diff --git a/surfaceflinger.te b/surfaceflinger.te
index aa63e6bffb16df9328b4d41af49690d27962bd82..f0c5d8efde118f9d5d063e1a0b82e6a633571309 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -1,9 +1,35 @@
 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
+permissive surfaceflinger;
 type surfaceflinger_exec, exec_type, file_type;
 
 init_daemon_domain(surfaceflinger)
-unconfined_domain(surfaceflinger)
+typeattribute surfaceflinger mlstrustedsubject;
 
 # Talk to init over the property socket.
 unix_socket_connect(surfaceflinger, property, init)
+
+# Perform Binder IPC.
+binder_use(surfaceflinger)
+binder_call(surfaceflinger, system_server)
+binder_service(surfaceflinger)
+allow surfaceflinger init:binder transfer;
+
+# Access /dev/graphics/fb0.
+allow surfaceflinger graphics_device:dir search;
+allow surfaceflinger graphics_device:chr_file rw_file_perms;
+
+# Access /dev/video1.
+allow surfaceflinger video_device:chr_file rw_file_perms;
+
+# Create and use netlink kobject uevent sockets.
+allow surfaceflinger self:netlink_kobject_uevent_socket *;
+
+# Set properties.
+allow surfaceflinger system_prop:property_service set;
+allow surfaceflinger ctl_default_prop:property_service set;
+
+# Use open files supplied by an app.
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger platform_app_data_file:file { read write };
+allow surfaceflinger app_data_file:file { read write };