diff --git a/shell.te b/shell.te
index f87027daf9e9337f9a809dfb709ed7feee23805f..9622905b4400103177033687b75da466f1c20f5d 100644
--- a/shell.te
+++ b/shell.te
@@ -112,6 +112,14 @@ allow shell bootchart_data_file:file create_file_perms;
 # Make sure strace works for the non-privileged shell user
 allow shell self:process ptrace;
 
+
+# Allow access to ion memory allocation device.
+allow shell ion_device:chr_file rw_file_perms;
+
+###
+### Neverallow rules
+###
+
 # Do not allow shell to hard link to any files.
 # In particular, if shell hard links to app data
 # files, installd will not be able to guarantee the deletion
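Review bot: The relocated rule `allow shell ion_device:chr_file rw_file_perms;` keeps a comment that restates the rule without saying why the shell domain needs the ion allocator, which makes it hard to judge later whether the grant can be dropped or narrowed. I would record the consumer in the comment, e.g. `# Allow access to ion memory allocation device (needed by <shell-run tool>, see <bug id>).`, with the placeholders filled in by the author. Since `rw_file_perms` in the AOSP macros includes `ioctl`, the rule exposes the ion driver's ioctl interface to the adb shell user; if the policy version in this tree supports extended permissions, an `allowxperm` allowlist would limit that surface. The added blank line at the top of the hunk also leaves two consecutive empty lines before the comment.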
@@ -119,6 +127,3 @@ allow shell self:process ptrace;
 # bugs, so we want to ensure the shell user never has this
 # capability.
 neverallow shell file_type:file link;
-
-# Allow access to ion memory allocation device.
-allow shell ion_device:chr_file rw_file_perms;