diff --git a/private/app.te b/private/app.te
index 1bda9f41c0ab8fcd79fd22b4be51910e3bc2967a..0bc5fdd9707dd5bdacf52982a27ba44068c98300 100644
--- a/private/app.te
+++ b/private/app.te
@@ -478,7 +478,6 @@ neverallow appdomain
 neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
 
 # SELinux is not an API for apps to use
-neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
 neverallow { appdomain -shell } *:security { compute_av check_context };
 neverallow { appdomain -shell } *:netlink_selinux_socket *;
 
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 9c762a1e8cca2d26438a859410724bb70becfe0b..9277d4181ace705d4db6d726698288da508bd8fd 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -166,6 +166,9 @@ neverallow all_untrusted_apps {
   -hidl_token_hwservice # Designed for use by any domain
 }:hwservice_manager find;
 
+# SELinux is not an API for untrusted apps to use
+neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
+
 # Restrict *Binder access from apps to HAL domains. We can only do this on full
 # Treble devices where *Binder communications between apps and HALs are tightly
 # restricted.
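Review bot: The added `neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;` asserts less than the rule this commit deletes from private/app.te, which covered `{ appdomain -shell }`. Any domain that is in appdomain but outside all_untrusted_apps (presumably the platform and system app domains, though the attribute membership is not visible here) can now be granted selinuxfs read or write by a later allow rule without failing the build. Only priv_app needs the exemption in this change, so the tighter form is to keep the original assertion with one more exclusion: `neverallow { appdomain -shell -priv_app } selinuxfs:file no_rw_file_perms;`. To keep writes pinned for priv_app as well, add `neverallow priv_app selinuxfs:file no_w_file_perms;` next to it.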
diff --git a/private/priv_app.te b/private/priv_app.te
index 109c86990f29c6fafd1a286639cc3f089662454f..9603180de32c8ce0ba3ea09302b6393ee9ad8bbb 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -108,6 +108,9 @@ allow priv_app preloads_media_file:dir r_dir_perms;
 # Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
 allow priv_app keystore:keystore_key gen_unique_id;
 
+# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
+allow priv_app selinuxfs:file r_file_perms;
+
 read_runtime_log_tags(priv_app)
 
 ###
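Review bot: The added `allow priv_app selinuxfs:file r_file_perms;` is wider than its comment states in two ways: it applies to every app that runs in the priv_app domain, not only GMS core, and it grants read on every file labelled selinuxfs, not only /sys/fs/selinux/policyvers. If all selinuxfs nodes share that single type (likely, but not shown in this diff), the rule cannot be narrowed by path, so the comment should record the real scope, e.g. `# All priv_app processes may read selinuxfs files; needed for /sys/fs/selinux/policyvers, but the type also covers the other selinuxfs nodes`. The same mismatch between comment and grant is in the `allow recovery selinuxfs:file r_file_perms;` hunk in public/recovery.te. The enclosing file continues outside this hunk, so any existing priv_app neverallows on selinuxfs are not visible from here.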
diff --git a/public/recovery.te b/public/recovery.te
index 6e211ac0ec997a60c95544d36f61f631b41d05e1..99d792cbe64abccac3d169d0be3d06593d0c67a8 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -75,6 +75,9 @@ recovery_only(`
   allow recovery functionfs:dir search;
   allow recovery functionfs:file rw_file_perms;
 
+  # Access to /sys/fs/selinux/policyvers for compatibility check
+  allow recovery selinuxfs:file r_file_perms;
+
   # Required to e.g. wipe userdata/cache.
   allow recovery device:dir r_dir_perms;
   allow recovery block_device:dir r_dir_perms;