diff --git a/app.te b/app.te
index 3400836f8fb047187b5d0f3da40839aa50626645..b31fce09fee72f89b1ddc9a80e54378e4119ab0c 100644
--- a/app.te
+++ b/app.te
@@ -281,8 +281,6 @@ neverallow appdomain socket_device:sock_file write;
 # Unix domain sockets.
 neverallow appdomain adbd_socket:sock_file write;
 neverallow appdomain installd_socket:sock_file write;
-neverallow { appdomain -bluetooth -radio -shell -system_app -nfc }
- property_socket:sock_file write;
 neverallow { appdomain -radio } rild_socket:sock_file write;
 neverallow appdomain vold_socket:sock_file write;
 neverallow appdomain zygote_socket:sock_file write;
@@ -388,10 +386,6 @@ neverallow { appdomain -system_app -shell }
 # i.e. no mount(2), unmount(2), etc.
 neverallow appdomain fs_type:filesystem ~getattr;
-# Ability to set system properties.
-neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
- property_type:property_service set;
-
 # prevent creation/manipulation of globally readable symlinks
 neverallow appdomain { apk_data_file
diff --git a/isolated_app.te b/isolated_app.te
index ff9b525d63bae60b55c598f50afdd71a5844f79f..4d37b51094d48982a3c4d98eaca694326d6ebd3c 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -29,6 +29,10 @@ allow isolated_app self:process ptrace;
 ##### Neverallow
 #####
+# Do not allow isolated_app to set system properties.
+neverallow isolated_app property_socket:sock_file write;
+neverallow isolated_app property_type:property_service set;
+
 # Isolated apps should not directly open app data files themselves.
 neverallow isolated_app app_data_file:file open;
diff --git a/untrusted_app.te b/untrusted_app.te
index 0aca8b0f8474c57194ea46d712666f69f1fc0d2a..b5a00d6e9422a8e7ccb8de3457837213fd2ea174 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
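Review bot: Removing the two subtractive appdomain rules in app.te and adding per-domain rules only here and in the untrusted_app hunk narrows the neverallow guarantee: any other appdomain member that was not in the old exemption list (system_app, radio, shell, bluetooth, nfc) is no longer asserted against, so a later `allow` granting it `property_socket:sock_file write` or `property_type:property_service set` would compile without tripping a neverallow. If the intent is still that only those five domains may set properties, keeping the subtractive form, e.g. `neverallow { appdomain -system_app -radio -shell -bluetooth -nfc } property_type:property_service set;`, preserves that; if the relaxation is deliberate, the commit message should name which app domains are expected to gain this. Presumably isolated_app was already covered by the old appdomain rule since it is not in the exemption list, in which case these lines do not add coverage on their own — worth stating in the comment, e.g. `# Replaces the former appdomain-wide neverallow in app.te; keep in sync with untrusted_app.te.`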
@@ -147,3 +147,7 @@ neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioct
 # Do not allow untrusted_app access to /cache
 neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
 neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };
+
+# Do not allow untrusted_app to set system properties.
+neverallow untrusted_app property_socket:sock_file write;
+neverallow untrusted_app property_type:property_service set;
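Review bot: The `property_type:property_service set` assertion only reaches property types declared with the `property_type` attribute; a property context type declared without that attribute would fall outside this neverallow, so it is worth confirming that every `*_prop` type in this tree carries it. The comment could also say why both lines are present, since a reader may take one as redundant: `# sock_file write covers connecting to the property socket; property_service set covers the per-property check done by the property service.` These lines duplicate the isolated_app hunk and the two files should be kept in step.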