diff --git a/device.te b/device.te
index f351c44962b314439991dc0db8f56b23a372675e..d55258ad8956e99e386f4e694f45530df69109d3 100644
--- a/device.te
+++ b/device.te
@@ -33,6 +33,7 @@ type random_device, dev_type;
 type sensors_device, dev_type;
 type serial_device, dev_type;
 type socket_device, dev_type;
+type owntty_device, dev_type, mlstrustedobject;
 type tty_device, dev_type;
 type urandom_device, dev_type;
 type video_device, dev_type;
diff --git a/domain.te b/domain.te
index 42645cfd348d4337afb65fd287812c26f6f83dd5..a4a06d554d5f4b37adc004440dacf8e221597df6 100644
--- a/domain.te
+++ b/domain.te
@@ -44,6 +44,7 @@ allow domain dev_type:lnk_file read;
 allow domain devpts:dir search;
 allow domain device:file read;
 allow domain socket_device:dir search;
+allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file r_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
diff --git a/file_contexts b/file_contexts
index 1e34bd94e5acfd57b4f54f6cee6a28316bb0a0a0..ccbb99ad0a6869b718bf95e372797edaa49529e3 100644
--- a/file_contexts
+++ b/file_contexts
@@ -101,6 +101,7 @@
 /dev/spdif_out.* u:object_r:audio_device:s0
 /dev/tegra.* u:object_r:video_device:s0
 /dev/tf_driver u:object_r:tee_device:s0
+/dev/tty u:object_r:owntty_device:s0
 /dev/tty[0-9]* u:object_r:tty_device:s0
 /dev/ttyS[0-9]* u:object_r:serial_device:s0
 /dev/tun u:object_r:tun_device:s0
diff --git a/runas.te b/runas.te
index 0a207e6e1619d15e6fb2d1ea2640c41bdd886230..60b086d49b747723ca35f784a062fae47f9b6c51 100644
--- a/runas.te
+++ b/runas.te
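Review bot: The new `owntty_device` declaration in device.te carries `mlstrustedobject`, but nothing records what the type labels or why it is exempt from the MLS constraints. A comment above it such as `# /dev/tty: the caller's own controlling terminal; reachable from every domain, hence mlstrustedobject.` would keep that reasoning with the type. The line also sits between `socket_device` and `tty_device`, which breaks the alphabetical order the neighbouring declarations appear to follow.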
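Review bot: `allow domain owntty_device:chr_file rw_file_perms;` in domain.te grants every domain, app domains included, read, write and (if `rw_file_perms` expands as in the stock macros) ioctl on /dev/tty. As far as I can tell, checks on a descriptor opened through /dev/tty are made against the label of the /dev/tty node rather than that of the underlying terminal. If so, the rule applies whatever type the controlling terminal has and sidesteps the per-type `devpts` rules in runas.te. Consider limiting the grant to the domains expected to run with a controlling terminal, or at least state the assumption next to the rule, e.g. `# /dev/tty only resolves to the caller's own controlling tty.`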
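Review bot: The new `/dev/tty` entry in file_contexts overlaps the line after it, because `/dev/tty[0-9]*` also matches the bare path `/dev/tty` (zero digits). The labelling lookup is expected to prefer the literal entry, but that precedence is implicit and easy to break in a later edit. Changing the neighbouring pattern to `/dev/tty[0-9]+` would make the two entries disjoint. Either way, it is worth confirming the resulting label on a device with `ls -Z /dev/tty` after a relabel.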
@@ -19,15 +19,15 @@ dontaudit shell self:capability { sys_ptrace kill };

 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
+allow runas adbd:process sigchld;
 allow runas shell:fd use;
-allow runas devpts:chr_file { read write };
+allow runas devpts:chr_file { read write ioctl };

 # run-as reads package information.
 allow runas system_data_file:file r_file_perms;

 # run-as checks and changes to the app data dir.
 dontaudit runas self:capability dac_override;
-allow runas self:capability dac_read_search;
 allow runas app_data_file:dir { getattr search };

 # run-as switches to the app UID/GID.
@@ -41,18 +41,15 @@ allow runas untrusted_app:process dyntransition; # setcon
 # run-as runs lib/gdbserver from the app data dir.
 allow untrusted_app system_data_file:file rx_file_perms;

-# run-as may also run sh or system commands.
-allow untrusted_app shell_exec:file rx_file_perms;
-allow untrusted_app system_file:file rx_file_perms;
-
 # gdbserver reads the zygote.
 allow untrusted_app zygote_exec:file r_file_perms;

 # (grand)child death notification.
 allow untrusted_app shell:process sigchld;
+allow untrusted_app adbd:process sigchld;

 # child shell or gdbserver pty access.
-allow untrusted_app devpts:chr_file { getattr read write };
+allow untrusted_app devpts:chr_file { getattr read write ioctl };

 # gdbserver creates a socket in the app data dir.
 allow untrusted_app app_data_file:sock_file { create unlink };
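Review bot: With `allow runas self:capability dac_read_search;` removed in the first runas.te hunk, that capability has neither an allow nor a dontaudit rule, while `dac_override` on the line above is still dontaudit'ed. If run-as still triggers the check when it walks into the app data directory, the denial is now enforced and logged; the hunk does not show whether that path was exercised. If the denial is intended and harmless, `dontaudit runas self:capability { dac_override dac_read_search };` keeps the audit log quiet and records the decision. The new `allow runas adbd:process sigchld;` would also read better with a short comment, since the heading above it only mentions the shell.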
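Review bot: The `ioctl` added to `allow untrusted_app devpts:chr_file { getattr read write ioctl };` in the second runas.te hunk is granted to every untrusted_app process, not only to one started through run-as. It covers every terminal ioctl, including those that change terminal state or queue input for the reader. Because `open` is still absent, the rule only reaches ptys an app inherits, which limits the exposure; a comment should say so and name what needs the ioctl (presumably isatty/termios queries from the child shell). The same applies to the `ioctl` added for `runas` in the previous hunk. If the policy version in this tree supports extended ioctl permissions (`allowxperm`), restricting the set to the termios calls actually needed would be tighter.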