diff --git a/sepolicy/common/file.te b/sepolicy/common/file.te
index e087099..2e2036d 100644
--- a/sepolicy/common/file.te
+++ b/sepolicy/common/file.te
@@ -1,7 +1,8 @@
 type proc_bt_sleep, fs_type;
-type sysfs_mdnie, fs_type, sysfs_type;
+type sysfs_camera, fs_type, sysfs_type;
 type sysfs_hal_pwr, fs_type, sysfs_type;
+type sysfs_mdnie, fs_type, sysfs_type;
 type sysfs_sec, fs_type, sysfs_type;
 type sysfs_wifi_writeable, fs_type, sysfs_type;
diff --git a/sepolicy/common/file_contexts b/sepolicy/common/file_contexts
index 34407f5..a57714d 100644
--- a/sepolicy/common/file_contexts
+++ b/sepolicy/common/file_contexts
@@ -34,6 +34,7 @@
 /sys/module/dhd/parameters/firmware_path u:object_r:sysfs_wifi_writeable:s0
 /sys/module/dhd/parameters/nvram_path u:object_r:sysfs_wifi_writeable:s0
 /sys/devices/platform/bcm[0-9]+_bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0
 /sys/devices/virtual/sec/sec_key/hall_irq_ctrl u:object_r:sysfs_sec:s0
 # mdnie sysfs
diff --git a/sepolicy/common/mediaserver.te b/sepolicy/common/mediaserver.te
index a14d0b3..7990af5 100644
--- a/sepolicy/common/mediaserver.te
+++ b/sepolicy/common/mediaserver.te
@@ -1,4 +1,7 @@
 allow mediaserver camera_socket:sock_file write;
+allow mediaserver hal_camera_hwservice:hwservice_manager find;
 allow mediaserver mm-qcamerad:unix_dgram_socket sendto;
+allow mediaserver sysfs_camera:dir search;
+allow mediaserver sysfs_camera:file r_file_perms;
 allow mediaserver thermal-engine:unix_stream_socket connectto;
 allow mediaserver vendor_file:file execmod;
diff --git a/sepolicy/common/mm-qcamerad.te b/sepolicy/common/mm-qcamerad.te
index 4cd95cc..0f6b148 100644
--- a/sepolicy/common/mm-qcamerad.te
+++ b/sepolicy/common/mm-qcamerad.te
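Review bot: In file_contexts the new pattern `/sys/devices/virtual/camera(/.*)?` puts every node under that directory into the single type `sysfs_camera`, and the mm-qcamerad.te hunk of this commit then grants `rw_file_perms` on that type, so the daemon may write any attribute the camera driver exposes there, not only the ones it actually uses. If only a few nodes need writing, I would give those a separate type and keep the broad label read-only for mm-qcamerad with `allow mm-qcamerad sysfs_camera:file r_file_perms;`. A one-line comment above the new entry naming the driver that creates these nodes, in the style of the existing `# mdnie sysfs` header, would also make later audits easier.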
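Review bot: In mediaserver.te, `allow mediaserver hal_camera_hwservice:hwservice_manager find;` lets the media process look up the camera HAL, but nothing in this hunk grants it a binder call to a camera HAL server, so the rule reads like a logged denial turned into an allow rather than a real dependency. mediaserver parses untrusted media content, so its reach should stay as small as possible. If the lookup can fail harmlessly, `dontaudit mediaserver hal_camera_hwservice:hwservice_manager find;` silences the log without granting access. If mediaserver really is the camera HAL client on this device, say so in a comment and use `hal_client_domain(mediaserver, hal_camera)` instead of a lone `find`. The two `sysfs_camera` read rules would also benefit from a comment naming the nodes that are read.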
@@ -5,4 +5,6 @@ type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket
 # Allow mm-qcamera-daemon to create the socket camera_socket
 allow mm-qcamerad system_data_file:dir w_dir_perms;
+allow mm-qcamerad sysfs_camera:dir search;
+allow mm-qcamerad sysfs_camera:file rw_file_perms;
 allow mm-qcamerad vendor_file:file execmod;
diff --git a/sepolicy/common/thermal-engine.te b/sepolicy/common/thermal-engine.te
index a68d2b0..eadef86 100644
--- a/sepolicy/common/thermal-engine.te
+++ b/sepolicy/common/thermal-engine.te
@@ -1,3 +1,5 @@
 type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-send-client";
 type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-client";
 type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-passive-client";
+
+allow thermal-engine self:capability chown;
diff --git a/sepolicy/common/vold.te b/sepolicy/common/vold.te
index 5ce680c..15b17ce 100644
--- a/sepolicy/common/vold.te
+++ b/sepolicy/common/vold.te
@@ -1,2 +1,6 @@
+allow vold block_device:blk_file getattr;
+allow vold cache_block_device:blk_file getattr;
+allow vold efs_block_device:blk_file getattr;
 allow vold efs_file:dir rw_dir_perms;
 allow vold efs_file:file create;
+allow vold system_block_device:blk_file getattr;
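Review bot: In thermal-engine.te, `allow thermal-engine self:capability chown;` is added with no comment on what the daemon changes ownership of; the three `type_transition` lines above it suggest the thermal sockets, but that is only a guess from this hunk. The capability lifts the DAC ownership check for any file the domain is otherwise allowed to `setattr`, so it is worth confirming that the daemon actually fails without it. If it keeps working when the chown is denied, prefer `dontaudit thermal-engine self:capability chown;`. Otherwise add a line such as `# thermal-engine chowns its client sockets after creating them` above the rule once the cause is confirmed.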
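Review bot: The four new `getattr` rules in vold.te are interleaved with the existing `efs_file` rules and carry no comment, so a later reader cannot tell a needed permission from a denial copied out of a log. `getattr` on a block node exposes only metadata, so the risk is low, but I would fold them into one rule with a stated reason: `allow vold { block_device cache_block_device efs_block_device system_block_device }:blk_file getattr;` under a comment such as `# vold stats block nodes while scanning volumes`, with the wording adjusted to the real cause. If vold works with the stat denied, a `dontaudit` over the same type set is the tighter choice.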