diff --git a/public/app.te b/public/app.te
index b0f6cb22f9a3e76b37f28c0a5ef4ea68e62f4d30..05e68b6729d0c57696d37240275b571f083f8e2e 100644
--- a/public/app.te
+++ b/public/app.te
@@ -174,6 +174,7 @@ userdebug_or_eng(`
   allow appdomain heapdump_data_file:file append;
 ')
 
+r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow {
     untrusted_app_25
@@ -182,9 +183,7 @@ allow {
     priv_app
     system_app
     platform_app
-    shell
 } proc_qtaguid_ctrl:file rw_file_perms;
-r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # read /proc/net/xt_qtguid/*stat* to per-app network data usage.
 # Exclude isolated app which may not use network sockets.
 r_dir_file({
@@ -194,7 +193,6 @@ r_dir_file({
     priv_app
     system_app
     platform_app
-    shell
 }, proc_qtaguid_stat)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
@@ -205,7 +203,6 @@ allow {
     priv_app
     system_app
     platform_app
-    shell
 } qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.
diff --git a/public/shell.te b/public/shell.te
index 5e2745be4fecc556cead8337fad006378e17ef75..c5033ecfc04c327346a83cb48f6ac0d9d7e707d5 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -121,6 +121,7 @@ allow shell {
   proc_meminfo
   proc_modules
   proc_pid_max
+  proc_qtaguid_stat
   proc_stat
   proc_timer
   proc_uptime