diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index d95e5bfab9369c4152f4e5c13ca5650c866c2562..687ce7d23c0821119b040f16a6b2f1b20266ab6c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -91,6 +91,9 @@ neverallow { all_untrusted_apps -mediaprovider } {
   ')
 }:dir_file_class_set { create unlink };
 
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
 # Do not allow untrusted apps to directly open tun_device
 neverallow all_untrusted_apps tun_device:chr_file open;
 
diff --git a/private/platform_app.te b/private/platform_app.te
index 984bb7b4fc54e159cad5d6a3c6f60532a54b50ae..fd4634a30aa132da435fd15f876231fbe78330c3 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -61,3 +61,10 @@ allow platform_app preloads_media_file:file r_file_perms;
 allow platform_app preloads_media_file:dir r_dir_perms;
 
 read_runtime_log_tags(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
diff --git a/private/system_app.te b/private/system_app.te
index 02e6101e4f26d6c5dde7b33ebf1f70415c46ea9f..7950044baaea6eb5eb00ed30f98ead14fd69b27c 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -83,3 +83,10 @@ r_dir_file(system_app, sysfs_type)
 
 control_logd(system_app)
 read_runtime_log_tags(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
diff --git a/public/domain.te b/public/domain.te
index 9f28928a51f903672410694b9be8e66f7edd7a88..168e0bbdb76f263769b8eebc8ec61c45f2e75852 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -988,26 +988,6 @@ neverallow * domain:file { execute execute_no_trans entrypoint };
 # TODO: fix system_server and dumpstate
 neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
 
-neverallow {
-  domain
-  -init
-  -recovery
-  -sdcardd
-  -vold
-} fuse_device:chr_file open;
-neverallow {
-  domain
-  -dumpstate
-  -init
-  -priv_app
-  -recovery
-  -sdcardd
-  -shell # Restricted by shell.te to only getattr
-  -system_server
-  -ueventd
-  -vold
-} fuse_device:chr_file *;
-
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
 neverallow {