diff --git a/app.te b/app.te
index 296a536470c6b49acdad9778fab68c9ea15b71c2..6116757825b449394d94dd728a4fbb959cf9d34c 100644
--- a/app.te
+++ b/app.te
@@ -317,9 +317,9 @@ neverallow { appdomain -unconfineddomain }
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain -system_app -unconfineddomain }
+neverallow { appdomain -system_app }
     kernel:system { syslog_mod syslog_console };
-neverallow { appdomain -system_app -unconfineddomain -shelldomain }
+neverallow { appdomain -system_app -shelldomain }
     kernel:system syslog_read;
 
 # Ability to perform any filesystem operation other than statfs(2).
diff --git a/init.te b/init.te
index e94ca47842233da54cae91aa7deb461fd3c7803b..028c46109d12338282f2fa7e0fc4b08a013c47bc 100644
--- a/init.te
+++ b/init.te
@@ -12,6 +12,7 @@ allow init dev_type:blk_file rw_file_perms;
 allow init fs_type:filesystem *;
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow init kernel:security load_policy;
+allow init kernel:system syslog_mod;
 allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
 
diff --git a/unconfined.te b/unconfined.te
index 326904a039fb1c914f498daf40d8b22ee3b0079e..d4009f0acc5b521bc06b240f8f65b519b8badd39 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -19,7 +19,7 @@
 allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
-allow unconfineddomain kernel:system *;
+allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
 allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition setexec setfscreate setcurrent setkeycreate setsockcreate };
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;