diff --git a/app.te b/app.te
index bc42465862f8ee893c774bd162e9bc224b456835..94dcfc5bdd443dd337a25c75b804c9998f36c891 100644
--- a/app.te
+++ b/app.te
@@ -396,3 +396,6 @@ neverallow appdomain {
   security_file
   tmpfs
 }:lnk_file no_w_file_perms;
+
+# Do not allow Apps to directly open tun_device
+neverallow appdomain tun_device:chr_file open;
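Review bot: The comment above the new `neverallow appdomain tun_device:chr_file open;` states what is forbidden but not what the rule leaves alone. It names only `open`, so read, write and ioctl on a tun_device descriptor that an app receives already opened are outside this assertion. The word "directly" suggests that is intended, but saying so would stop a later change from widening the rule to `rw_file_perms` or adding an `open` exemption without realising what it changes. Suggested wording: `# Do not allow apps to open tun_device themselves. Only open is denied: an already-open fd handed over by another domain is not covered by this rule.` The removed TODO in bluetooth.te implies bluetooth is part of appdomain, so this assertion presumably only compiles together with the bluetooth.te hunk in the same commit.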
diff --git a/bluetooth.te b/bluetooth.te
index 826856c2706d598cd2f7b9fd6464e51827b4ff0a..c50975765bd82fd7a8837d9d8076a985315892e9 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -16,12 +16,7 @@ allow bluetooth bluetooth_socket:sock_file create_file_perms;
 # bluetooth factory file accesses.
 r_dir_file(bluetooth, bluetooth_efs_file)
 
-# TODO why does bluetooth require access to tun_device? If not,
-# remove access and tighten down neverallow rule so that appdomain is
-# not allowed to open (as opposed to just untrusted_app)
-# Device accesses. b/24744295
-allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
-auditallow bluetooth tun_device:chr_file rw_file_perms;
+allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
 
 # sysfs access.
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
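Review bot: The surviving `allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;` has lost its section heading, because the removed lines took `# Device accesses. b/24744295` out together with the TODO. Its neighbours keep theirs (`# bluetooth factory file accesses.`, `# sysfs access.`), so I would restore `# Device accesses.` above the allow line. The `auditallow` is also dropped with no record in the visible lines of whether it ever logged a tun_device access by bluetooth. The commit message is not in view here, but one sentence there saying no such access was observed would make the removal easier to audit later.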
diff --git a/untrusted_app.te b/untrusted_app.te
index 0e715469b45363b332a310f86e139ce53636bc11..df9c677512fb390b221cb9d91188233386c87376 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -145,9 +145,6 @@ neverallow untrusted_app file_type:file link;
 # Do not allow untrusted_app to access network MAC address file
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 
-# Do not allow untrusted app to directly open tun_device
-neverallow untrusted_app tun_device:chr_file open;
-
 # Do not allow untrusted_app access to /cache
 neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
 neverallow untrusted_app cache_file:file ~{ read getattr };