diff --git a/private/app.te b/private/app.te
index 9e628fd4c744517b637bb674da8e868970830f8d..8c2d01bf0bdb274bf05acf596eb61e898f570506 100644
--- a/private/app.te
+++ b/private/app.te
@@ -312,11 +312,6 @@ use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)
 allow appdomain runas_exec:file getattr;
 # Others are either allowed elsewhere or not desired.
 
-# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
-# Check SELinux policy and contexts.
-selinux_check_access(appdomain)
-selinux_check_context(appdomain)
-
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
@@ -480,6 +475,11 @@ neverallow appdomain
 # Access to syslog(2) or /proc/kmsg.
 neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
 
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
 neverallow appdomain fs_type:filesystem ~getattr;
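Review bot: The added comment states a blanket rule ("SELinux is not an API for apps to use"), but all three neverallow rules exempt `shell` without saying why, so a later reader cannot tell whether the carve-out is deliberate or how long it should last. I would extend the comment, for example `# SELinux is not an API for apps to use. shell is exempted only so that CTS can perform access checks.` The second rule also names only `compute_av` and `check_context`. Other `security` class permissions such as `compute_create` and `compute_relabel` are not listed, and whether they are denied to appdomain elsewhere is not visible in this hunk, so it is worth confirming that the narrower set is intended.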
diff --git a/private/shell.te b/private/shell.te
index c0b4ee5a7b005bfb46667b446cd5c6cf5501da54..ebe994e6b8092c6e00db9c9f3f7968476aa98608 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -17,3 +17,7 @@ app_domain(shell)
 
 # allow shell to call dumpsys storaged
 binder_call(shell, storaged)
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
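Review bot: The comment on the new shell grant says only "needed for CTS", whereas the comment removed from private/app.te named the consuming test (cts/tests/tests/security/src/android/security/cts/SELinuxTest.java). Because `shell` is the only appdomain exempted from the new neverallow rules in private/app.te, this grant is the remaining app-side path to the access-check interface and should stay traceable to whatever requires it. If that test is still the consumer (not visible in this commit), I would write `# Perform SELinux access checks, needed for CTS (cts/tests/tests/security/src/android/security/cts/SELinuxTest.java)`.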
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 8e6fa8129041a56f92de3ef3a6a2572ccb6c8cc1..04a26c3e56d84046eac07dc0aba58ffcdf64625f 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -284,33 +284,3 @@ auditallow {
   -vold
 } proc_meminfo:file r_file_perms;
 ')
-
-# Get SELinux enforcing status.
-allow domain_deprecated selinuxfs:dir r_dir_perms;
-allow domain_deprecated selinuxfs:file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -installd
-  -keystore
-  -postinstall_dexopt
-  -runas
-  -servicemanager
-  -system_server
-  -ueventd
-  -zygote
-} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -installd
-  -keystore
-  -postinstall_dexopt
-  -runas
-  -servicemanager
-  -system_server
-  -ueventd
-  -zygote
-} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
-')