diff --git a/private/bluetooth.te b/private/bluetooth.te
index e8c0e76a2f87871fda87e459fb8b19f0419c291e..40ce8c1663f65211533d9705179684fc1b201333 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -3,7 +3,4 @@
 # Socket creation under /data/misc/bluedroid.
 type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
 
-# app_domain macro fallout
-tmpfs_domain(bluetooth)
-# Map with PROT_EXEC.
-allow bluetooth bluetooth_tmpfs:file execute;
+app_domain(bluetooth)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 0a9901aa33125eba55096646376db5e86c967920..a2777526ac034c3f05dce5d1949ad29aa446feb8 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -1,7 +1,4 @@
-# app_domain fallout
-tmpfs_domain(isolated_app)
-# Map with PROT_EXEC.
-allow isolated_app isolated_app_tmpfs:file execute;
+app_domain(isolated_app)
 
 # Read system properties managed by webview_zygote.
 allow isolated_app webview_zygote_tmpfs:file read;
diff --git a/private/nfc.te b/private/nfc.te
index 33b5477026741cdef2971aae14bcaff1118151ad..52b0d20383b3a43ce781537a7f7e01b9acc7461a 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -1,4 +1 @@
-# app_domain_fallout
-tmpfs_domain(nfc)
-# Map with PROT_EXEC.
-allow nfc nfc_tmpfs:file execute;
+app_domain(nfc)
\ No newline at end of file
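Review bot: The rewritten private/nfc.te ends without a trailing newline after `app_domain(nfc)`, as the `\ No newline at end of file` marker shows. These per-domain .te files are presumably concatenated into a single policy source before m4/checkpolicy see them, so a missing final newline risks fusing this statement with the first line of whichever file follows. Add the newline so the file ends the same way the other private/*.te files in this change do (bluetooth, isolated_app, priv_app, system_app).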
diff --git a/private/platform_app.te b/private/platform_app.te
index e478039fcd235bc90748c7b70c69584aae9c30dd..93cdc75a6cc4803090ef2cfd3d1508e2392857ae 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -1,4 +1 @@
-# app_domain fallout
-tmpfs_domain(platform_app)
-# Map with PROT_EXEC.
-allow platform_app platform_app_tmpfs:file execute;
+app_domain(platform_app)
\ No newline at end of file
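Review bot: private/platform_app.te now ends on `app_domain(platform_app)` with no trailing newline. Since the domain files are concatenated into the policy source (presumably before m4 expansion), the last statement can end up glued to the next file's first line; a final newline is cheap insurance and matches the rest of the private/ tree.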
diff --git a/private/priv_app.te b/private/priv_app.te
index 9a535d905e678d944e3d65af1452389e8141b75e..4e7e33075ad950e1ae97aff8c7c439da0707de78 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -1,7 +1,4 @@
-# app_domain fallout
-tmpfs_domain(priv_app)
-# Map with PROT_EXEC.
-allow priv_app priv_app_tmpfs:file execute;
+app_domain(priv_app)
 
 # Allow the allocation and use of ptys
 # Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
diff --git a/private/radio.te b/private/radio.te
index 7218b2311ed94d9126ad6bd442f98e28f3fd5342..dede5d755160243194ff86fc1f0e67a2f5464150 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,4 +1 @@
-# app_domain fallout
-tmpfs_domain(radio)
-# Map with PROT_EXEC.
-allow radio radio_tmpfs:file execute;
+app_domain(radio)
\ No newline at end of file
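Review bot: private/radio.te is left without a terminating newline after `app_domain(radio)`. As with the other one-line files in this change, add the final newline so concatenation into the policy source cannot join this statement with the following file's first line.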
diff --git a/private/shared_relro.te b/private/shared_relro.te
index c3c43ab7ba7a3e6ac110730da691344888605443..b1ba0ff4a323127bbab48dfb8475792886f845e5 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -1,4 +1,3 @@
-# app_domain fallout
-tmpfs_domain(shared_relro)
-# Map with PROT_EXEC.
-allow shared_relro shared_relro_tmpfs:file execute;
+# The shared relro process is a Java program forked from the zygote, so it
+# inherits from app to get basic permissions it needs to run.
+app_domain(shared_relro)
diff --git a/private/shell.te b/private/shell.te
index 802ffc0ab127bf3ba0aa63e926a42fd7243b70db..333265f8b3668bdd8beb03355353b01b20af1d64 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -4,7 +4,6 @@ allow shell debugfs_tracing:file rw_file_perms;
 allow shell debugfs_trace_marker:file getattr;
 allow shell atrace_exec:file rx_file_perms;
 
-# app_domain fallout
-tmpfs_domain(shell)
-# Map with PROT_EXEC.
-allow shell shell_tmpfs:file execute;
+# Run app_process.
+# XXX Transition into its own domain?
+app_domain(shell)
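Review bot: The `# XXX Transition into its own domain?` question is moved verbatim from public/shell.te rather than resolved, and `# Run app_process.` no longer describes what follows, because `app_domain(shell)` now also labels shell's tmpfs with `shell_tmpfs` and grants execute on it. Either drop the XXX line or attach a tracking bug reference, and reword the header to `# Run app_process; app_domain also gives shell its own tmpfs type with execute.` so the extra grants are visible at the call site. The rest of the shell rules are outside this hunk.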
diff --git a/private/su.te b/private/su.te
index 3dda00f9b6eb7a9583ac3262009febb9b39e333c..b594ebed45dc24ed8fe62fcd29aacc8fd80672cb 100644
--- a/private/su.te
+++ b/private/su.te
@@ -11,8 +11,5 @@ userdebug_or_eng(`
 # su is also permissive to permit setenforce.
   permissive su;
 
-  # app_domain fallout
-  tmpfs_domain(su)
-  # Map with PROT_EXEC.
-  allow su su_tmpfs:file execute;
+  app_domain(su)
 ')
diff --git a/private/system_app.te b/private/system_app.te
index 4319c979c26bf17432cf7f352f6e4f19a90d4023..f6b03053fca91363cdd8e493b04f9852e3d18d96 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -1,4 +1 @@
-# app_domain fallout
-tmpfs_domain(system_app)
-# Map with PROT_EXEC.
-allow system_app system_app_tmpfs:file execute;
+app_domain(system_app)
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index c9ed000f238b8c8cb5377f1e2f2fe4b4a8c78d2a..b142ebfa0b56f4a3151e4a1b85b7c4e19d868e17 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -1,7 +1,4 @@
-# app_domain fallout
-tmpfs_domain(untrusted_app)
-# Map with PROT_EXEC.
-allow untrusted_app untrusted_app_tmpfs:file execute;
+app_domain(untrusted_app)
 
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
diff --git a/public/bluetooth.te b/public/bluetooth.te
index 738d9c2069f857fd41b9da8ff5eeb22c3c757398..75a11f43ea02a271fe10f5e195b8094370412f4a 100644
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
@@ -1,6 +1,6 @@
 # bluetooth subsystem
 type bluetooth, domain, domain_deprecated;
-app_domain(bluetooth)
+
 net_domain(bluetooth)
 # Allow access to net_admin ioctls
 allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
diff --git a/public/isolated_app.te b/public/isolated_app.te
index 0fe2e6189e383f409bff8d947ff94eaee5078776..f2216ee9d866457b3f49fb39e3db93f3f0c72c1c 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -10,7 +10,6 @@
 ###
 
 type isolated_app, domain;
-app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
 allow isolated_app app_data_file:file { append read write getattr lock };
diff --git a/public/nfc.te b/public/nfc.te
index 3d40867db1b7cecd89111152b9a053927d8232a8..f887c2894866e45fb50f5cd099aa7c241143de13 100644
--- a/public/nfc.te
+++ b/public/nfc.te
@@ -1,6 +1,6 @@
 # nfc subsystem
 type nfc, domain, domain_deprecated;
-app_domain(nfc)
+
 net_domain(nfc)
 binder_service(nfc)
 
diff --git a/public/platform_app.te b/public/platform_app.te
index 8a988e5625069768ae48568c7c655892fa6bbdb7..64843195b347b7ac5c52a3620d5ba537d4ff8c6c 100644
--- a/public/platform_app.te
+++ b/public/platform_app.te
@@ -3,7 +3,7 @@
 ###
 
 type platform_app, domain, domain_deprecated;
-app_domain(platform_app)
+
 # Access the network.
 net_domain(platform_app)
 # Access bluetooth.
diff --git a/public/priv_app.te b/public/priv_app.te
index 9ee347fbbc50b43f07d7d4a63030414ae72a1f04..94d67172506ecc2ed0669c71dfd90717bafb7808 100644
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -2,7 +2,7 @@
 ### A domain for further sandboxing privileged apps.
 ###
 type priv_app, domain, domain_deprecated;
-app_domain(priv_app)
+
 # Access the network.
 net_domain(priv_app)
 # Access bluetooth.
diff --git a/public/radio.te b/public/radio.te
index b2a878e1928ba56c24f2dfc171fc14e9ebadc83e..07444afcd38c96c9e5ad6f0e30adec09f87c08a5 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -1,6 +1,6 @@
 # phone subsystem
 type radio, domain, domain_deprecated, mlstrustedsubject;
-app_domain(radio)
+
 net_domain(radio)
 bluetooth_domain(radio)
 binder_service(radio)
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 30af14a08b564aed22184f097330128f6fda240b..9794b0b8a690f305c95ec757176c96d79c376345 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,10 +1,6 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
 type shared_relro, domain, domain_deprecated;
 
-# The shared relro process is a Java program forked from the zygote, so it
-# inherits from app to get basic permissions it needs to run.
-app_domain(shared_relro)
-
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;
 allow shared_relro shared_relro_file:file create_file_perms;
diff --git a/public/shell.te b/public/shell.te
index a39b39ffd25f4911fc97f242a13c15bf13f7e20d..38a890c62c29d5f7e8c78bb3f683a9263758131c 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -5,10 +5,6 @@ type shell_exec, exec_type, file_type;
 # Create and use network sockets.
 net_domain(shell)
 
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
 # logcat
 read_logd(shell)
 control_logd(shell)
diff --git a/public/su.te b/public/su.te
index 0f8132579037293a1ea6d1b5aac82fb373764e0a..38d7f5cad4d7747a081ba2525ab7a3d336a64d80 100644
--- a/public/su.te
+++ b/public/su.te
@@ -9,7 +9,6 @@ userdebug_or_eng(`
 
   # Add su to various domains
   net_domain(su)
-  app_domain(su)
 
   dontaudit su self:capability_class_set *;
   dontaudit su kernel:security *;
diff --git a/public/system_app.te b/public/system_app.te
index 6be67313d3393d020c4fec70d1b200f1ea3c8841..9eddf65880b5ea54df0c6aa6dbe82c8e9cfa173f 100644
--- a/public/system_app.te
+++ b/public/system_app.te
@@ -4,7 +4,7 @@
 # server.
 #
 type system_app, domain, domain_deprecated;
-app_domain(system_app)
+
 net_domain(system_app)
 binder_service(system_app)
 
diff --git a/public/te_macros b/public/te_macros
index 0a20d925074d676dae8a0623186b285138d28f12..6a1a5ffe38e7c2d6b1a679ebfec1eb6b4055c764 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -95,6 +95,10 @@ tmpfs_domain($1)
 # Allow a base set of permissions required for all apps.
 define(`app_domain', `
 typeattribute $1 appdomain;
+# Label ashmem objects with our own unique type.
+tmpfs_domain($1)
+# Map with PROT_EXEC.
+allow $1 $1_tmpfs:file execute;
 ')
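Review bot: `allow $1 $1_tmpfs:file execute;` now rides along with every `app_domain()` call, so any domain that later opts into the macro silently receives execute on its own ashmem/tmpfs type (writable-and-executable memory) without the grant ever appearing in that domain's own .te file. Every caller touched by this commit already carried the identical rule, so the effective policy is unchanged here, but the macro should document what it hands out: replace `# Map with PROT_EXEC.` with `# Allow mmap(PROT_EXEC) of the domain's own ashmem/tmpfs regions (W+X memory); every app_domain caller inherits this — presumably for the runtime's executable mappings, so do not extend it without review.` The macro header `Allow a base set of permissions required for all apps.` should also mention the tmpfs labelling so the grant is discoverable from the definition rather than only from a caller's history.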
 
 #####################################
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index ac86330f813c95003144c082c809ba5a47860202..48662f3d9bc29850ae40a4d4824e393da8db545f 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -21,7 +21,7 @@
 ###
 
 type untrusted_app, domain;
-app_domain(untrusted_app)
+
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)