diff --git a/app.te b/app.te
index b8b9066c17ef6b410731c65a6b97637b3988b597..4abf5944faaf70465cecaf02546d4bb115d47878 100644
--- a/app.te
+++ b/app.te
@@ -90,7 +90,7 @@ allow appdomain qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };
+allow appdomain gpu_device:chr_file { rw_file_perms execute };
 
 # Use the Binder.
 binder_use(appdomain)
diff --git a/isolated_app.te b/isolated_app.te
index a035901b74f613c658aba4da83a9ddb00829bc88..a156838bbdb0c91392c252016409e1732851faaf 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -13,9 +13,6 @@ type isolated_app, domain;
 app_domain(isolated_app)
 net_domain(isolated_app)
 
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app gpu_device:file { rw_file_perms execute };
-
 # read and write access to app_data_file is already
 # granted via app.te. Allow execute.
 # Needed to allow dlopen() from Chrome renderer processes.