diff --git a/app.te b/app.te
index df0f5df35d72a42e7f5dfbd1162621d954024947..85de816f6b85242e6e475eb39905f3143d51ad69 100644
--- a/app.te
+++ b/app.te
@@ -22,9 +22,6 @@ allow platform_app cache_file:file create_file_perms;
 allow platform_app shell_data_file:dir search;
 allow platform_app shell_data_file:file { open getattr read };
 allow platform_app shell_data_file:lnk_file read;
-# Access the sdcard.
-allow platform_app sdcard:dir create_dir_perms;
-allow platform_app sdcard:file create_file_perms;
 # Populate /data/app/vmdl*.tmp file created by system server.
 allow platform_app apk_tmp_file:file rw_file_perms;
 
@@ -41,9 +38,6 @@ allow media_app mtp_device:chr_file rw_file_perms;
 # Write to /cache.
 allow media_app cache_file:dir rw_dir_perms;
 allow media_app cache_file:file create_file_perms;
-# Access sdcard.
-allow media_app sdcard:dir create_dir_perms;
-allow media_app sdcard:file create_file_perms;
 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
 allow media_app qtaguid_proc:file rw_file_perms;
 allow media_app qtaguid_device:chr_file r_file_perms;
@@ -86,6 +80,9 @@ net_domain(browser_app)
 # App sandbox file accesses.
 allow platformappdomain platform_app_data_file:dir create_dir_perms;
 allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+# App sdcard file accesses
+allow platformappdomain sdcard:dir create_dir_perms;
+allow platformappdomain sdcard:file create_file_perms;
 
 #
 # Untrusted apps.