diff --git a/app.te b/app.te
index f7f1a21707b24226700f0525c3a9b50e7d2c7f95..60fb0a22d8b5a453c82f22c32a220ed249d9d2d9 100644
--- a/app.te
+++ b/app.te
@@ -231,6 +231,12 @@ auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
 
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
 ###
 ### Neverallow rules
 ###
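Review bot: The three added rules give every domain in `appdomain` the right to `connectto` adbd's unix stream socket, but the comment names only adb backup/restore as the consumer. The `-isolated_app` exclusion on the tun_device rule just above shows that the attribute includes isolated_app. The set is also wider than the shell.te rules removed in this commit, which had no `connectto`, `getopt` or `shutdown`. If isolated processes never take part in backup/restore, which should be confirmed against the backup path, the rules can be scoped the same way as the tun_device rule, e.g. `allow { appdomain -isolated_app } adbd:unix_stream_socket connectto;`, with the same set on the `fd use` and read/write lines. The comment should also say which side initiates the connection, so a later reader can tell whether `connectto` is needed or whether a socket passed from adbd is enough.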
diff --git a/shell.te b/shell.te
index 55757b0437ae67ea9a9cf3e2cd663a8f81781d4f..887887316a2da2d47a35882399ad7f4707b1b541 100644
--- a/shell.te
+++ b/shell.te
@@ -21,10 +21,6 @@ userdebug_or_eng(`
   allow shell misc_logd_file:file r_file_perms;
 ')
 
-# interact with adb
-allow shell adbd:fd use;
-allow shell adbd:unix_stream_socket { read write ioctl getattr };
-
 # Root fs.
 allow shell rootfs:dir r_dir_perms;