diff --git a/dumpstate.te b/dumpstate.te
index 76887af61a81bd5eba1ec5a0ed6ef814869b4c35..318755528e663ff839d78d85c07c5067f033cdd4 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -87,6 +87,9 @@ domain_auto_trans(dumpstate, vdc_exec, vdc)
 # TODO: create a new file class, instead of allowing write access to all of /sys
 allow dumpstate sysfs:file w_file_perms;
 
+# TODO: added to match above sysfs rule. Remove me?
+allow dumpstate sysfs_usb:file w_file_perms;
+
 # Other random bits of data we want to collect
 allow dumpstate qtaguid_proc:file r_file_perms;
 allow dumpstate debugfs:file r_file_perms;
@@ -145,14 +148,6 @@ allow dumpstate cache_recovery_file:file r_file_perms;
 allow dumpstate recovery_data_file:dir r_dir_perms;
 allow dumpstate recovery_data_file:file r_file_perms;
 
-# Access /data/misc/profiles/{cur,ref}/
-userdebug_or_eng(`
-  allow dumpstate user_profile_data_file:dir r_dir_perms;
-  allow dumpstate user_profile_data_file:file r_file_perms;
-  allow dumpstate user_profile_foreign_dex_data_file:dir r_dir_perms;
-  allow dumpstate user_profile_foreign_dex_data_file:file r_file_perms;
-')
-
 # Access /data/misc/logd
 userdebug_or_eng(`
   allow dumpstate misc_logd_file:dir r_dir_perms;
diff --git a/healthd.te b/healthd.te
index f54d716a9b0ca34452b820657b19a0160fee9cee..2658ef84c2ae3e3a0447628469b1bcec847959c7 100644
--- a/healthd.te
+++ b/healthd.te
@@ -19,6 +19,9 @@ binder_call(healthd, system_server)
 # TODO:  Split into a separate type?
 allow healthd sysfs:file write;
 
+# TODO: added to match above sysfs rule. Remove me?
+allow healthd sysfs_usb:file write;
+
 allow healthd sysfs_batteryinfo:file r_file_perms;
 
 ###
diff --git a/installd.te b/installd.te
index f7f7409e25f699224e8582b94f6ce42a8ad27a2a..e832e9238bf4a5539bf747ae91d9c443d5e83cb4 100644
--- a/installd.te
+++ b/installd.te
@@ -117,6 +117,9 @@ allow installd user_profile_data_file:dir create_dir_perms;
 allow installd user_profile_data_file:file create_file_perms;
 allow installd user_profile_data_file:dir rmdir;
 allow installd user_profile_data_file:file unlink;
+allow installd user_profile_foreign_dex_data_file:dir { add_name getattr rmdir open read write search remove_name };
+allow installd user_profile_foreign_dex_data_file:file { getattr rename unlink };
+
 # Files created/updated by profman dumps.
 allow installd profman_dump_data_file:dir { search add_name write };
 allow installd profman_dump_data_file:file { create setattr open write };
diff --git a/lmkd.te b/lmkd.te
index 7920aee28f411228009056032b741abf270d2002..570cbcab268c66610e86e69c178c2a2f1ac39d55 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -22,6 +22,7 @@ r_dir_file(lmkd, system_server)
 allow lmkd system_server:file write;
 
 ## Writes to /sys/module/lowmemorykiller/parameters/minfree
+r_dir_file(lmkd, sysfs_type)
 allow lmkd sysfs_lowmemorykiller:file w_file_perms;
 
 # Send kill signals
diff --git a/netd.te b/netd.te
index 0d9c047a4c17c168df36b564803012c76fd1e765..9b44e4bdfe192d19b871dc050b013d74947479f9 100644
--- a/netd.te
+++ b/netd.te
@@ -32,6 +32,9 @@ allow netd proc_net:file write;
 # XXX Split into its own type.
 allow netd sysfs:file write;
 
+# TODO: added to match above sysfs rule. Remove me?
+allow netd sysfs_usb:file write;
+
 # Needed to update /data/misc/wifi/hostapd.conf
 # TODO: See what we can do to reduce the need for
 # these capabilities
diff --git a/nfc.te b/nfc.te
index 2ca43dddfd292be7fb56445c1b5cdc5a2d907b97..5b7f4b9f08dfb7c589967626fb0e5e341f28c6d0 100644
--- a/nfc.te
+++ b/nfc.te
@@ -17,6 +17,9 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
 allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
 
+# TODO: added to match above sysfs rule. Remove me?
+allow nfc sysfs_usb:file write;
+
 # SoundPool loading and playback
 allow nfc mediaserver_service:service_manager find;
 allow nfc audioserver_service:service_manager find;
diff --git a/radio.te b/radio.te
index c4df1f7d11dbb960d9ad6b626c719b9bee68736d..591c3bc0311bbc4956cd84e38175b045e94da3d3 100644
--- a/radio.te
+++ b/radio.te
@@ -31,6 +31,7 @@ allow radio audioserver_service:service_manager find;
 allow radio cameraserver_service:service_manager find;
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
+allow radio nfc_service:service_manager find;
 allow radio radio_service:service_manager { add find };
 allow radio surfaceflinger_service:service_manager find;
 allow radio app_api_service:service_manager find;
diff --git a/system_server.te b/system_server.te
index 946657bb1c1cc5ea9f684f3a7a7861b31d395ee2..77e1436b195fcde743e85300c091c1d1cce59d40 100644
--- a/system_server.te
+++ b/system_server.te
@@ -186,6 +186,9 @@ allow system_server sysfs_mac_address:file r_file_perms;
 allow system_server sysfs_thermal:dir search;
 allow system_server sysfs_thermal:file r_file_perms;
 
+# TODO: added to match above sysfs rule. Remove me?
+allow system_server sysfs_usb:file w_file_perms;
+
 # Access devices.
 allow system_server device:dir r_dir_perms;
 allow system_server mdns_socket:sock_file rw_file_perms;
diff --git a/ueventd.te b/ueventd.te
index ec7e9a1acfcad36978e0cbd4a8010710fd9aedff..569585dbbc06de58d339be44429efe778ecae23e 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -12,6 +12,7 @@ allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio da
 allow ueventd device:file create_file_perms;
 allow ueventd device:chr_file rw_file_perms;
 allow ueventd sysfs:file rw_file_perms;
+allow ueventd sysfs_usb:file w_file_perms;
 allow ueventd sysfs_hwrandom:file w_file_perms;
 allow ueventd sysfs_zram_uevent:file w_file_perms;
 allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
diff --git a/vold.te b/vold.te
index 75b6f36660954f759629a1a5fcbd91c7872b1b15..81ed18b55b71e52e3b2de796d51a5e67a0d3bfe2 100644
--- a/vold.te
+++ b/vold.te
@@ -90,6 +90,9 @@ allow vold self:capability { sys_ptrace kill };
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
 
+# TODO: added to match above sysfs rule. Remove me?
+allow vold sysfs_usb:file w_file_perms;
+
 allow vold kmsg_device:chr_file rw_file_perms;
 
 # Run fsck in the fsck domain.