diff --git a/init.te b/init.te
index b5b799330e5216c87d875d4f8c6d90c7dda7379f..455442f1215a0f080c68f343dd3cd5d7cdfc0582 100644
--- a/init.te
+++ b/init.te
@@ -117,3 +117,7 @@ allow init kernel:process setsched;
 neverallow { domain -kernel} init:process dyntransition;
 neverallow domain init:process transition;
 neverallow init { file_type fs_type }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow init shell_data_file:lnk_file read;
+neverallow init app_data_file:lnk_file read;
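Review bot: The comment above the two new neverallow rules says what is forbidden but not why, and it names "untrusted apps" while the rule is written against `app_data_file`, which presumably labels app data more broadly. A comment along the lines of `# init is highly privileged: it must never resolve a symlink planted in shell- or app-writable data; lnk_file read gates both readlink() and path traversal.` would make the intent and the choice of permission clear to the next maintainer. As a style point, the two rules can be one assertion, `neverallow init { shell_data_file app_data_file }:lnk_file read;`, so that further types are added in one place. Only these two types are covered; whether other types writable by shell or apps need the same assertion cannot be judged from this hunk.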