diff --git a/device.te b/device.te
index 344027f8ab9692c36eb8e20337a055d50404d4c1..5f958e35050febd587239e74f4e3ee8bd3d3ab75 100644
--- a/device.te
+++ b/device.te
@@ -33,6 +33,7 @@ type random_device, dev_type;
 type sensors_device, dev_type;
 type serial_device, dev_type;
 type socket_device, dev_type;
+type owntty_device, dev_type, mlstrustedobject;
 type tty_device, dev_type;
 type urandom_device, dev_type;
 type video_device, dev_type;
diff --git a/domain.te b/domain.te
index 40bab7604854096a9b85ec12acf2714d4449a285..bf6fbb08f613733ab1fcc1162a91cc6acd7bbfdc 100644
--- a/domain.te
+++ b/domain.te
@@ -44,6 +44,7 @@ allow domain dev_type:lnk_file read;
 allow domain devpts:dir search;
 allow domain device:file read;
 allow domain socket_device:dir search;
+allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file r_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
diff --git a/file_contexts b/file_contexts
index 2f8c988fafc48b99326f5b61a68f2f0177c54fad..bf460ef34f9feeb18e8d038cf3a92c9a904161e9 100644
--- a/file_contexts
+++ b/file_contexts
@@ -101,6 +101,7 @@
 /dev/spdif_out.* u:object_r:audio_device:s0
 /dev/tegra.* u:object_r:video_device:s0
 /dev/tf_driver u:object_r:tee_device:s0
+/dev/tty u:object_r:owntty_device:s0
 /dev/tty[0-9]* u:object_r:tty_device:s0
 /dev/ttyS[0-9]* u:object_r:serial_device:s0
 /dev/tun u:object_r:tun_device:s0
diff --git a/runas.te b/runas.te
index 0a207e6e1619d15e6fb2d1ea2640c41bdd886230..60b086d49b747723ca35f784a062fae47f9b6c51 100644
--- a/runas.te
+++ b/runas.te
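Review bot: `owntty_device` is declared with `mlstrustedobject` in the device.te hunk, and the domain.te hunk then grants `rw_file_perms` on it to every domain, so together they give every domain read/write access to /dev/tty regardless of MLS level or category, with no comment saying why that is safe. As far as I can tell the access check is made against the `owntty_device` label rather than the label of the terminal behind it, so a domain could reach its controlling terminal this way even where policy denies it the underlying `devpts` or `tty_device` node. I would add a comment above the type, e.g. `# /dev/tty: alias for the caller's own controlling terminal; MLS-exempt because it is labelled s0 but opened by domains at any level.`, and consider whether the allow belongs on the domains that actually run with a terminal rather than on `domain`.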
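Review bot: The new literal `/dev/tty` entry in file_contexts overlaps the existing `/dev/tty[0-9]*` pattern on the following line, which also matches the bare path because `*` allows zero digits. Which label wins depends on the matcher preferring the literal entry over the regex (or on entry order), and nothing in the file says so. A comment above the new line, e.g. `# Exact match for the controlling-terminal alias; must take precedence over /dev/tty[0-9]* below.`, would keep a later reorder or pattern cleanup from silently relabelling /dev/tty as `tty_device`.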
@@ -19,15 +19,15 @@ dontaudit shell self:capability { sys_ptrace kill };
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
+allow runas adbd:process sigchld;
 allow runas shell:fd use;
-allow runas devpts:chr_file { read write };
+allow runas devpts:chr_file { read write ioctl };
 # run-as reads package information.
 allow runas system_data_file:file r_file_perms;
 # run-as checks and changes to the app data dir.
 dontaudit runas self:capability dac_override;
-allow runas self:capability dac_read_search;
 allow runas app_data_file:dir { getattr search };
 # run-as switches to the app UID/GID.
@@ -41,18 +41,15 @@ allow runas untrusted_app:process dyntransition; # setcon
 # run-as runs lib/gdbserver from the app data dir.
 allow untrusted_app system_data_file:file rx_file_perms;
-# run-as may also run sh or system commands.
-allow untrusted_app shell_exec:file rx_file_perms;
-allow untrusted_app system_file:file rx_file_perms;
-
 # gdbserver reads the zygote.
 allow untrusted_app zygote_exec:file r_file_perms;
 # (grand)child death notification.
 allow untrusted_app shell:process sigchld;
+allow untrusted_app adbd:process sigchld;
 # child shell or gdbserver pty access.
-allow untrusted_app devpts:chr_file { getattr read write };
+allow untrusted_app devpts:chr_file { getattr read write ioctl };
 # gdbserver creates a socket in the app data dir.
 allow untrusted_app app_data_file:sock_file { create unlink };
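Review bot: Dropping `allow runas self:capability dac_read_search;` in the first runas.te hunk leaves `dontaudit runas self:capability dac_override;` as the only capability rule under the "run-as checks and changes to the app data dir" comment, and the commit does not say why the capability is no longer needed. If run-as still triggers a dac_read_search check on that path, the denial is now both enforced and audited, so the log would carry AVC messages that read like policy violations. Either state in the comment that the capability is not required, or, if the denial is expected noise, widen the rule to `dontaudit runas self:capability { dac_override dac_read_search };`.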
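Review bot: The two additions in the second runas.te hunk, `allow untrusted_app adbd:process sigchld;` and `ioctl` on `untrusted_app devpts:chr_file`, are written against `untrusted_app`, so every third-party app receives them, not only a process started through run-as. The surrounding comments tie these rules to the debug case (child shell or gdbserver), but the policy cannot tell that case apart once run-as has switched into the app domain via the `dyntransition` rule named in the hunk header. `ioctl` is the broader of the two, since it is a single permission covering every terminal request on a devpts node the app holds open. I would record that in the comment, e.g. `# child shell or gdbserver pty access; ioctl applies to all untrusted apps, not just run-as children.`, and leave a TODO to move these rules to a dedicated domain for run-as-launched processes.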