diff --git a/public/app.te b/public/app.te
index 0a9e12825a42edaa6c56abfb2f5d2b8593388d0b..4bdd8bf88a7a9623c03d79f4330f0229f7374b97 100644
--- a/public/app.te
+++ b/public/app.te
@@ -174,6 +174,7 @@ userdebug_or_eng(`
 allow appdomain heapdump_data_file:file append;
 ')
+r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow {
 untrusted_app_25
@@ -182,9 +183,7 @@ allow {
 priv_app
 system_app
 platform_app
- shell
 } proc_qtaguid_ctrl:file rw_file_perms;
-r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 # read /proc/net/xt_qtguid/*stat* to per-app network data usage.
 # Exclude isolated app which may not use network sockets.
 r_dir_file({
@@ -194,7 +193,6 @@ r_dir_file({
 priv_app
 system_app
 platform_app
- shell
 }, proc_qtaguid_stat)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
@@ -205,7 +203,6 @@ allow {
 priv_app
 system_app
 platform_app
- shell
 } qtaguid_device:chr_file r_file_perms;
 # Grant GPU access to all processes started by Zygote.
diff --git a/public/shell.te b/public/shell.te
index 5e2745be4fecc556cead8337fad006378e17ef75..c5033ecfc04c327346a83cb48f6ac0d9d7e707d5 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -121,6 +121,7 @@ allow shell {
 proc_meminfo
 proc_modules
 proc_pid_max
+ proc_qtaguid_stat
 proc_stat
 proc_timer
 proc_uptime
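Review bot: The relocated `r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)` rule in the first app.te hunk has no comment of its own and now sits directly above `# Write to /proc/net/xt_qtaguid/ctrl file.`, so it reads as part of the qtaguid block although it grants something different. I would give it its own comment, for example `# Read /proc/net; ephemeral and isolated apps are excluded.`, and separate it visually from the qtaguid rules. The rule covers every appdomain member except the two subtracted types, so it is worth confirming from the attribute assignments (not visible here) whether shell is still covered by it after being dropped from the lists below.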
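Review bot: Nothing in this change pins the reduction of shell's qtaguid access. The app.te hunks only delete `shell` from three allow lists, and this shell.te hunk re-grants `proc_qtaguid_stat`, so a later edit could restore the ctrl or device access unnoticed. A neverallow next to this list, such as `neverallow shell proc_qtaguid_ctrl:file no_w_file_perms;`, would turn a re-grant into a build failure, assuming no rule outside this diff still gives shell that access. The enclosing `allow shell { ... }` statement starts and ends outside the hunk, so confirm that its class and permission set give the new entry read-only permissions. A one-line comment saying why shell still needs the stat files, for example `# Read per-UID network usage from /proc/net/xt_qtaguid/*stat*.`, would also help.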