diff --git a/app.te b/app.te
index 9a86d1c1e3ac8f2943217d03d4d9942bb40c001d..7de624b7a03d25688d6df136fe60c6a3fc4fed88 100644
--- a/app.te
+++ b/app.te
@@ -278,8 +278,6 @@ neverallow appdomain socket_device:sock_file write;
 # Unix domain sockets.
 neverallow appdomain adbd_socket:sock_file write;
 neverallow appdomain installd_socket:sock_file write;
-neverallow { appdomain -bluetooth -radio -shell -system_app -nfc }
-    property_socket:sock_file write;
 neverallow { appdomain -radio } rild_socket:sock_file write;
 neverallow appdomain vold_socket:sock_file write;
 neverallow appdomain zygote_socket:sock_file write;
@@ -385,10 +383,6 @@ neverallow { appdomain -system_app -shell }
 # i.e. no mount(2), unmount(2), etc.
 neverallow appdomain fs_type:filesystem ~getattr;
 
-# Ability to set system properties.
-neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
-    property_type:property_service set;
-
 # prevent creation/manipulation of globally readable symlinks
 neverallow appdomain {
   apk_data_file
diff --git a/isolated_app.te b/isolated_app.te
index 2cf5578953386ce4f59dff4dfe4a568d2a742730..9bcb018cad4198fcac2e90d32284cfda589f1ff4 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -29,6 +29,10 @@ allow isolated_app self:process ptrace;
 ##### Neverallow
 #####
 
+# Do not allow isolated_app to set system properties.
+neverallow isolated_app property_socket:sock_file write;
+neverallow isolated_app property_type:property_service set;
+
 # Isolated apps should not directly open app data files themselves.
 neverallow isolated_app app_data_file:file open;
 
diff --git a/untrusted_app.te b/untrusted_app.te
index 5d48970aac2c5845d9b489d95c28c4bcb0d96c19..055844341c45ddb7544890691f2ebc7c66a32775 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -142,3 +142,7 @@ neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 # Do not allow untrusted_app access to /cache
 neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
 neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };
+
+# Do not allow untrusted_app to set system properties.
+neverallow untrusted_app property_socket:sock_file write;
+neverallow untrusted_app property_type:property_service set;
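Review bot: The neverallow rules added here and in isolated_app.te cover only untrusted_app and isolated_app, whereas the rules removed from app.te asserted the same restriction for every appdomain type outside bluetooth, radio, shell, system_app and nfc. Any other app domain in the policy is no longer checked at build time, so a later allow rule granting it `property_type:property_service set` or write on `property_socket:sock_file` would compile without an assertion failure. If the goal is to let specific additional domains set properties, consider keeping the appdomain-wide assertions in app.te and extending the exception list, e.g. `neverallow { appdomain -bluetooth -radio -shell -system_app -nfc -<new_domain> } property_type:property_service set;` (`<new_domain>` is a placeholder). Otherwise, extend the comment to say which app domains are deliberately left uncovered and why, e.g. `# Other app domains are intentionally not asserted here; see <reason>.`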