diff --git a/app.te b/app.te
index 1ee307550f9b26668515e57b760fd42bbde1f337..b6701693b6eef581c74582eded022caeea089b2c 100644
--- a/app.te
+++ b/app.te
@@ -78,6 +78,7 @@ allow appdomain anr_data_file:file { open append };
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow appdomain shell_data_file:file { write getattr };
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
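Review bot: The new `shell_data_file` rule has no comment of its own and sits under a comment about dumpstate, so nothing explains why every app domain may write to shell-owned files. The grant omits `open`, so as written it only covers descriptors that reach the app already open. If that is the intent, state it above the rule, e.g. `# Write to shell-owned files only through an already-open fd (no open permission), e.g. redirected dump output.` The same applies to the matching rule added in binderservicedomain.te, which also lists the permissions in the opposite order (`{ getattr write }`).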
@@ -321,7 +322,7 @@ neverallow { appdomain -platform_app -unconfineddomain }
     { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -shell -unconfineddomain }
     shell_data_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
+    { create setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -bluetooth -unconfineddomain }
     bluetooth_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
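Review bot: Dropping `write` from the `shell_data_file` neverallow relaxes it for every class in `dir_file_class_set`, while the allow rules added in this commit only need `write` on class `file`. After this change the assertion no longer stops a later rule from granting an app domain `write` on a shell_data_file directory or another non-file class. Consider keeping the assertion for the classes that need no exception, for example `neverallow { appdomain -shell -unconfineddomain } shell_data_file:dir write;`, extended to the other non-file classes as appropriate. Confirm that the added rule still compiles against the rest of the policy.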
diff --git a/binderservicedomain.te b/binderservicedomain.te
index cf2943da6f73b2d44e3977a8dd2822b9fd17daf5..5990301458948c510e27836536d1a4d5fa75f5e8 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -3,6 +3,7 @@
 # Allow dumpstate to collect information from binder services
 allow binderservicedomain dumpstate:fd use;
 allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain shell_data_file:file { getattr write };
 
 # Allow dumpsys to work from adb shell
 allow binderservicedomain devpts:chr_file rw_file_perms;
diff --git a/media_app.te b/media_app.te
index 830cbd5bbeadc9605bcc706129434007f11e674b..65f38636b0e11c7297556a0325769f54d8eab1c2 100644
--- a/media_app.te
+++ b/media_app.te
@@ -5,6 +5,7 @@
 type media_app, domain;
 app_domain(media_app)
 platform_app_domain(media_app)
+binder_service(media_app)
 # Access the network.
 net_domain(media_app)
 # Access /dev/mtp_usb.
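Review bot: `binder_service(media_app)` is added without a comment, and the same bare line is added in nfc.te, radio.te and system_app.te. Assuming the macro attaches the `binderservicedomain` attribute, each of these domains picks up every rule in binderservicedomain.te. From the lines visible in this commit, that includes `devpts:chr_file rw_file_perms` as well as the dump-related grants. A one-line comment giving the reason would make the wider grant reviewable, e.g. `# Hosts binder services that dumpstate/dumpsys query.`, if that is the reason.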
diff --git a/nfc.te b/nfc.te
index 9a354bb58a1b8216d7ba08a45e70e8f4823bc181..ca7a89d97cd15863f0e5a8199574d25d48015c16 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,6 +1,7 @@
 # nfc subsystem
 type nfc, domain;
 app_domain(nfc)
+binder_service(nfc)
 
 # NFC device access.
 allow nfc nfc_device:chr_file rw_file_perms;
diff --git a/radio.te b/radio.te
index a119d75cfd523e56918818a8841003539f48e2d2..d5bf42b192bcaee061fd2c0ab05da52dcdcb5a64 100644
--- a/radio.te
+++ b/radio.te
@@ -3,6 +3,7 @@ type radio, domain;
 app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)
+binder_service(radio)
 
 # Talks to init via the property socket.
 unix_socket_connect(radio, property, init)
diff --git a/surfaceflinger.te b/surfaceflinger.te
index edbe22ff2e11d66fb42284a9173d0c4e2a0fb7d5..24c20ebfc09d88fc38ee7e1e8e9252db97d37cf9 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -43,7 +43,6 @@ allow surfaceflinger bootanim:fd use;
 # Allow a dumpstate triggered screenshot
 binder_call(surfaceflinger, dumpstate)
 binder_call(surfaceflinger, shell)
-allow surfaceflinger shell_data_file:file write;
 
 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.
diff --git a/system_app.te b/system_app.te
index 41e446be8db5c359573be939e2db49c50f0247fa..a80cc4548ee083cb83e8103aa8d6a09c52ac7157 100644
--- a/system_app.te
+++ b/system_app.te
@@ -6,6 +6,7 @@
 type system_app, domain;
 permissive_or_unconfined(system_app)
 app_domain(system_app)
+binder_service(system_app)
 
 # Perform binder IPC to any app domain.
 binder_call(system_app, appdomain)