diff --git a/init_shell.te b/init_shell.te
index 8ff5c488f05311e2411a7b1c3ec9ece13b436006..e1ca03a0ce195f58ea357c70d758d4bbefb17d22 100644
--- a/init_shell.te
+++ b/init_shell.te
@@ -1,4 +1,6 @@
-# Restricted domain for shell processes spawned by init
+# Restricted domain for shell processes spawned by init.
+# Normally these are shell commands or scripts invoked via sh
+# from an init*.rc file. No service should ever run in this domain.
 type init_shell, domain, shelldomain;
 domain_auto_trans(init, shell_exec, init_shell)
 unconfined_domain(init_shell)
diff --git a/shell.te b/shell.te
index ad30802c7f199866b27be85e75c609ca834801d7..b5f037705c76433e4ef6c163fc320e41e3fcf368 100644
--- a/shell.te
+++ b/shell.te
@@ -1,4 +1,4 @@
-# Domain for shell processes spawned by ADB
+# Domain for shell processes spawned by ADB or console service.
 type shell, domain, shelldomain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;
diff --git a/su.te b/su.te
index 1317fb2a2ec78301adaf5ae1545701a010c45d77..5ba57760ff3f945634789302811b11e5ffdd8c2c 100644
--- a/su.te
+++ b/su.te
@@ -2,6 +2,9 @@ type su_exec, exec_type, file_type;
 userdebug_or_eng(`
+ # Domain used for su processes, as well as for adbd and adb shell
+ # after performing an adb root command. The domain definition is
+ # wrapped to ensure that it does not exist at all on -user builds.
 type su, domain;
 domain_auto_trans(shell, su_exec, su)
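Review bot: The rewritten header in init_shell.te still opens with "Restricted domain", yet the unchanged context line `unconfined_domain(init_shell)` in the same hunk applies what its name suggests is the unconfined rule set, so the comment understates what a process in this domain may do. I would reword the first line to something like `# Domain for shell processes spawned by init (currently unconfined).` so a reader auditing the policy is not misled. The added sentence "No service should ever run in this domain" is only a comment; nothing visible in this hunk enforces it, so it is worth either saying explicitly that it is a convention for init*.rc authors or checking whether it can be expressed as a policy assertion elsewhere in the tree.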