diff --git a/public/domain.te b/public/domain.te
index 2bf0be312312b8657467815f0700c7b7eb1b38d7..af4d03e35aadeb3d79a5a1a4828336e28c3e2bb8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -383,6 +383,7 @@ neverallow {
   -init
   -mediadrmserver
   -recovery
+  -shell
   -system_server
 } serialno_prop:file r_file_perms;
 
diff --git a/public/shell.te b/public/shell.te
index 2fe0fc741f6869662cfde0227ca8d3edd6d4dc0a..5f7af0b48f7a364fcb322edbf7dce1da2f00a9b0 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -72,6 +72,9 @@ userdebug_or_eng(`
   set_prop(shell, persist_debug_prop)
 ')
 
+# Read device's serial number from system properties
+get_prop(shell, serialno_prop)
+
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
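Review bot: The added `get_prop(shell, serialno_prop)` sits after the `userdebug_or_eng` block closes, so the grant appears to apply on user builds as well, and its comment says what the rule does but not why the shell domain needs a persistent device identifier. If the grant is meant for all build types, the comment should say so and name the consumer, for example `# Read device's serial number from system properties; needed by <consumer, placeholder>, granted on all build types`. If it is only needed for debugging, the rule belongs inside the `userdebug_or_eng` block. The matching `-shell` exemption in the `serialno_prop` neverallow in public/domain.te carries no rationale either. That neverallow begins outside the hunk, so if its header comment lists the exempted domains, it should be updated to include shell.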