diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 1d3e27bd40f2c6ec030b0d5720a01b4bec74e550..ca7f1fa41cf996ce0dc85a2bf83ca4940360e5a9 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -84,6 +84,7 @@
     update_engine_log_data_file
     vendor_default_prop
     vendor_init
+    vendor_shell
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
     vold_service
diff --git a/private/shell.te b/private/shell.te
index a3c49db3708d7467b09d3c572b77e4543ab6dbc2..ded9d1f9470e67e998046730a2ab3a3c2ca38706 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -36,3 +36,5 @@ unix_socket_connect(shell, traced_consumer, traced)
 allow shell traced:fd use;
 allow shell traced_tmpfs:file { read write getattr map };
 unix_socket_connect(shell, traced_producer, traced)
+
+domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
diff --git a/public/domain.te b/public/domain.te
index e64b6446435a2d92b512849460a923abe1e41711..2222b88e22999ced9f3e4cd5244f79ba2d10db40 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -874,6 +874,7 @@ full_treble_only(`
         coredomain
         -init
         -vendor_init
+        -shell
     } vendor_shell_exec:file { execute execute_no_trans };
 
     # Do not allow vendor components to execute files from system
diff --git a/public/shell.te b/public/shell.te
index 916af1c753f3bde9907e7ddb6f719936506815f5..496d4720f8f31f91e375dcc446003cb69500898a 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -185,6 +185,9 @@ allow shell seapp_contexts_file:file r_file_perms;
 allow shell service_contexts_file:file r_file_perms;
 allow shell sepolicy_file:file r_file_perms;
 
+# Allow shell to start up vendor shell
+allow shell vendor_shell_exec:file rx_file_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/vendor_shell.te b/public/vendor_shell.te
index b33054290f7091e36066ed3e415d6249a723919e..7d30acba4b8fecfb883eb3613ff13dce6dd7dc4d 100644
--- a/public/vendor_shell.te
+++ b/public/vendor_shell.te
@@ -1,4 +1,19 @@
-# vendor shell MUST never run as interactive or login shell.
-# vendor shell CAN never be traisitioned to by any process, so it is
-# only intended by shell script interpreter.
+type vendor_shell, domain;
 type vendor_shell_exec, exec_type, vendor_file_type, file_type;
+
+allow vendor_shell vendor_shell_exec:file rx_file_perms;
+allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
+
+# Use fd from shell when vendor_shell is started from shell
+allow vendor_shell shell:fd use;
+
+# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
+allow vendor_shell adbd:fd use;
+allow vendor_shell adbd:process sigchld;
+allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
+
+allow vendor_shell devpts:chr_file rw_file_perms;
+allow vendor_shell tty_device:chr_file rw_file_perms;
+allow vendor_shell console_device:chr_file rw_file_perms;
+allow vendor_shell input_device:dir r_dir_perms;
+allow vendor_shell input_device:chr_file rw_file_perms;