diff --git a/app.te b/app.te
index 9adb86a809ae6f5b533c73b8ca7ce33e0c6d3ab7..2589f660b904cfdac6fbeb4ce7c738480e2d1167 100644
--- a/app.te
+++ b/app.te
@@ -42,7 +42,7 @@ allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
 allow appdomain appdomain:fifo_file rw_file_perms;
 
 # Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
@@ -69,7 +69,7 @@ allow appdomain anr_data_file:file { open append };
 
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
 allow appdomain shell_data_file:file { write getattr };
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
@@ -89,14 +89,11 @@ binder_call(appdomain, binderservicedomain)
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)
 
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services
 # are examined.
-allow appdomain isolated_app:unix_stream_socket { read write };
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
 
 # Backup ability for every app. BMS opens and passes the fd
 # to any app that has backup ability. Hence, no open permissions here.
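Review bot: The comment above the replacement rule is now stale: it still describes isolated-app/Chrome socket passing, but the new rule `allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };` covers every app domain talking to every other app domain, not just `isolated_app`. Because no `connectto` or `sock_file` permission is granted here, this remains an fd-passing grant rather than a new connection path, but the widening from `isolated_app` to all of `appdomain` should be stated explicitly so the next reader does not assume it is scoped to isolated services. Suggested replacement for the first comment line: `# Already connected, unnamed sockets passed between any two app domains over`, followed by the existing text about no sock_file/connectto permission and the Chrome/isolated-service origin of the rule.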
@@ -112,6 +109,10 @@ allow appdomain download_file:file r_file_perms;
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
 allow appdomain media_rw_data_file:file { read getattr };
 
+# Access SDcard.
+allow appdomain sdcard_type:dir create_dir_perms;
+allow appdomain sdcard_type:file create_file_perms;
+
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #
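Review bot: Granting `sdcard_type` create access on `appdomain` also covers `isolated_app`, which is declared via `app_domain(isolated_app)` in isolated_app.te and had no sdcard rules before this change, while the per-domain rules being removed (untrusted_app, nfc, platformappdomain, bluetooth) never included it. If the intent is that isolated processes stay out of the sdcard via DAC (no sdcard_rw group), the consolidated rule should say so, e.g. `# Access SDcard. Covers isolated_app as well; DAC group membership is what actually gates sdcard writes.`; if not, these two lines belong on the individual domains rather than on `appdomain`. Either way the bare `# Access SDcard.` comment undersells a grant that now applies to every app process.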
diff --git a/bluetooth.te b/bluetooth.te
index c63dc02e19c109911a2a844d7d03fa1f6ccd6ca7..75b0c9759335cf91f753ce0004e8db693544e307 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -43,10 +43,6 @@ unix_socket_connect(bluetooth, property, init)
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 
-# bluetooth file transfers
-allow bluetooth sdcard_internal:dir create_dir_perms;
-allow bluetooth sdcard_internal:file create_file_perms;
-
 # Allow write access to bluetooth specific properties
 allow bluetooth bluetooth_prop:property_service set;
 
diff --git a/isolated_app.te b/isolated_app.te
index 7e51d309c996dbba6e26e157dbe190025f655d90..4745d7e395f97259a4f6173da83ea5778a14ffaf 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -12,12 +12,3 @@
 type isolated_app, domain;
 app_domain(isolated_app)
 net_domain(isolated_app)
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow isolated_app appdomain:unix_stream_socket { read write };
-
-allow isolated_app dalvikcache_data_file:file execute;
-allow isolated_app apk_data_file:dir getattr;
diff --git a/media_app.te b/media_app.te
index 65f38636b0e11c7297556a0325769f54d8eab1c2..099e0a6ff8def1101b19ccc69260a2c6137b8b66 100644
--- a/media_app.te
+++ b/media_app.te
@@ -10,20 +10,15 @@ binder_service(media_app)
 net_domain(media_app)
 # Access /dev/mtp_usb.
 allow media_app mtp_device:chr_file rw_file_perms;
-# Write to /cache.
-allow media_app cache_file:dir rw_dir_perms;
-allow media_app cache_file:file create_file_perms;
-# Stat /cache/lost+found
-allow media_app unlabeled:file getattr;
-allow media_app unlabeled:dir getattr;
 # Stat /cache/backup
 allow media_app cache_backup_file:file getattr;
 allow media_app cache_backup_file:dir getattr;
-# Read files in the rootdir (in particular, file_contexts for restorecon).
-allow media_app rootfs:file r_file_perms;
+# Create download files.
 allow media_app download_file:dir rw_dir_perms;
 allow media_app download_file:file create_file_perms;
 # Allow platform apps to mark platform app data files as download files
 relabelto_domain(media_app)
 allow media_app platform_app_data_file:dir relabelfrom;
 allow media_app download_file:dir relabelto;
+
+# inherits from platformappdomain.te
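Review bot: The `rootfs:file r_file_perms` rule (read of file_contexts for restorecon) is removed while the `relabelto_domain(media_app)`, `platform_app_data_file:dir relabelfrom` and `download_file:dir relabelto` rules are kept, so media_app is still expected to relabel files but no longer has a visible way to read the contexts it needs for that; unless a domain-wide rootfs read exists outside this diff, the relabel will fail at runtime. The `unlabeled:file`/`unlabeled:dir getattr` rules for /cache/lost+found are likewise dropped with no replacement in the new platformappdomain.te. Either restore the rootfs read here, or note where it is inherited from, e.g. `# rootfs read (file_contexts) and /cache access come from platformappdomain/domain rules.`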
diff --git a/nfc.te b/nfc.te
index 0522c52a99042afdb564d1f01187adc2a78fa13c..0968c3513d135f0596ae06357d79852bb024b28a 100644
--- a/nfc.te
+++ b/nfc.te
@@ -13,6 +13,3 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
 
 allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
-
-allow nfc sdcard_type:dir create_dir_perms;
-allow nfc sdcard_type:file create_file_perms;
diff --git a/platform_app.te b/platform_app.te
index bbbc0f7e6c2b56623573744e7a4820f05f73b7e1..ea49c00c2e6b3ad5b95d4295067e8441acb4d6b2 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -10,10 +10,7 @@ platform_app_domain(platform_app)
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-# Write to /cache.
-allow platform_app cache_file:dir rw_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-# Read from /data/local.
+# Read from /data/local/tmp or /data/data/com.android.shell.
 allow platform_app shell_data_file:dir search;
 allow platform_app shell_data_file:file { open getattr read };
 allow platform_app shell_data_file:lnk_file read;
@@ -26,20 +23,5 @@ allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
 # Access download files.
 allow platform_app download_file:file rw_file_perms;
-# Allow BackupManagerService to backup all app domains
-allow platform_app appdomain:fifo_file write;
 
-#
-# Rules for all platform app domains.
-#
-
-# App sandbox file accesses.
-allow platformappdomain platform_app_data_file:dir create_dir_perms;
-allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
-allow platformappdomain platform_app_data_file:file execute;
-# App sdcard file accesses
-allow platformappdomain sdcard_type:dir create_dir_perms;
-allow platformappdomain sdcard_type:file create_file_perms;
-# Access to /data/media.
-allow platformappdomain media_rw_data_file:dir create_dir_perms;
-allow platformappdomain media_rw_data_file:file create_file_perms;
+# inherits from platformappdomain.te
diff --git a/platformappdomain.te b/platformappdomain.te
new file mode 100644
index 0000000000000000000000000000000000000000..701a63694699c1b1f29b8debe29a49500d68f942
--- /dev/null
+++ b/platformappdomain.te
@@ -0,0 +1,21 @@
+#
+# Rules for all platform app domains.
+# These rules are inherited by any domain that includes platform_app_domain().
+# Presently this consists of the four app domains corresponding to apps
+# signed by one of the four build keys: platform_app, shared_app, media_app,
+# release_app.  These app domains use platform_app_data_file rather
+# than app_data_file for their /data/data directories (as specified via
+# type= in seapp_contexts) and have greater permissions to specific
+# directories owned by groups that are restricted to apps with
+# Android permissions that are signature|system.
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir create_dir_perms;
+allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+allow platformappdomain platform_app_data_file:file execute;
+# Access to /data/media.
+allow platformappdomain media_rw_data_file:dir create_dir_perms;
+allow platformappdomain media_rw_data_file:file create_file_perms;
+# Write to /cache.
+allow platformappdomain cache_file:dir create_dir_perms;
+allow platformappdomain cache_file:file create_file_perms;
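Review bot: The consolidated /cache rule widens directory access: the per-domain rules being removed from media_app.te, platform_app.te and release_app.te all used `allow <domain> cache_file:dir rw_dir_perms;`, whereas this file grants `cache_file:dir create_dir_perms`, which additionally allows creating, removing and renaming directories under /cache for all four platform app domains (and now shared_app, which previously had no cache rule at all). If the move is meant to be behaviour-preserving, keep the narrower form, `allow platformappdomain cache_file:dir rw_dir_perms;`; if the widening is intentional, the comment should record why, e.g. `# Write to /cache (dir create/rename needed for ...)`.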
diff --git a/release_app.te b/release_app.te
index 69cff196ddbd3a0a118021d04c330b9da1a9a712..4dc78e7383aa5218d028556097a8b417ce3090b0 100644
--- a/release_app.te
+++ b/release_app.te
@@ -11,6 +11,4 @@ net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
 
-# Write to /cache.
-allow release_app cache_file:dir rw_dir_perms;
-allow release_app cache_file:file create_file_perms;
+# inherits from platformappdomain.te
diff --git a/shared_app.te b/shared_app.te
index 22238824e599fa6843f0bedb9b3961109dcdaf2c..ef72735291236cd7e5086e504f4fbab58dcd4000 100644
--- a/shared_app.te
+++ b/shared_app.te
@@ -10,3 +10,5 @@ platform_app_domain(shared_app)
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
+
+# inherits from platformappdomain.te
diff --git a/shelldomain.te b/shelldomain.te
index d4bb019e7051972c6051e2fdc2843bd55c1b48c3..e894d9dafc0619ffa9aa8f1a9dfb8532e1387295 100644
--- a/shelldomain.te
+++ b/shelldomain.te
@@ -5,10 +5,6 @@ allow shelldomain shell_data_file:dir create_dir_perms;
 allow shelldomain shell_data_file:file create_file_perms;
 allow shelldomain shell_data_file:file rx_file_perms;
 
-# Access sdcard.
-allow shelldomain sdcard_type:dir create_dir_perms;
-allow shelldomain sdcard_type:file create_file_perms;
-
 # adb bugreport
 unix_socket_connect(shelldomain, dumpstate, dumpstate)
 
@@ -29,13 +25,3 @@ allow shelldomain shell_prop:property_service set;
 allow shelldomain ctl_dumpstate_prop:property_service set;
 allow shelldomain debug_prop:property_service set;
 allow shelldomain powerctl_prop:property_service set;
-
-# ndk-gdb invokes adb shell ps to find the app PID.
-r_dir_file(shelldomain, non_system_app_set)
-
-# ndk-gdb invokes adb shell ls to check the app data dir.
-allow shelldomain app_data_file:dir search;
-
-# ps and ps -Z output for app processes.
-r_dir_file(shelldomain, appdomain)
-allow shelldomain appdomain:process getattr;
diff --git a/system_app.te b/system_app.te
index dc02118833918b4e3778a78841adea6a36e3d44a..60398a2e88d774f1646062ed395d149ffd87e7cc 100644
--- a/system_app.te
+++ b/system_app.te
@@ -20,12 +20,6 @@ allow system_app wallpaper_file:file r_file_perms;
 # Write to dalvikcache.
 allow system_app dalvikcache_data_file:file { write setattr };
 
-# Read SELinux enforcing status.
-selinux_getenforce(system_app)
-
-# Settings app reads sdcard for storage stats
-allow system_app sdcard_type:dir r_dir_perms;
-
 # Write to properties
 unix_socket_connect(system_app, property, init)
 allow system_app debug_prop:property_service set;
diff --git a/untrusted_app.te b/untrusted_app.te
index 85cf79e515ca5c4f2aaa02eb65bec85bd720af60..e60bfff57acf828ef4f0c547c36d3d43307ec19d 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -32,14 +32,6 @@ allow untrusted_app app_data_file:file rx_file_perms;
 
 allow untrusted_app tun_device:chr_file rw_file_perms;
 
-# Internal SDCard rw access.
-allow untrusted_app sdcard_internal:dir create_dir_perms;
-allow untrusted_app sdcard_internal:file create_file_perms;
-
-# External SDCard rw access.
-allow untrusted_app sdcard_external:dir create_dir_perms;
-allow untrusted_app sdcard_external:file create_file_perms;
-
 # ASEC
 allow untrusted_app asec_apk_file:dir { getattr };
 allow untrusted_app asec_apk_file:file r_file_perms;