diff --git a/domain.te b/domain.te
index 82b5f0d6a0a148002cef2bef3182e85f1934b3f7..f7eb3bce90d7a0057f1eece8122df894b99b19d6 100644
--- a/domain.te
+++ b/domain.te
@@ -212,15 +212,27 @@ neverallow * kernel:security setbool;
 # that could be set from init.rc.
 neverallow { domain -init } kernel:security setsecparam;
 
-# Only init, ueventd and system_server should be able to access HW RNG
-neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
+# Only init, ueventd, shell and system_server should be able to access HW RNG
+neverallow {
+  domain
+  -init
+  -shell # For CTS and is restricted to getattr in shell.te
+  -system_server
+  -ueventd
+} hw_random_device:chr_file *;
 
 # Ensure that all entrypoint executables are in exec_type or postinstall_file.
 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
 
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr };
+neverallow {
+  domain
+  -init
+  -kernel
+  -shell # For CTS and is restricted to getattr in shell.te
+  -ueventd
+} kmem_device:chr_file *;
+neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
 
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
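Review bot: The `-shell` exemptions added at lines 15 and 30 (and the one at line 41 in the next hunk) are only as narrow as the separate neverallow in shell.te that caps shell to getattr, so the safety of these rules now depends on another file; the inline comments should name that dependency explicitly, e.g. `-shell # CTS host-side test only; shell.te neverallows everything but getattr on this type`, so the two files are kept in lockstep. The header `# Ensure that nothing in userspace can access /dev/mem or /dev/kmem` is no longer literally true once shell may stat the node; `# No userspace domain may open, read or write /dev/mem or /dev/kmem; shell may only getattr (CTS)` matches the rule beneath it. Adding `getattr` to the `neverallow *` exception set at line 33 relaxes that rule for every domain, not just shell, which is acceptable only because the rule directly above already confines kmem_device to init, kernel, shell and ueventd — worth stating in the comment. The neverallow that line 41 joins starts outside its hunk, so its target type is not visible here; the `Restricted by shell.te to only getattr` claim holds only if that type is one of fuse_device, hw_random_device or kmem_device, the three types shell.te's new neverallow actually lists.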
@@ -575,6 +587,7 @@ neverallow {
   -priv_app
   -recovery
   -sdcardd
+  -shell # Restricted by shell.te to only getattr
   -system_server
   -ueventd
   -vold
diff --git a/shell.te b/shell.te
index d8c6dd49b74a0cc5f5b0beb869b21d23ad4b0154..182e5bc9308e2e8bf6edd07c555810037799429e 100644
--- a/shell.te
+++ b/shell.te
@@ -131,6 +131,17 @@ allow shell ion_device:chr_file rw_file_perms;
 allow shell media_rw_data_file:dir create_dir_perms;
 allow shell media_rw_data_file:file create_file_perms;
 
+#
+# filesystem test for insecure chr_file's is done
+# via a host side test
+#
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
+
 ###
 ### Neverallow rules
 ###
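Review bot: The allow rules at lines 57-58 grant shell directory read on every dev_type directory and getattr on every dev_type character device, which is much wider than the three devices the neverallow later in this file caps, and the comment above them does not say why the whole attribute is needed; `# CTS host-side test enumerates /dev and stats char devices to detect insecure chr_file permissions; shell needs only dir read and getattr here, never open/read/write.` would record the intent. The `proc:lnk_file getattr` rule at line 61 is justified only by `/dev/fd is a symlink`; stating why that symlink carries the proc label (presumably because it resolves into /proc — confirm) would make the rule self-explanatory. The second blank line at line 63 should be dropped.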
@@ -145,3 +156,11 @@ neverallow shell file_type:file link;
 
 # Do not allow privileged socket ioctl commands
 neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
+# limit shell access to sensitive char drivers to
+# only getattr required for host side test.
+neverallow shell {
+  fuse_device
+  hw_random_device
+  kmem_device
+}:chr_file ~getattr;