diff --git a/mediaserver.te b/mediaserver.te
index 1b94d86d6..1a065b070 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -1,7 +1,57 @@
 # mediaserver - multimedia daemon
 type mediaserver, domain;
+permissive mediaserver;
 type mediaserver_exec, exec_type, file_type;
 
+typeattribute mediaserver mlstrustedsubject;
+
 net_domain(mediaserver)
 init_daemon_domain(mediaserver)
-unconfined_domain(mediaserver)
+unix_socket_connect(mediaserver, property, init)
+
+r_dir_file(mediaserver, sdcard_type)
+
+binder_use(mediaserver)
+binder_call(mediaserver, binderservicedomain)
+binder_call(mediaserver, appdomain)
+binder_service(mediaserver)
+
+allow mediaserver self:process execmem;
+allow mediaserver kernel:system module_request;
+allow mediaserver app_data_file:dir search;
+allow mediaserver app_data_file:file rw_file_perms;
+allow mediaserver platform_app_data_file:file { getattr read };
+allow mediaserver sdcard_type:file write;
+allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver video_device:chr_file rw_file_perms;
+allow mediaserver audio_device:dir r_dir_perms;
+allow mediaserver qemu_device:chr_file rw_file_perms;
+allow mediaserver tee_device:chr_file rw_file_perms;
+allow mediaserver audio_prop:property_service set;
+
+# Access audio devices at all.
+allow mediaserver audio_device:chr_file rw_file_perms;
+
+# XXX Label with a specific type?
+allow mediaserver sysfs:file rw_file_perms;
+
+# XXX Why?
+allow mediaserver { apk_data_file asec_apk_file }:file { read getattr };
+
+# Access camera device.
+allow mediaserver camera_device:chr_file rw_file_perms;
+allow mediaserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow mediaserver system_server:fifo_file r_file_perms;
+
+# Camera calibration
+allow mediaserver camera_calibration_file:dir r_dir_perms;
+allow mediaserver camera_calibration_file:file r_file_perms;
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow mediaserver qtaguid_proc:file rw_file_perms;
+allow mediaserver qtaguid_device:chr_file r_file_perms;
+
+# Allow abstract socket connection
+allow mediaserver rild:unix_stream_socket { connectto read write setopt };