diff --git a/domain.te b/domain.te
index 11dd58c56dfb79e71c5cb6eeb77e7995378f2295..2515be8ba880a9b6974e2aa53992397450eb0d62 100644
--- a/domain.te
+++ b/domain.te
@@ -198,15 +198,27 @@ neverallow * kernel:security setbool;
 # that could be set from init.rc.
 neverallow { domain -init } kernel:security setsecparam;
 
-# Only init, ueventd and system_server should be able to access HW RNG
-neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
+# Only init, ueventd, shell and system_server should be able to access HW RNG
+neverallow {
+  domain
+  -init
+  -shell # For CTS and is restricted to getattr in shell.te
+  -system_server
+  -ueventd
+} hw_random_device:chr_file *;
 
 # Ensure that all entrypoint executables are in exec_type or postinstall_file.
 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
 
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr };
+neverallow {
+  domain
+  -init
+  -kernel
+  -shell # For CTS and is restricted to getattr in shell.te
+  -ueventd
+} kmem_device:chr_file *;
+neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
 
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
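Review bot: The second kmem_device rule at the end of the hunk now tolerates getattr for every source type, not only for shell, because `getattr` was added to the `~{ ... }` set of the `neverallow *` rule; the domains that the first rule still exempts (init, kernel, ueventd) therefore also gain a permission they did not need for this change. The relaxation could be confined to shell by keeping the original catch-all and adding a shell-only variant, e.g. `neverallow { domain -shell } kmem_device:chr_file ~{ create relabelto unlink setattr };` followed by `neverallow shell kmem_device:chr_file ~{ create relabelto unlink setattr getattr };`. Using `domain` rather than `*` as the source set should be equivalent for process subjects but is worth confirming against the policy compiler, as I am not certain `{ * -shell }` is accepted. The inline comments on `-shell` could also name the rule they rely on, e.g. `# For CTS; shell.te neverallow limits shell to getattr`.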
@@ -558,6 +570,7 @@ neverallow {
   -priv_app
   -recovery
   -sdcardd
+  -shell # Restricted by shell.te to only getattr
   -system_server
   -ueventd
   -vold
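Review bot: The added `-shell` exemption relies on a restriction in shell.te whose neverallow only names fuse_device, hw_random_device and kmem_device, and the target type of this rule is not visible because the `neverallow {` header is outside the hunk; if the target is not one of those three, the comment's claim "Restricted by shell.te to only getattr" is not backed by this commit and shell would get whatever the new `dev_type:chr_file getattr` allow grants without a matching ceiling. Please confirm the target type and name it in the comment, e.g. `-shell # CTS needs getattr only; see the shell.te neverallow on <TARGET_TYPE>`. The same cross-file coupling applies to the shell.te neverallow at the end of this diff, whose type list has to be kept in step with every `-shell` exemption added here.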
diff --git a/shell.te b/shell.te
index e045a93435bdf3ee4646bf130a8fdbf31c2ae4dc..e1bd1ed44f47a573045866d69940a8367e4d089a 100644
--- a/shell.te
+++ b/shell.te
@@ -123,6 +123,16 @@ allow shell sysfs:dir r_dir_perms;
 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;
 
+#
+# filesystem test for insecure chr_file's is done
+# via a host side test
+#
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
 ###
 ### Neverallow rules
 ###
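Review bot: `allow shell dev_type:chr_file getattr;` is keyed on an attribute, so it covers every type that carries dev_type now or in the future, and any `neverallow { domain ... } <some_device>:chr_file *` in domain.te that does not list `-shell` will conflict with it and break the policy build rather than silently deny; the comment above the rule does not say that, nor which test needs it. A comment that states the contract would help the next person who adds a device type, e.g. `# CTS host-side test for insecure device nodes: shell lists /dev and stats every`, `# chr_file node (getattr only). Any neverallow on a dev_type type must exempt shell,`, `# see domain.te.`. The `dev_type:dir r_dir_perms` grant is broader than the stat itself needs, but listing /dev requires it; mentioning that in the same comment would keep a later reviewer from trimming it.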
@@ -134,3 +144,11 @@ allow shell ion_device:chr_file rw_file_perms;
 # bugs, so we want to ensure the shell user never has this
 # capability.
 neverallow shell file_type:file link;
+
+# limit shell access to sensitive char drivers to
+# only getattr required for host side test.
+neverallow shell {
+  fuse_device
+  hw_random_device
+  kmem_device
+}:chr_file ~getattr;