diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 7827c8b11aef54ea953c99aafc2e45328c5667cb..09177240e5f69c5ad85d204411f5bff1c0bf8628 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -91,6 +91,9 @@ neverallow all_untrusted_apps {
   ')
 }:dir_file_class_set { create unlink };
 
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
 # Do not allow untrusted apps to directly open tun_device
 neverallow all_untrusted_apps tun_device:chr_file open;
 
diff --git a/private/platform_app.te b/private/platform_app.te
index 984bb7b4fc54e159cad5d6a3c6f60532a54b50ae..fd4634a30aa132da435fd15f876231fbe78330c3 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -61,3 +61,10 @@ allow platform_app preloads_media_file:file r_file_perms;
 allow platform_app preloads_media_file:dir r_dir_perms;
 
 read_runtime_log_tags(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
diff --git a/private/system_app.te b/private/system_app.te
index 02e6101e4f26d6c5dde7b33ebf1f70415c46ea9f..7950044baaea6eb5eb00ed30f98ead14fd69b27c 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -83,3 +83,10 @@ r_dir_file(system_app, sysfs_type)
 
 control_logd(system_app)
 read_runtime_log_tags(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
diff --git a/public/domain.te b/public/domain.te
index ba733d19eeeb132d437fec4e225ec011211d500b..f75b5310a4aa5146fc0acbfb0ed8b597da19e4d1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -988,26 +988,6 @@ neverallow * domain:file { execute execute_no_trans entrypoint };
 # TODO: fix system_server and dumpstate
 neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
 
-neverallow {
-  domain
-  -init
-  -recovery
-  -sdcardd
-  -vold
-} fuse_device:chr_file open;
-neverallow {
-  domain
-  -dumpstate
-  -init
-  -priv_app
-  -recovery
-  -sdcardd
-  -shell # Restricted by shell.te to only getattr
-  -system_server
-  -ueventd
-  -vold
-} fuse_device:chr_file *;
-
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
 neverallow {