diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 703ff8c..1e976a6 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -50,7 +50,6 @@ TARGET_NO_BOOTLOADER := true
 # Kernel
 BOARD_KERNEL_BASE := 0x80000000
 BOARD_KERNEL_CMDLINE := console=null androidboot.hardware=qcom msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 earlyprintk
-BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
 BOARD_KERNEL_IMAGE_NAME := Image.gz
 BOARD_KERNEL_PAGESIZE := 2048
 BOARD_KERNEL_SEPARATED_DT := true
diff --git a/rootdir/etc/init.qcom.rc b/rootdir/etc/init.qcom.rc
index 861cb80..a13b746 100644
--- a/rootdir/etc/init.qcom.rc
+++ b/rootdir/etc/init.qcom.rc
@@ -1534,6 +1534,7 @@ service hci_filter_root /system/bin/wcnss_filter
 service config_bluetooth /system/bin/sh /system/etc/init.qcom.bt.sh "onboot"
     class core
     user root
+    seclabel u:r:bluetooth_loader:s0
     oneshot
 
 service hciattach /system/bin/sh /system/etc/init.qcom.bt.sh
@@ -1541,6 +1542,7 @@ service hciattach /system/bin/sh /system/etc/init.qcom.bt.sh
     user bluetooth
     group bluetooth net_bt_admin
     disabled
+    seclabel u:r:bluetooth_loader:s0
     oneshot
 
 on property:bluetooth.hciattach=true
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..c2b4d2b
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1 @@
+type efs_block_device, dev_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..ab8fbcc
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,2 @@
+type app_efs_file, file_type;
+type sysfs_mdnie, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 3e2dec8..f742d51 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
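Review bot: The `seclabel u:r:bluetooth_loader:s0` added to config_bluetooth names a domain this commit never declares (there is no bluetooth_loader.te among the new sepolicy files), so it must come from the inherited platform/qcom policy; if it does not, init cannot set the exec context and the service should fail to start rather than fall back to another domain, which is worth confirming on a built image. This root-owned service and the bluetooth-user hciattach service in the next hunk now share one domain, so bluetooth_loader will carry the union of what both need; since they run the same script with only the `"onboot"` argument differing, check whether config_bluetooth really needs `user root` rather than `user bluetooth` with the same groups. The seclabel is required here because the service binary is `/system/bin/sh`, which gets no automatic domain transition, and that reasoning deserves a comment above the service, e.g. `# binary is sh (no exec transition): pin the domain with seclabel`.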
@@ -1 +1,17 @@
-/system/bin/timekeep u:object_r:timekeep_exec:s0
+# Cache
+/dev/block/bootdevice/by-name/cache u:object_r:cache_block_device:s0
+
+# EFS
+/dev/block/bootdevice/by-name/efs u:object_r:efs_block_device:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0
+
+# FRP
+/dev/block/bootdevice/by-name/persistent u:object_r:frp_block_device:s0
+
+# mDNIe
+/sys/devices/virtual/mdnie/mdnie/mode u:object_r:sysfs_mdnie:s0
+/sys/devices/virtual/mdnie/mdnie/scenario u:object_r:sysfs_mdnie:s0
+
+# TimeKeep
+/system/bin/timekeep u:object_r:timekeep_exec:s0
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
new file mode 100644
index 0000000..5d000b7
--- /dev/null
+++ b/sepolicy/fsck.te
@@ -0,0 +1 @@
+allow fsck efs_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..a216fe8
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,2 @@
+r_dir_file(netd, efs_file)
+r_dir_file(netd, firmware_file)
diff --git a/sepolicy/perm_mgr.te b/sepolicy/perm_mgr.te
new file mode 100644
index 0000000..6d75682
--- /dev/null
+++ b/sepolicy/perm_mgr.te
@@ -0,0 +1 @@
+allow per_mgr self:capability net_raw;
diff --git a/sepolicy/property.te b/sepolicy/property.te
index 59ec853..8a2fb3c 100644
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -1 +1,2 @@
 type timekeep_prop, property_type;
+type rmt_storage_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index ad0a920..62283e5 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -1 +1,3 @@
-persist.sys.timeadjust u:object_r:timekeep_prop:s0
+persist.sys.timeadjust u:object_r:timekeep_prop:s0
+service.camera.hdmi_preview u:object_r:camera_prop:s0
+storage.efs_sync.done u:object_r:rmt_storage_prop:s0
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
new file mode 100644
index 0000000..ba1a620
--- /dev/null
+++ b/sepolicy/rmt_storage.te
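Review bot: The new `/efs/...` and `/sys/devices/virtual/mdnie/...` entries only take effect if something relabels those paths at boot: /efs is a persistent partition whose existing inodes keep whatever label they already carry, and the mdnie sysfs nodes are created by the kernel with the generic sysfs label, so both need a `restorecon_recursive /efs` (or a `restorecon` on the two mdnie nodes) in the device init .rc, and this change shows none. If those calls already exist elsewhere in the tree this is fine; otherwise the allow rules added for system_server, system_app and netd in this commit will still be denied against the old labels. `/efs/bluetooth` is labelled `bluetooth_efs_file`, a type not declared here either, so it is presumably inherited from the common policy; a comment such as `# bluetooth_efs_file is declared in the common qcom policy` would save the next reader a search.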
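Review bot: `r_dir_file(netd, efs_file)` gives netd read access to everything carrying the efs_file label, which, if efs_file is the catch-all label for the partition as is usual, includes identity and calibration data a network daemon has no reason to see, when the need is presumably a single file (on this class of device typically a Wi-Fi MAC or calibration file). The commit already shows the narrower pattern for `/efs/bluetooth` and `/efs/FactoryApp`: a dedicated type in file.te, a file_contexts entry for the specific path, and `r_dir_file(netd, <that type>)` would keep the grant scoped. At minimum both rules should carry a comment naming the file and the denial they clear, e.g. `# netd reads the wifi MAC from /efs/<path> (avc: denied { read } ... tcontext=efs_file)`.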
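Review bot: The file is named perm_mgr.te but the rule is for the `per_mgr` domain; the policy build concatenates every .te file so this compiles, but the one-file-per-domain convention means someone looking for per_mgr rules will not find it, so rename the file to per_mgr.te. `net_raw` is also a broad capability (it gates raw and packet sockets), so the denial it was added for should be recorded, e.g. `# per_mgr creates a <class> socket for ... (avc: denied { net_raw })`. If the underlying need is socket creation, confirm the matching `self:<class>_socket` permission is already granted in the inherited policy, since the capability alone would not satisfy a create denial on the socket class.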
@@ -0,0 +1 @@
+set_prop(rmt_storage, rmt_storage_prop)
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index ce0969c..78c9941 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1,3 +1,5 @@
+allow system_app sysfs_mdnie:file rw_file_perms;
+
 allow system_app time_data_file:file rw_file_perms;
 
 set_prop(system_app, timekeep_prop)
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..69caf4b
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,3 @@
+allow system_server sysfs_mdnie:file rw_file_perms;
+
+r_dir_file(system_server, app_efs_file)
diff --git a/sepolicy/wcnss_service.te b/sepolicy/wcnss_service.te
new file mode 100644
index 0000000..46c74a3
--- /dev/null
+++ b/sepolicy/wcnss_service.te
@@ -0,0 +1 @@
+allow wcnss_service self:capability { setgid setuid };
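Review bot: `rw_file_perms` on the mdnie sysfs nodes grants more than writing a sysfs attribute needs (the macro also includes ioctl, lock and append), and it is given to system_app, which covers every app running under the system UID rather than only the display-settings component that presumably drives mdnie; the same grant goes to system_server in this commit, so one of the two is likely redundant. The least-privilege form is `allow system_app sysfs_mdnie:file { open read write getattr };`, kept only in the domain that actually writes the nodes. A comment naming the writer would help, e.g. `# <settings app> writes /sys/devices/virtual/mdnie/mdnie/{mode,scenario}`.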
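Review bot: `r_dir_file(system_server, app_efs_file)` lets system_server read the entire `/efs/FactoryApp` tree; if only one file there is consumed (the commit does not say which), attaching the type to that path alone in file_contexts would bound what a compromised or confused system_server component can read from the partition. Neither rule in this new file says what it is for, so each should carry a line such as `# reads /efs/FactoryApp/<file> for ...` and `# writes mdnie mode/scenario from the display service`. Since system_app receives the same sysfs_mdnie write in this commit, confirm both are really writers and drop the one that is not.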
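Review bot: `setuid` and `setgid` are broad capabilities: with CAP_SETUID the process can switch to any uid, including back to 0 after dropping, so this grant is only as safe as the wcnss_service binary itself. If the daemon starts as root only to open firmware or device nodes and then drops to a fixed user, the tighter pattern is to start it under that user in the init .rc and give the nodes to that user/group, which needs no capability at all; the commit contains no .rc change for this service, so the reason for the grant is not visible here. If the runtime uid change is genuinely required, record it, e.g. `# wcnss_service drops privileges after loading firmware; needs setuid/setgid`.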