diff --git a/app.te b/app.te
index 2589f660b904cfdac6fbeb4ce7c738480e2d1167..3081f53887f2dff6e05daf5a1a1be25850b44e04 100644
--- a/app.te
+++ b/app.te
@@ -191,13 +191,6 @@ neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
     { read write };
 neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };
 
-# Set SELinux enforcing mode, booleans or any other SELinux settings.
-neverallow { appdomain -unconfineddomain } kernel:security
-    { setenforce setbool setsecparam setcheckreqprot };
-
-# Load security policy.
-neverallow appdomain kernel:security load_policy;
-
 # Privileged netlink socket interfaces.
 neverallow { appdomain -unconfineddomain }
     self:{
diff --git a/domain.te b/domain.te
index e856288de46a9f17ce682d8cbb32b7e402aa58fc..c3292459125fda3a43c8a8be544ded6370e79e60 100644
--- a/domain.te
+++ b/domain.te
@@ -183,6 +183,14 @@ neverallow { domain -init } kernel:security load_policy;
 # switching domains, there is never any need to setenforce again by init.
 neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
 
+# No booleans in AOSP policy, so no need to ever set them.
+neverallow domain kernel:security setbool;
+
+# Adjusting the AVC cache threshold.
+# Not presently allowed to anything in policy, but possibly something
+# that could be set from init.rc.
+neverallow { domain -init } kernel:security setsecparam;
+
 # Only init, ueventd and system_server should be able to access HW RNG
 neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
 
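Review bot: The new rule `neverallow { domain -init } kernel:security setsecparam;` exempts init even though the comment directly above it says nothing in policy is granted the permission today, so the carve-out buys nothing now and quietly weakens the invariant for any future allow to init. Consider writing it as `neverallow domain kernel:security setsecparam;` and widening to `{ domain -init }` in the same change that adds the init allow, or, if the exemption is kept, extend the comment to say which init.rc mechanism it anticipates so a reader can tell it is deliberate. With this hunk, domain.te now expresses everything the deleted per-domain rules in app.te and netd.te did: setenforce and setcheckreqprot on the context line above, load_policy in the hunk header, setbool and setsecparam here, so those removals are safe. Note that the old app.te rule exempted unconfineddomain from setbool while the new domain-wide rule does not, which is why unconfined.te has to drop setbool from its allow in this same commit.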
diff --git a/netd.te b/netd.te
index 19fcad22eacad8adb844b79e6057caf16424df93..50208981f25dd1068dfb653cb3e85107e9cf7da2 100644
--- a/netd.te
+++ b/netd.te
@@ -68,12 +68,6 @@ allow netd ctl_default_prop:property_service set;
 # Block device access.
 neverallow netd dev_type:blk_file { read write };
 
-# Setting SELinux enforcing status or booleans.
-neverallow netd kernel:security { setenforce setbool };
-
-# Load security policy.
-neverallow netd kernel:security load_policy;
-
 # ptrace any other app
 neverallow netd { domain }:process ptrace;
 
diff --git a/unconfined.te b/unconfined.te
index 80d42b3e70caadf7217b61c5ac004bd369bc420e..c3355c7451aa328dbb44f76add03b6c6d30c7496 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -18,7 +18,7 @@
 
 allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
-allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
+allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
 allow unconfineddomain kernel:system *;
 allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
 allow unconfineddomain domain:fd *;
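Review bot: The changed line still grants unconfineddomain every kernel:security permission not named in the `~{ ... }` set, so the grant is defined by exclusion and grows automatically with any permission added to the class later; the domain.te neverallows are the only backstop, and this commit itself shows each new neverallow must be mirrored here for the policy to compile. A positive list of the permissions unconfineddomain actually needs would make the grant reviewable on its own, though that departs from the file's existing `~{ ... }` convention on the surrounding capability and process rules. Also, if init is a member of unconfineddomain (not visible in this hunk), removing setsecparam here means init cannot use the exemption domain.te gives it without a separate explicit allow, which deserves a comment such as `# setsecparam: exempted for init in domain.te but not granted; add an explicit allow if init.rc ever needs it.`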