diff --git a/app.te b/app.te
index 70b1c94e35662e3207734484a21a66ee0db830a4..f166caa06c7c2d28b3a5ccc17a918c8249414413 100644
--- a/app.te
+++ b/app.te
@@ -405,3 +405,9 @@ neverallow appdomain {
   system_file
   tmpfs
 }:lnk_file no_w_file_perms;
+
+# Applications should use the activity model for receiving events
+neverallow {
+  appdomain
+  -shell # bugreport
+} input_device:chr_file ~getattr;