diff --git a/Android.mk b/Android.mk
index a3cd385416e2f6e5738b908cd12231cc9f94c4d3..fa6cd783615295728902f92250a1dc7d8e051ae3 100644
--- a/Android.mk
+++ b/Android.mk
@@ -10,14 +10,6 @@ POLICYVERS ?= 26
 MLS_SENS=1
 MLS_CATS=1024
 
-ifeq ($(TARGET_BUILD_VARIANT),user)
-	BOARD_SEPOLICY_IGNORE+=external/sepolicy/shell.te
-	BOARD_SEPOLICY_IGNORE+=external/sepolicy/su.te
-else
-	BOARD_SEPOLICY_IGNORE+=external/sepolicy/shell_user.te
-	BOARD_SEPOLICY_IGNORE+=external/sepolicy/su_user.te
-endif
-
 # Quick edge case error detection for BOARD_SEPOLICY_REPLACE.
 # Builds the singular path for each replace file.
 sepolicy_replace_paths :=
@@ -77,7 +69,7 @@ $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
 $(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
 	@mkdir -p $(dir $@)
-	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -s $^ > $@
+	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -D target_build_variant=$(TARGET_BUILD_VARIANT) -s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
 $(LOCAL_BUILT_MODULE) : $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
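Review bot: The new `-D target_build_variant=$(TARGET_BUILD_VARIANT)` on the m4 line reads the global variable straight from the recipe, while the two neighbouring defines go through the target-specific `PRIVATE_MLS_SENS` and `PRIVATE_MLS_CATS`. For consistency, capture it the same way with `$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)` and pass `-D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT)`. This value now decides whether the `permissive` and unconfined rules guarded in shell.te and su.te reach policy.conf, and none of the prerequisites visible on this rule change when the variant does. It is worth confirming that switching variants in a reused output tree regenerates policy.conf, so a user image cannot pick up a file generated for userdebug or eng.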
diff --git a/shell.te b/shell.te
index 18c1dfc223190348963d5099cb9a5333b897660d..6b9f99602cf8d6d2c828dfe2aecaaafaf4ece75a 100644
--- a/shell.te
+++ b/shell.te
@@ -9,7 +9,9 @@ net_domain(shell)
 # XXX Transition into its own domain?
 app_domain(shell)
 
-# userdebug/eng shell is also permissive to permit setenforce.
-permissive shell;
+userdebug_or_eng(`
+  # userdebug/eng shell is also permissive to permit setenforce.
+  permissive shell;
+')
 
 # inherits from shelldomain.te
diff --git a/shell_user.te b/shell_user.te
deleted file mode 100644
index ad30802c7f199866b27be85e75c609ca834801d7..0000000000000000000000000000000000000000
--- a/shell_user.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# Domain for shell processes spawned by ADB
-type shell, domain, shelldomain, mlstrustedsubject;
-type shell_exec, exec_type, file_type;
-
-# Create and use network sockets.
-net_domain(shell)
-
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
-# inherits from shelldomain.te
diff --git a/su.te b/su.te
index 2a3d0075d6e372ca9ea4d3a1083fc65649db1977..b4b9f6dadc5d6b2938a02e1298f4b8ed82f0ab42 100644
--- a/su.te
+++ b/su.te
@@ -1,13 +1,17 @@
-type su, domain;
+# File types must be defined for file_contexts.
 type su_exec, exec_type, file_type;
-domain_auto_trans(shell, su_exec, su)
 
-# Allow dumpstate to call su on userdebug / eng builds to collect
-# additional information.
-domain_auto_trans(dumpstate, su_exec, su)
+userdebug_or_eng(`
+  type su, domain;
+  domain_auto_trans(shell, su_exec, su)
 
-# su is unconfined.
-unconfined_domain(su)
+  # Allow dumpstate to call su on userdebug / eng builds to collect
+  # additional information.
+  domain_auto_trans(dumpstate, su_exec, su)
 
-# su is also permissive to permit setenforce.
-permissive su;
+  # su is unconfined.
+  unconfined_domain(su)
+
+  # su is also permissive to permit setenforce.
+  permissive su;
+')
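Review bot: On user builds this file now leaves `su_exec` labelled while the `su` type is never declared, and the only comment outside the guard does not say so. Any policy source outside this hunk that names `su` (device-specific additions, for instance; none are visible here) would also have to sit inside `userdebug_or_eng`, or the user policy would fail to compile. A line above the guard such as `# The su domain exists only on userdebug/eng builds; wrap any reference to it in userdebug_or_eng.` would make that explicit.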
diff --git a/su_user.te b/su_user.te
deleted file mode 100644
index 6f936a0810bcd73ab39784e4cdc326e84c633798..0000000000000000000000000000000000000000
--- a/su_user.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# File types must be defined for file_contexts.
-type su_exec, exec_type, file_type;
-
-# No allow rules
diff --git a/te_macros b/te_macros
index a05b7aca24893f3da1359df7541a2b0e1e3999de..9396e4f7465d4913c595d57e5b5b85eefd1f16e0 100644
--- a/te_macros
+++ b/te_macros
@@ -321,3 +321,9 @@ allow $1 $1_devpts:chr_file { open getattr read write ioctl };
 # Non system_app application set
 #
 define(`non_system_app_set', `{ appdomain -system_app }')
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
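Review bot: The body passed to `define` for `userdebug_or_eng` is unquoted, so the `ifelse` is evaluated once, when te_macros is read, rather than at each call. The header comment should say that the guard depends on `target_build_variant` already being defined on the m4 command line. From the definition, an undefined or unexpected value makes every guarded block expand to nothing, which is the safe direction but happens silently. The comment could also record the calling convention, for example `# Pass the rules as one quoted argument; an apostrophe or backquote inside the block (comments included) unbalances the quoting.`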