:chr_file rw_file_perms;
+
# Allow access to ion device
allow spdaemon ion_device:chr_file rw_file_perms;
@@ -56,5 +60,12 @@ allow spdaemon spss_data_file:file r_file_perms;
# Allow check SPSS Apps images stat()
allow spdaemon spss_data_file:file getattr;
-# Allow set system prop
-allow spdaemon system_prop:property_service set;
+# Allow get system info
+r_dir_file(spdaemon, sysfs)
+
+# Allow SPSS-PIL via Peripheral Manager
+binder_use(spdaemon)
+use_per_mgr(spdaemon)
+
+# Allow set/get prop to set/check if app is loaded
+set_prop(spdaemon, spcomlib_prop)
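Review bot: `r_dir_file(spdaemon, sysfs)` grants read access to the whole sysfs tree under the comment `# Allow get system info`, which is far broader than the rest of this file, where every rule names a specific device type. If spdaemon reads a particular node it should get its own type, as `sysfs_socinfo` does for domain.te, and the comment should name it: `# Allow reading <sysfs node — TODO> to get system info`. Replacing the generic `system_prop` set with the dedicated `spcomlib_prop` is a good tightening and needs no change.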
diff --git a/common/ssr_diag.te b/common/ssr_diag.te
index 956d0b01..f04ab537 100755
--- a/common/ssr_diag.te
+++ b/common/ssr_diag.te
@@ -4,4 +4,5 @@ init_daemon_domain(ssr_diag);
userdebug_or_eng(`
allow ssr_diag sysfs:file w_file_perms;
+ diag_use(ssr_diag)
')
diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te
index 9baa3a04..0a8ae6de 100644
--- a/common/surfaceflinger.te
+++ b/common/surfaceflinger.te
@@ -37,3 +37,7 @@ binder_call(surfaceflinger, mmi)
#Allow access to cameraserver service
allow surfaceflinger cameraserver_service:service_manager find;
+#diag
+userdebug_or_eng(`
+ diag_use(surfaceflinger)
+')
diff --git a/common/system_app.te b/common/system_app.te
index fdfa00b3..255e5664 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -63,6 +63,7 @@ userdebug_or_eng(`
# Access to tombstone segfaults
allow system_app tombstone_data_file:dir r_dir_perms;
allow system_app tombstone_data_file:file r_file_perms;
+ diag_use(system_app)
')
allow system_app cnd_data_file:dir w_dir_perms;
diff --git a/common/system_server.te b/common/system_server.te
index 2d6c41be..0081be89 100644
--- a/common/system_server.te
+++ b/common/system_server.te
@@ -157,3 +157,6 @@ allow system_server system_file:system module_load;
allow system_server persist_alarm_file:dir rw_dir_perms;
allow system_server persist_alarm_file:file { rw_file_perms create };
+userdebug_or_eng(`
+ diag_use(system_server)
+')
diff --git a/common/te_macros b/common/te_macros
index e232bb5a..4fd7b62b 100644
--- a/common/te_macros
+++ b/common/te_macros
@@ -53,3 +53,9 @@ allow dpmd $1:file r_file_perms;
allow dpmd $1:fd use;
allow dpmd $1:tcp_socket rw_socket_perms;
')
+#####################################
+# diag_use(clientdomain)
+# allow clientdomain to read/write to diag
+define(`diag_use', `
+allow $1 diag_device:chr_file rw_file_perms;
+')
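Review bot: The header for `diag_use` does not state that it is meant to be invoked only inside `userdebug_or_eng(...)`, which is how every call site in this commit uses it; without that note the macro invites an unguarded call that would reopen /dev/diag on user builds. Suggest extending the comment to `# allow clientdomain to read/write to diag; callers must wrap this in userdebug_or_eng so diag is never exposed on user builds`. The macro body grants exactly what the removed domain.te rule granted, so the rule itself needs no change.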
diff --git a/common/thermal-engine.te b/common/thermal-engine.te
index ac9db22e..b347958f 100644
--- a/common/thermal-engine.te
+++ b/common/thermal-engine.te
@@ -48,3 +48,7 @@ unix_socket_connect(thermal-engine, mpctl, mpdecision)
#This is to allow access to uio device
allow thermal-engine uio_device:chr_file rw_file_perms;
+
+userdebug_or_eng(`
+ diag_use(thermal-engine)
+')
diff --git a/common/time_daemon.te b/common/time_daemon.te
index 5f64ec5f..20d9dbf5 100644
--- a/common/time_daemon.te
+++ b/common/time_daemon.te
@@ -16,4 +16,13 @@ allow time_daemon time_data_file:dir w_dir_perms;
allow time_daemon self:socket create_socket_perms;
allow time_daemon self:capability { setuid setgid sys_time };
+allow time_daemon persist_time_file:file create_file_perms;
+allow time_daemon persist_time_file:dir w_dir_perms;
+
+allow time_daemon persist_file:dir search;
+
r_dir_file(time_daemon, sysfs_esoc);
+
+userdebug_or_eng(`
+ diag_use(time_daemon)
+')
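Review bot: `persist_time_file` is given `file create_file_perms` and `dir w_dir_perms` here, but the only labeling change in this commit (common/file_contexts) adds device nodes, so nothing in this diff assigns the new type to a path under /persist; unless a file_contexts entry exists in a file outside this commit, these rules match nothing and time_daemon will keep hitting `persist_file` denials. Add the corresponding entry, `/persist/<time directory — TODO>(/.*)? u:object_r:persist_time_file:s0`, or note in this file where the labeling lives. The `persist_file:dir search` rule is the right minimal grant for traversing to that directory.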
diff --git a/common/wcnss_filter.te b/common/wcnss_filter.te
index 9e811456..7d84a76e 100644
--- a/common/wcnss_filter.te
+++ b/common/wcnss_filter.te
@@ -49,3 +49,8 @@ r_dir_file(wcnss_filter, bt_firmware_file)
# Data file accesses.
allow wcnss_filter bluetooth_data_file:dir create_dir_perms;
allow wcnss_filter bluetooth_data_file:notdevfile_class_set create_file_perms;
+
+#diag
+userdebug_or_eng(`
+ diag_use(wcnss_filter)
+')
diff --git a/common/wcnss_service.te b/common/wcnss_service.te
index 0ceec433..05b31d40 100644
--- a/common/wcnss_service.te
+++ b/common/wcnss_service.te
@@ -48,7 +48,8 @@ allow wcnss_service dynamic_nv_data_file:dir r_dir_perms;
# This is needed for ptt_socket app to write logs file collected to sdcard
r_dir_file(wcnss_service, storage_file)
r_dir_file(wcnss_service, mnt_user_file)
+diag_use(wcnss_service)
')
binder_use(wcnss_service)
-use_per_mgr(wcnss_service) \ No newline at end of file
+use_per_mgr(wcnss_service)
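Review bot: `diag_use(wcnss_service)` on the added line is the only call in this commit that is not indented inside its block, and the macro closed by the `')` on the next line opens outside this hunk, so it cannot be seen here whether the call is gated by `userdebug_or_eng`. If it is, indent it to match the other call sites (` diag_use(wcnss_service)`); if it is not, this domain silently keeps diag access on user builds, which the rest of the commit removes. The trailing-newline fix on `use_per_mgr(wcnss_service)` is fine.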
diff --git a/msm8937/idmap.te b/msm8937/idmap.te
new file mode 100644
index 00000000..84b11e8f
--- /dev/null
+++ b/msm8937/idmap.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow idmap oemfs:file r_file_perms;
+allow idmap oemfs:dir r_dir_perms;
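Review bot: The new `idmap.te`, `platform_app.te`, `priv_app.te` and `untrusted_app.te` files under msm8937 have the same blob hashes as the msm8953 copies visible further down (e.g. 84b11e8f for idmap.te), and the diffstat suggests msmcobalt receives the same set, so this is triplicated policy that will drift; if oemfs is present on all three targets the rules belong once under common/. The `#for oemfs` comment says nothing about why, while the commit subject ties this to carrier switching; `# oemfs (carrier-switch overlays): idmap reads overlay files and directories` would make the grant reviewable. The untrusted_app rule, `oemfs:lnk_file { read getattr }`, is a narrow symlink-follow permission, but it is still a new rule for untrusted apps and deserves that justification in its own file rather than an unexplained comment.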
diff --git a/msm8937/platform_app.te b/msm8937/platform_app.te
new file mode 100644
index 00000000..919f16f5
--- /dev/null
+++ b/msm8937/platform_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow platform_app oemfs:lnk_file { read getattr };
diff --git a/msm8937/priv_app.te b/msm8937/priv_app.te
new file mode 100644
index 00000000..203ed549
--- /dev/null
+++ b/msm8937/priv_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow priv_app oemfs:lnk_file { read getattr };
diff --git a/msm8937/system_app.te b/msm8937/system_app.te
new file mode 100644
index 00000000..10c8adac
--- /dev/null
+++ b/msm8937/system_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow system_app oemfs:lnk_file { read getattr };
diff --git a/msm8937/untrusted_app.te b/msm8937/untrusted_app.te
new file mode 100644
index 00000000..e8b029e1
--- /dev/null
+++ b/msm8937/untrusted_app.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# for oemfs
+allow untrusted_app oemfs:lnk_file { read getattr };
diff --git a/msm8953/idmap.te b/msm8953/idmap.te
new file mode 100644
index 00000000..84b11e8f
--- /dev/null
+++ b/msm8953/idmap.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow idmap oemfs:file r_file_perms;
+allow idmap oemfs:dir r_dir_perms;
diff --git a/msm8953/platform_app.te b/msm8953/platform_app.te
new file mode 100644
index 00000000..919f16f5
--- /dev/null
+++ b/msm8953/platform_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow platform_app oemfs:lnk_file { read getattr };
diff --git a/msm8953/priv_app.te b/msm8953/priv_app.te
new file mode 100644
index 00000000..203ed549
--- /dev/null
+++ b/msm8953/priv_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow priv_app oemfs:lnk_file { read getattr };
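Review bot: `allow priv_app oemfs:lnk_file { read getattr };` is the fourth identical grant in this commit (untrusted_app, platform_app, priv_app, system_app), so the effective policy is "every app domain except isolated_app and shell may resolve oemfs symlinks"; if that is the intent it should be stated in one place, but do not collapse these into a single `appdomain` rule, since that would also pull in isolated_app. A purpose comment would help a later reviewer judge whether priv_app actually needs this or was just copied along, e.g. `# priv_app resolves oemfs symlinks only; no oemfs file/dir access is granted`.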
diff --git a/msm8953/system_app.te b/msm8953/system_app.te
new file mode 100644
index 00000000..10c8adac
--- /dev/null
+++ b/msm8953/system_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow system_app oemfs:lnk_file { read getattr };
diff --git a/msm8953/untrusted_app.te b/msm8953/untrusted_app.te
new file mode 100644
index 00000000..e8b029e1
--- /dev/null
+++ b/msm8953/untrusted_app.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# for oemfs
+allow untrusted_app oemfs:lnk_file { read getattr };
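Review bot: `allow untrusted_app oemfs:lnk_file { read getattr };` lets every third-party app readlink() and follow any symlink labeled oemfs, so the link targets become discoverable by untrusted code; the hunk does not show what is on oemfs, so confirm that nothing those links point at is labeled with a type untrusted_app can already read, because the target's own label is the only remaining gate. It is good that no `oemfs:file` or `oemfs:dir` permission is granted to untrusted_app here — that boundary should stay, and if only a few links need to be resolvable, a separate type for those links would avoid exposing every oemfs symlink. `# for oemfs` should record that boundary explicitly, e.g. `# Untrusted apps may only resolve oemfs symlinks; file/dir access on oemfs is intentionally not granted`.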
diff --git a/msmcobalt/idmap.te b/msmcobalt/idmap.te
new file mode 100644
index 00000000..84b11e8f
--- /dev/null
+++ b/msmcobalt/idmap.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow idmap oemfs:file r_file_perms;
+allow idmap oemfs:dir r_dir_perms;
diff --git a/msmcobalt/platform_app.te b/msmcobalt/platform_app.te
new file mode 100644
index 00000000..919f16f5
--- /dev/null
+++ b/msmcobalt/platform_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow platform_app oemfs:lnk_file { read getattr };
diff --git a/msmcobalt/priv_app.te b/msmcobalt/priv_app.te
new file mode 100644
index 00000000..203ed549
--- /dev/null
+++ b/msmcobalt/priv_app.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#for oemfs
+allow priv_app oemfs:lnk_file { read getattr };
diff --git a/msmcobalt/system_app.te b/msmcobalt/system_app.te
index a5dac529..d11659b6 100644
--- a/msmcobalt/system_app.te
+++ b/msmcobalt/system_app.te
@@ -25,4 +25,6 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-binder_call(system_app, qvop) \ No newline at end of file
+binder_call(system_app, qvop)
+#for oemfs
+allow system_app oemfs:lnk_file { read getattr };
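Review bot: The new `allow system_app oemfs:lnk_file { read getattr };` is appended straight after `binder_call(system_app, qvop)` with no blank line, and `#for oemfs` gives no reason for the grant; add a separating blank line and a purpose comment such as `# system_app resolves oemfs symlinks; oemfs file/dir access is not granted here`. Fixing the missing trailing newline on the binder_call line is fine, but keep it as a separate concern in the comment so the oemfs rule is not read as part of the qvop change. The msm8953 system_app.te added in this same commit carries the identical rule, so both files should end up with the same explanatory comment.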
diff --git a/msmcobalt/untrusted_app.te b/msmcobalt/untrusted_app.te
new file mode 100644
index 00000000..e8b029e1
--- /dev/null
+++ b/msmcobalt/untrusted_app.te
@@ -0,0 +1,30 @@
+# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# for oemfs
+allow untrusted_app oemfs:lnk_file { read getattr };
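Review bot: This msmcobalt/untrusted_app.te is byte-identical to the msm8953 copy (both show blob 00000000..e8b029e1), and the same holds for the new idmap.te, platform_app.te and priv_app.te pairs, so the oemfs rules for each domain are now maintained in two places; if this tree has a directory for policy shared across targets, these belong there so that a later tightening is not applied to one SoC and missed on the other. Security-wise it is the same widening as the msm8953 file: untrusted_app can readlink every oemfs symlink, and the targets' own labels are what keeps the rest of oemfs out of reach. The comment `# for oemfs` should spell out that boundary, e.g. `# Untrusted apps may only resolve oemfs symlinks (no oemfs file/dir access)`.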
diff --git a/test/qti-testscripts.te b/test/qti-testscripts.te
index 380af29f..4d3eadfd 100644
--- a/test/qti-testscripts.te
+++ b/test/qti-testscripts.te
@@ -78,5 +78,5 @@ userdebug_or_eng(`
binder_call({ domain -init -netd }, qti-testscripts)
allow domain qti-testscripts:fifo_file { write getattr };
allow domain qti-testscripts:process sigchld;
-
+ diag_use(radio)
')
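Review bot: `diag_use(radio)` is being placed inside the `userdebug_or_eng(` block of test/qti-testscripts.te, a file about the test-scripts domain, so a reader of radio's own policy file will not see that radio gains diag access on debug builds; it is also indented with a single space while the surrounding lines are not. If the intent is that radio reaches diag only on userdebug/eng builds (assuming `diag_use` is the macro this commit's restriction introduces — its definition is not in view), move the line to radio.te under its own `userdebug_or_eng` guard with a comment such as `# Debug builds only: radio may use diag; user builds must not reach the diag device`. The `userdebug_or_eng(` block begins outside this hunk, so verify the closing `')` still balances after the move.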