diff --git a/rootdir/etc/fstab.qcom b/rootdir/etc/fstab.qcom
index 32f6327..efdaf34 100644
--- a/rootdir/etc/fstab.qcom
+++ b/rootdir/etc/fstab.qcom
@@ -9,10 +9,10 @@ #
 /dev/block/bootdevice/by-name/system /system ext4 ro,barrier=1,discard wait
 /dev/block/bootdevice/by-name/userdata /data f2fs rw,discard,nosuid,nodev,noatime,nodiratime,nobarrier,inline_xattr,inline_data wait,check,formattable,encryptable=/dev/block/bootdevice/by-name/metadata
 /dev/block/bootdevice/by-name/cache /cache ext4 rw,noatime,nosuid,nodev,barrier=1,data=ordered wait,check,formattable
-/dev/block/bootdevice/by-name/modem /firmware ext4 ro,nosuid,nodev,barrier=0 wait
-/dev/block/bootdevice/by-name/fsg /fsg ext4 ro,nosuid,nodev wait
+/dev/block/bootdevice/by-name/modem /firmware ext4 ro,nosuid,nodev,barrier=0,context=u:object_r:firmware_file:s0 wait
+/dev/block/bootdevice/by-name/fsg /fsg ext4 ro,nosuid,nodev,context=u:object_r:fsg_file:s0 wait
 /dev/block/bootdevice/by-name/dsp /dsp ext4 ro,nosuid,nodev,barrier=1 wait
-/dev/block/bootdevice/by-name/persist /persist ext4 nosuid,nodev,barrier=1,noatime,noauto_da_alloc wait
+/dev/block/bootdevice/by-name/persist /persist ext4 nosuid,nodev,barrier=1,noatime,noauto_da_alloc,context=u:object_r:persist_file:s0 wait
 /dev/block/bootdevice/by-name/boot /boot emmc defaults recoveryonly
 /dev/block/bootdevice/by-name/recovery /recovery emmc defaults recoveryonly
 /dev/block/bootdevice/by-name/misc /misc emmc defaults defaults
diff --git a/sepolicy/vendor/adspd.te b/sepolicy/vendor/adspd.te
deleted file mode 100644
index bea519c..0000000
--- a/sepolicy/vendor/adspd.te
+++ /dev/null
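Review bot: The new `context=` option on /firmware, /fsg and /persist labels every inode on those mounts with a single type at mount time, so any finer-grained file_contexts entries for paths under them stop taking effect; worth confirming the policy has none (mm-qcamerad.te in this same change still reads `persist_file:file`, which is consistent with one label). /dsp is the one sibling left without a `context=` option, so either the same option or a one-line `#` comment on why it differs would keep the table consistent. /persist remains writable with nosuid,nodev but no noexec; if nothing on it needs to execute, adding noexec to that line costs nothing.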
@@ -1,19 +0,0 @@
-type adspd, domain;
-type adspd_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(adspd)
-
-binder_use(adspd)
-binder_service(adspd)
-binder_call(adspd, system_server)
-
-allow adspd vendor_shell_exec:file entrypoint;
-
-allow adspd audio_device:chr_file { ioctl open read write };
-allow adspd audio_device:dir search;
-allow adspd input_device:chr_file { ioctl open read };
-allow adspd input_device:dir search;
-allow adspd sysfs_adsp:file write;
-# The below one is WRONG
-allow adspd sysfs:file write;
-
-set_prop(adspd, adspd_prop)
diff --git a/sepolicy/vendor/charge_only.te b/sepolicy/vendor/charge_only.te
index 71d84c4..3d2f517 100644
--- a/sepolicy/vendor/charge_only.te
+++ b/sepolicy/vendor/charge_only.te
@@ -1,17 +1,46 @@
 type charge_only, domain;
-type charge_only_exec, exec_type, file_type;
+type charge_only_exec, exec_type, file_type, vendor_file_type;
 init_daemon_domain(charge_only)
 allow charge_only chargeonly_data_file:dir rw_dir_perms;
 allow charge_only chargeonly_data_file:file rw_file_perms;
-allow charge_only graphics_device:chr_file rw_file_perms;
-allow charge_only graphics_device:dir search;
-allow charge_only input_device:chr_file r_file_perms;
-allow charge_only input_device:dir search;
+
+# Write to /dev/kmsg
+allow charge_only kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charge_only, sysfs_type)
+r_dir_file(charge_only, rootfs)
+r_dir_file(charge_only, cgroup)
+
 allow charge_only self:capability { dac_override net_admin sys_tty_config sys_boot };
-allow charge_only self:netlink_kobject_uevent_socket { bind read setopt create };
+allow charge_only self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+wakelock_use(charge_only)
+
+# Write to /sys/power/state
+# TODO: Split into a separate type?
 allow charge_only sysfs:dir { read open };
 allow charge_only sysfs:file { read open write };
+
 allow charge_only sysfs_wake_lock:file rw_file_perms;
 allow charge_only system_data_file:dir { write add_name };
+
+allow charge_only sysfs_batteryinfo:file r_file_perms;
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charge_only pstorefs:dir r_dir_perms;
+allow charge_only pstorefs:file r_file_perms;
+
+allow charge_only graphics_device:dir r_dir_perms;
+allow charge_only graphics_device:chr_file rw_file_perms;
+allow charge_only input_device:dir r_dir_perms;
+allow charge_only input_device:chr_file r_file_perms;
 allow charge_only tty_device:chr_file rw_file_perms;
+allow charge_only proc_sysrq:file rw_file_perms;
+
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charge_only, system_prop)
diff --git a/sepolicy/vendor/cnd.te b/sepolicy/vendor/cnd.te
index bbed452..35913b1 100644
--- a/sepolicy/vendor/cnd.te
+++ b/sepolicy/vendor/cnd.te
@@ -1,2 +1,2 @@
-allow cnd system_wpa_socket:sock_file { unlink };
+# allow cnd system_wpa_socket:sock_file { unlink };
 allow cnd diag_device:chr_file { read write };
diff --git a/sepolicy/vendor/esepmdaemon.te b/sepolicy/vendor/esepmdaemon.te
index fdef3c0..b037623 100644
--- a/sepolicy/vendor/esepmdaemon.te
+++ b/sepolicy/vendor/esepmdaemon.te
@@ -1,2 +1,2 @@
-binder_call(esepmdaemon, servicemanager);
+# binder_call(esepmdaemon, servicemanager);
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 68698b6..bd03905 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -41,12 +41,12 @@ type sysfs_batt, fs_type, sysfs_type;
 type sysfs_cnss, fs_type, sysfs_type;
 type sysfs_fpc, fs_type, sysfs_type;
-type fpc_socket, file_type;
+type fpc_socket, file_type, data_file_type;
 type fpc_data_file, file_type;
 type sysfs_wcnsscore, fs_type, sysfs_type;
-type nv_data_file, file_type;
+type nv_data_file, file_type, data_file_type;
 type sysfs_rmt_storage, fs_type, sysfs_type;
 type debugfs_rmt_storage, debugfs_type, fs_type;
 type debugfs_wlan, debugfs_type, fs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index d9bc0b0..4659ccc 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
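Review bot: After the added `r_dir_file(charge_only, sysfs_type)`, the retained `allow charge_only sysfs:dir { read open };` is fully covered (sysfs carries sysfs_type and r_dir_perms includes read and open), and of `allow charge_only sysfs:file { read open write };` only `write` still adds anything, so the two lines under `# Write to /sys/power/state` can shrink to `allow charge_only sysfs:file write;`. That also makes the TODO about a separate type point at exactly the one remaining broad write. `allow charge_only proc_sysrq:file rw_file_perms;` is the only new rule without a comment; a one-line note naming which sysrq command the charger issues, in the style of the `# Write to /dev/kmsg` line above, would help the next audit.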
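Review bot: The rule is commented out rather than deleted, and the same pattern repeats in esepmdaemon.te, hal_fingerprint_default.te, hal_gnss_qti.te, hal_sensors_default.te, mm-qcamerad.te, netmgrd.te, peripheral_manager.te, qseeproxy.te, rild.te, surfaceflinger.te, system_app.te and wcnss_service.te. Most of the disabled lines are `binder_call(..., servicemanager)`, `*_service_old:service_manager find` and `toolbox_exec`/`shell_exec` execute rules, which reads like a response to platform neverallows rather than a functional decision; if so, the dead lines invite someone to re-enable them later and the reason belongs in the commit message or next to each line. Deleting the lines (history keeps them) or replacing each with a one-line `# removed: <reason>` comment would make the intent explicit.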
@@ -6,11 +6,10 @@ /dev/hidraw[0-9]* u:object_r:amps_raw_device:s0
 # Binaries
-/system/vendor/bin/adspd u:object_r:adspd_exec:s0
-/system/bin/charge_only_mode u:object_r:charge_only_exec:s0
-/system/vendor/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0
-/system/vendor/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0
-/system/vendor/bin/init\.qti\.fm\.sh u:object_r:qti_init_shell_exec:s0
+/vendor/bin/charge_only_mode u:object_r:charge_only_exec:s0
+/vendor/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0
+/vendor/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0
+/vendor/bin/init\.qti\.fm\.sh u:object_r:qti_init_shell_exec:s0
 # CMActions
 /sys/homebutton(/.*)? u:object_r:sysfs_homebutton:s0
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
index 379b4b1..a6d5bef 100644
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -9,6 +9,6 @@ allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms;
 allow hal_fingerprint_default sysfs_graphics:file r_file_perms;
 allow hal_fingerprint_default sysfs_leds:dir r_dir_perms;
 allow hal_fingerprint_default sysfs_leds:file r_file_perms;
-allow hal_fingerprint_default fingerprintd_data_file:sock_file { create unlink };
+# allow hal_fingerprint_default fingerprintd_data_file:sock_file { create unlink };
 allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
 allow hal_fingerprint_default fpc_socket:sock_file unlink;
diff --git a/sepolicy/vendor/hal_gnss_qti.te b/sepolicy/vendor/hal_gnss_qti.te
index f7f46dc..78f43b3 100644
--- a/sepolicy/vendor/hal_gnss_qti.te
+++ b/sepolicy/vendor/hal_gnss_qti.te
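Review bot: The four binaries are now matched only under `/vendor/bin/` and the old `/system/vendor/bin/` spellings are dropped entirely. On a build where /vendor is still a symlink into /system/vendor, labeling runs against the real path, so these entries would likely stop matching and the `init_daemon_domain` transitions for charge_only, mmi_boot, init_wifi and qti_init_shell would silently not happen; if that layout must still be supported, the usual form is `/(vendor|system/vendor)/bin/charge_only_mode u:object_r:charge_only_exec:s0` for each of the four. The adspd entry goes away here together with adspd.te, so it is worth grepping that nothing else in the tree still references adspd_exec or adspd_prop.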
@@ -1,6 +1,6 @@
-binder_call(hal_gnss_qti, servicemanager);
+# binder_call(hal_gnss_qti, servicemanager);
 get_prop(hal_gnss_qti, diag_prop);
-allow hal_gnss_qti per_mgr_service_old:service_manager find;
+# allow hal_gnss_qti per_mgr_service_old:service_manager find;
 allow hal_gnss_qti debug_prop:file read;
 allow hal_gnss_qti property_socket:sock_file write;
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
index fba3de5..73d6fe8 100644
--- a/sepolicy/vendor/hal_sensors_default.te
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -1,5 +1,5 @@
 binder_call(hal_sensors_default, hwservicemanager)
-binder_call(hal_sensors_default, servicemanager)
+# binder_call(hal_sensors_default, servicemanager)
 binder_call(hal_sensors_default, mm-qcamerad)
 binder_call(hal_sensors_default, system_server)
diff --git a/sepolicy/vendor/init_wifi.te b/sepolicy/vendor/init_wifi.te
index 794acb9..3afa404 100644
--- a/sepolicy/vendor/init_wifi.te
+++ b/sepolicy/vendor/init_wifi.te
@@ -1,4 +1,4 @@
-type init_wifi, domain;
+type init_wifi, domain, binder_in_vendor_violators;
 type init_wifi_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(init_wifi)
diff --git a/sepolicy/vendor/mm-qcamerad.te b/sepolicy/vendor/mm-qcamerad.te
index a2ff65e..b717642 100644
--- a/sepolicy/vendor/mm-qcamerad.te
+++ b/sepolicy/vendor/mm-qcamerad.te
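Review bot: `binder_in_vendor_violators` is added to init_wifi here and to mmi_boot in mmi_boot.te with no comment on why these two script domains need binder at all. As far as I recall the platform policy defines that attribute as a temporary exemption for vendor domains that still talk binder, so each use should record what the script calls over binder and that the exemption is meant to go away, e.g. `# TODO: drop binder_in_vendor_violators once <script> no longer calls <binder client>` with the real names filled in. Without that, the exemption tends to outlive the reason for it.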
@@ -1,26 +1,25 @@
-binder_call(mm-qcamerad, servicemanager);
-binder_use(mm-qcamerad);
-binder_call(mm-qcamerad, binderservicedomain);
-binder_call(mm-qcamerad, appdomain);
-binder_call(mm-qcamerad, hal_sensors_default);
+# binder_call(mm-qcamerad, servicemanager);
+# binder_use(mm-qcamerad);
+# binder_call(mm-qcamerad, binderservicedomain);
+# binder_call(mm-qcamerad, appdomain);
+# binder_call(mm-qcamerad, hal_sensors_default);
 set_prop(mm-qcamerad, camera_prop);
 allow servicemanager mm-qcamerad:dir { search };
 allow servicemanager mm-qcamerad:file { read open };
 allow servicemanager mm-qcamerad:process { getattr };
-allow mm-qcamerad camera_data_file:sock_file { create unlink write };
-allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
-allow mm-qcamerad sensorservice_service:service_manager find;
+# allow mm-qcamerad camera_data_file:sock_file { create unlink write };
+# allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
+#allow mm-qcamerad sensorservice_service:service_manager find;
 allow mm-qcamerad vendor_camera_data_file:file rw_file_perms;
-allow mm-qcamerad permission_service:service_manager find;
+# allow mm-qcamerad permission_service:service_manager find;
 allow mm-qcamerad debug_prop:property_service set;
 allow mm-qcamerad persist_file:dir search;
 allow mm-qcamerad persist_file:file { read getattr open };
 allow mm-qcamerad system_data_file:dir read;
 allow mm-qcamerad init:unix_stream_socket { read write };
-allow mm-qcamerad sysfs_graphics:file { open read };
 allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write };
diff --git a/sepolicy/vendor/mmi_boot.te b/sepolicy/vendor/mmi_boot.te
index 420fdca..7cd25c3 100644
--- a/sepolicy/vendor/mmi_boot.te
+++ b/sepolicy/vendor/mmi_boot.te
@@ -1,4 +1,4 @@
-type mmi_boot, domain;
+type mmi_boot, domain, binder_in_vendor_violators;
 type mmi_boot_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(mmi_boot)
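Review bot: With `binder_use(mm-qcamerad)` and every `binder_call` for this domain disabled, the three retained `allow servicemanager mm-qcamerad:{dir,file,process}` rules look orphaned — presumably they existed so servicemanager could inspect a process that registers or looks up a service, which this domain no longer does — and probably belong in the same cleanup. `allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write };` stays while the binder path to hal_sensors_default is disabled, so a comment stating that the socket is now the only sensors channel would spare the next reader the same question. `#allow mm-qcamerad sensorservice_service:service_manager find;` lacks the space after `#` that every other disabled line in this change has, and `allow mm-qcamerad sysfs_graphics:file { open read };` is the only rule here that is deleted instead of commented out; both inconsistencies are worth fixing while the file is open.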
diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te
index 4e60a20..621f192 100644
--- a/sepolicy/vendor/netmgrd.te
+++ b/sepolicy/vendor/netmgrd.te
@@ -4,5 +4,5 @@ allow netmgrd netmgr_data_file:file rw_file_perms;
 allow netmgrd self:capability dac_override;
 allow netmgrd net_data_file:dir r_dir_perms;
 allow netmgrd netd_socket:sock_file write;
-allow netmgrd toolbox_exec:file { execute getattr execute_no_trans read open };
+# allow netmgrd toolbox_exec:file { execute getattr execute_no_trans read open };
 r_dir_file(netmgrd, net_data_file)
diff --git a/sepolicy/vendor/peripheral_manager.te b/sepolicy/vendor/peripheral_manager.te
index 26360a6..c95106c 100644
--- a/sepolicy/vendor/peripheral_manager.te
+++ b/sepolicy/vendor/peripheral_manager.te
@@ -1,5 +1,5 @@
-binder_call(per_mgr, servicemanager);
+# binder_call(per_mgr, servicemanager);
 allow per_mgr self:capability net_raw;
-allow per_mgr per_mgr_service_old:service_manager { add find };
-allow per_mgr servicemanager:binder { call transfer };
+# allow per_mgr per_mgr_service_old:service_manager { add find };
+# allow per_mgr servicemanager:binder { call transfer };
diff --git a/sepolicy/vendor/qseeproxy.te b/sepolicy/vendor/qseeproxy.te
index f05bfd5..1352f7e 100644
--- a/sepolicy/vendor/qseeproxy.te
+++ b/sepolicy/vendor/qseeproxy.te
@@ -1,3 +1,3 @@
-binder_call(qseeproxy, servicemanager);
+# binder_call(qseeproxy, servicemanager);
 allow qseeproxy self:process getattr;
-allow qseeproxy qseeproxy_service_old:service_manager { add find };
+# allow qseeproxy qseeproxy_service_old:service_manager { add find };
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
index 1c5656d..5fba559 100644
--- a/sepolicy/vendor/rild.te
+++ b/sepolicy/vendor/rild.te
@@ -1,7 +1,7 @@
-binder_call(rild, servicemanager);
+# binder_call(rild, servicemanager);
 binder_call(rild, audioserver_service);
 binder_call(rild, system_server);
-allow rild per_mgr_service_old:service_manager find;
+# allow rild per_mgr_service_old:service_manager find;
 set_prop(rild, diag_prop);
 allow rild nv_data_file:dir rw_dir_perms;
 allow rild nv_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te
index 2cbe8bf..9abdfd8 100644
--- a/sepolicy/vendor/surfaceflinger.te
+++ b/sepolicy/vendor/surfaceflinger.te
@@ -1,7 +1,7 @@
 get_prop(surfaceflinger, diag_prop);
 allow surfaceflinger perfd_data_file:sock_file write;
 allow surfaceflinger perfd_data_file:dir search;
-allow surfaceflinger perfd:unix_stream_socket connectto;
+# allow surfaceflinger perfd:unix_stream_socket connectto;
 allow surfaceflinger diag_device:chr_file { read write };
 binder_call(surfaceflinger, hwservicemanager)
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
index c65c1b1..3d87c89 100644
--- a/sepolicy/vendor/system_app.te
+++ b/sepolicy/vendor/system_app.te
@@ -6,7 +6,7 @@ allow system_app sysfs_graphics:dir search;
 allow system_app proc_touchpanel:file rw_file_perms;
 allow system_app sysfs_fpc:file rw_file_perms;
 allow system_app fuse_device:filesystem getattr;
-allow system_app time_daemon:unix_stream_socket connectto;
+# allow system_app time_daemon:unix_stream_socket connectto;
 allow system_app init:unix_stream_socket { read write };
 allow system_app sysfs_homebutton:file write;
diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te
index 5cb0d81..b24b60b 100644
--- a/sepolicy/vendor/wcnss_service.te
+++ b/sepolicy/vendor/wcnss_service.te
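Review bot: Disabling `allow surfaceflinger perfd:unix_stream_socket connectto;` leaves the two retained `perfd_data_file` rules (`sock_file write` and `dir search`) without a purpose: writing to the socket file is only useful together with connectto on the listening perfd socket, so either all three should go or the connectto is still needed and an AVC denial will surface at runtime. The same shape appears in system_app.te in this change, where `time_daemon:unix_stream_socket connectto` is disabled; worth checking whether the rules around it are now dead as well, and saying in a comment which client path replaces the socket if one does.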
@@ -1,8 +1,8 @@
-binder_call(wcnss_service, servicemanager);
+# binder_call(wcnss_service, servicemanager);
 set_prop(wcnss_service, wifi_prop);
 get_prop(wcnss_service, diag_prop);
-allow wcnss_service toolbox_exec:file { execute getattr execute_no_trans read open };
-allow wcnss_service shell_exec:file { execute getattr execute_no_trans read open };
+# allow wcnss_service toolbox_exec:file { execute getattr execute_no_trans read open };
+# allow wcnss_service shell_exec:file { execute getattr execute_no_trans read open };
 allowxperm wcnss_service self:udp_socket ioctl priv_sock_ioctls;
-allow wcnss_service per_mgr_service_old:service_manager find;
+# allow wcnss_service per_mgr_service_old:service_manager find;