diff --git a/private/file_contexts b/private/file_contexts
index 597c9148a293123d1dd203212a8a99431fefcecb..4719f105451540b45354ad98456f3d595b50b471 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -85,6 +85,7 @@
 /dev/mtp_usb		u:object_r:mtp_device:s0
 /dev/pmsg0		u:object_r:pmsg_device:s0
 /dev/pn544		u:object_r:nfc_device:s0
+/dev/port		u:object_r:port_device:s0
 /dev/ppp		u:object_r:ppp_device:s0
 /dev/ptmx		u:object_r:ptmx_device:s0
 /dev/pvrsrvkm		u:object_r:gpu_device:s0
diff --git a/public/device.te b/public/device.te
index f01dc6619bb03c2318b5baffbf0e10cad901d43e..93f3e8896b84c823ce16573c67da9926d7f6286b 100644
--- a/public/device.te
+++ b/public/device.te
@@ -27,6 +27,7 @@ type graphics_device, dev_type;
 type hw_random_device, dev_type;
 type input_device, dev_type;
 type kmem_device, dev_type;
+type port_device, dev_type;
 type log_device, dev_type, mlstrustedobject;
 type mtd_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;
diff --git a/public/domain.te b/public/domain.te
index c78af07560e63e224171011a832c20a4355b5644..30dbd7e7301ed4d7cadb3e2e317cdb89525a0c5e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -268,13 +268,18 @@ neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
 neverallow {
   domain
-  -init
-  -kernel
   -shell # For CTS and is restricted to getattr in shell.te
   -ueventd # Further restricted in ueventd.te
 } kmem_device:chr_file *;
 neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
 
+#Ensure that nothing in userspace can access /dev/port
+neverallow {
+  domain
+  -shell # Shell user should not have any abilities outside of getattr
+  -ueventd
+} port_device:chr_file *;
+neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
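Review bot: The new port_device pair at the `#Ensure that nothing in userspace can access /dev/port` block duplicates the kmem_device rules directly above with an identical exclusion set (`domain -shell -ueventd`, now that `-init` and `-kernel` are dropped from the kmem rule), so both could be folded into one type set the way the ueventd.te hunk does: `neverallow { domain -shell -ueventd } { kmem_device port_device }:chr_file *;` and `neverallow * { kmem_device port_device }:chr_file ~{ create relabelto unlink setattr getattr };`. If they stay separate, the header is missing a space (`# Ensure ...`) and the new block runs straight into the `# Only init should be able to configure` comment without the blank line that separates the kmem block from it. The exclusion comments should also say where the restriction actually lives, as the kmem block does — `-shell # Restricted to getattr in shell.te` and `-ueventd # Further restricted in ueventd.te` — since a neverallow exclusion on its own neither grants nor checks anything for those domains. Removing `-init` and `-kernel` from the kmem rule is a tightening that presumably relies on neither domain holding a kmem_device allow elsewhere; init.te is updated in this commit, but any kernel-domain allow is not visible here and would surface as a policy build failure rather than a silent gap.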
diff --git a/public/init.te b/public/init.te
index 235f70c356b2332cf7ad3667a856ae778da41f3d..2e2e16cfcd9d11081604c66a8b55d6268ec83476 100644
--- a/public/init.te
+++ b/public/init.te
@@ -184,7 +184,7 @@ allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 
 # chown/chmod on devices.
-allow init { dev_type -kmem_device }:chr_file { read open setattr };
+allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr };
 
 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };
diff --git a/public/shell.te b/public/shell.te
index b00c9efd4f18ac8292a1a5fe16b1c2984fc5aedb..591dabc9863a9723e3eb54ba2b4da79216a85bf6 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -178,6 +178,7 @@ neverallow shell {
   fuse_device
   hw_random_device
   kmem_device
+  port_device
 }:chr_file ~getattr;
 
 # Limit shell to only getattr on blk devices for host side tests.
diff --git a/public/ueventd.te b/public/ueventd.te
index 46787c4de5546eea04c30c0eb057e2591657f42f..3f1dcd4733afcbe0c70d9c77ba0b3dd12c436a69 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -46,5 +46,5 @@ neverallow ueventd property_type:property_service set;
 # Restrict ueventd access on block devices to maintenence operations.
 neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
 
-# Only relabelto as we would never want to relabelfrom kmem_device
-neverallow ueventd kmem_device:chr_file ~{ getattr create setattr unlink relabelto };
+# Only relabelto as we would never want to relabelfrom kmem_device or port_device
+neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };