diff --git a/public/domain.te b/public/domain.te
index 5df7a4351869eb1aa90c40a487724201b4049167..86890172840b82e2fab2efbdcfd2cca61c9d73e6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -271,9 +271,7 @@ neverallow * *:{ blk_file chr_file } rename;
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
-# init is exempt from this as there are character devices that only it uses.
-# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd } device:chr_file { open read write };
+neverallow domain device:chr_file { open read write };
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
diff --git a/public/init.te b/public/init.te
index debdc398a1b669e3acc25e032f9e0440eb5e1714..1bc2dc6a3693c48f4fe8eedfef324db11bf02a76 100644
--- a/public/init.te
+++ b/public/init.te
@@ -195,8 +195,13 @@ userdebug_or_eng(`
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
 
+# init should not be able to read or open generic devices
+# TODO: auditing to see if this can be deleted entirely
+allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+auditallow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+
 # chown/chmod on devices.
-allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr };
+allow init { dev_type -kmem_device -port_device }:chr_file setattr;
 
 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };
@@ -318,11 +323,6 @@ allow init hw_random_device:chr_file r_file_perms;
 # only ever accessed by init.
 allow init device:file create_file_perms;
 
-# Access character devices without a specific type,
-# TODO: Remove this access and auditallow (b/33347297)
-allow init device:chr_file { rw_file_perms setattr };
-auditallow init device:chr_file { rw_file_perms setattr };
-
 # keychord configuration
 allow init self:capability sys_tty_config;
 allow init keychord_device:chr_file rw_file_perms;
diff --git a/public/ueventd.te b/public/ueventd.te
index 11235ed35ad34591154f7b0b2725cd0a1dbbce53..b0706c89508b09d1639adefda2f6e5a5995a0266 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -7,8 +7,6 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
 
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
-allow ueventd device:chr_file rw_file_perms;
-auditallow ueventd device:chr_file rw_file_perms;
 
 r_dir_file(ueventd, sysfs_type)
 r_dir_file(ueventd, rootfs)