diff --git a/private/app.te b/private/app.te
index 81de403aa049522f126fb7138e67583d1e163d70..1cf86ff468a79e8c64fb64f088a766537ee914ea 100644
--- a/private/app.te
+++ b/private/app.te
@@ -276,11 +276,6 @@ use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)
 allow appdomain runas_exec:file getattr;
 # Others are either allowed elsewhere or not desired.
 
-# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
-# Check SELinux policy and contexts.
-selinux_check_access(appdomain)
-selinux_check_context(appdomain)
-
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
@@ -441,6 +436,11 @@ neverallow appdomain
 # Access to syslog(2) or /proc/kmsg.
 neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
 
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
 neverallow appdomain fs_type:filesystem ~getattr;
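Review bot: The `-shell` carve-out in the three added neverallow rules is not explained where it is made, so the comment reads as an absolute ban while one appdomain member is exempt. The reason is only visible in private/shell.te, so I would extend the comment to `# SELinux is not an API for apps to use. shell is exempt because CTS performs its SELinux access checks from that domain.` Separately, the `*:security` rule names only `compute_av` and `check_context`, the two permissions the removed macros appear to have granted. The selinuxfs write ban on the line above probably makes the rest unreachable already, but listing `compute_create compute_member compute_relabel compute_user` as well would stop a later allow rule from reopening the interface piecemeal.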
diff --git a/private/shell.te b/private/shell.te
index c24bfd329a4df2a6fd00603eceacf11fe45b8ebc..9bc0bd150c196957ce022dcfbf3967229d1cc4e2 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -13,3 +13,7 @@ app_domain(shell)
 
 # allow shell to call dumpsys storaged
 binder_call(shell, storaged)
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
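Review bot: The new comment says only "needed for CTS" and drops the test path that the removed comment in private/app.te carried, so a later audit cannot tell which test depends on this grant or when it can be withdrawn. If that test is still the consumer, I would keep the reference: `# Perform SELinux access checks, needed for CTS (cts/tests/tests/security/src/android/security/cts/SELinuxTest.java)`. Since shell is the one domain exempted from the new neverallow rules in app.te, it is also worth saying here that the grant is deliberately limited to access and context checks.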
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 5702aced242ba1b24649cfa971fa6133176146e4..64ad3e64f612dd46abaaace7d7b397df01d57681 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -292,33 +292,3 @@ auditallow {
   -vold
 } proc_meminfo:file r_file_perms;
 ')
-
-# Get SELinux enforcing status.
-allow domain_deprecated selinuxfs:dir r_dir_perms;
-allow domain_deprecated selinuxfs:file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -installd
-  -keystore
-  -postinstall_dexopt
-  -runas
-  -servicemanager
-  -system_server
-  -ueventd
-  -zygote
-} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -installd
-  -keystore
-  -postinstall_dexopt
-  -runas
-  -servicemanager
-  -system_server
-  -ueventd
-  -zygote
-} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
-')