diff --git a/public/shell.te b/public/shell.te
index 496d4720f8f31f91e375dcc446003cb69500898a..719036cc94bd308a14749654c3e85fc2e0777d11 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -186,6 +186,8 @@ allow shell service_contexts_file:file r_file_perms;
 allow shell sepolicy_file:file r_file_perms;
 # Allow shell to start up vendor shell
+# TODO(b/62041836): system processes should not run vendor executables.
+typeattribute shell system_executes_vendor_violators;
 allow shell vendor_shell_exec:file rx_file_perms;
 ###
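Review bot: The added `typeattribute shell system_executes_vendor_violators;` exempts the whole shell domain, not only the single `vendor_shell_exec` rule that follows it. Assuming the attribute is subtracted from a neverallow on executing vendor files (that rule is not visible in this hunk), any later allow rule granting shell execute on another vendor type would also pass the build-time check unnoticed. The only need shown here is `vendor_shell_exec`, so I would record that next to the TODO, e.g. `# Exemption exists only for vendor_shell_exec below; do not add other vendor exec rules for shell.` The TODO would also be easier to act on if it named the condition under which the attribute can be dropped.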