diff --git a/public/domain.te b/public/domain.te
index 232ecc9e90adf85d5cfdade7272a15682f6e66ea..b2961ca0b967daa225ee43d117d130eb1beb9a0e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -914,6 +914,7 @@ full_treble_only(`
 neverallow {
 coredomain
 -init
+ -shell
 -system_executes_vendor_violators
 } {
 vendor_file_type
@@ -924,6 +925,7 @@ full_treble_only(`
 neverallow {
 coredomain
+ -shell
 -system_executes_vendor_violators
 } vendor_file_type:file execute_no_trans;
 ')
diff --git a/public/shell.te b/public/shell.te
index 32ad7701df46c3c90ef9bee19ed86c26f0c35f2e..5e2745be4fecc556cead8337fad006378e17ef75 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -190,8 +190,6 @@ allow shell service_contexts_file:file r_file_perms;
 allow shell sepolicy_file:file r_file_perms;
 # Allow shell to start up vendor shell
-# TODO(b/62041836): system processes should not run vendor executables.
-typeattribute shell system_executes_vendor_violators;
 allow shell vendor_shell_exec:file rx_file_perms;
 ###
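Review bot: The new `-shell` carve-outs in both domain.te neverallow rules are left without any comment, while the only written rationale for shell executing vendor code — the TODO(b/62041836) line — is deleted from shell.te, so the next reader sees an unexplained coredomain exemption from the Treble vendor-execute restriction. The exemption also appears wider than the allow rule that motivates it: the hunk in domain.te exempts shell from the whole `vendor_file_type` set, whereas shell.te only grants `vendor_shell_exec:file rx_file_perms`, so it is worth either stating that this breadth is intended or noting that the remaining allow rule is the sole consumer. I would add a comment above each `-shell` line such as `# shell is exempt so it can exec vendor_shell (b/62041836); see shell.te`, and keep a one-line reference to b/62041836 next to the surviving allow rule in shell.te so the tracking bug is not lost. The same point applies to the second domain.te hunk (the `execute_no_trans` rule). The first neverallow statement in domain.te continues past the end of its hunk, so its full target set and permissions are not visible here.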