diff --git a/public/adbd.te b/public/adbd.te
index d60f8f16d904168a773d6181df13d5d142a2af32..f0df8b1583231c6884bd8a455665527b91e0102f 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -84,7 +84,7 @@ userdebug_or_eng(`
 # ndk-gdb invokes adb forward to forward the gdbserver socket.
 allow adbd { app_data_file ephemeral_data_file }:dir search;
 allow adbd { app_data_file ephemeral_data_file }:sock_file write;
-allow adbd { appdomain ephemeral_app }:unix_stream_socket connectto;
+allow adbd appdomain:unix_stream_socket connectto;
 
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
diff --git a/public/audioserver.te b/public/audioserver.te
index 9f390e704cd470e97be6ca147908e981f78c6bf9..676b04e321329dd841c730be128c1649503cec79 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -6,7 +6,7 @@ r_dir_file(audioserver, sdcard_type)
 
 binder_use(audioserver)
 binder_call(audioserver, binderservicedomain)
-binder_call(audioserver, { appdomain ephemeral_app })
+binder_call(audioserver, appdomain)
 binder_service(audioserver)
 
 hwbinder_use(audioserver)
diff --git a/public/domain.te b/public/domain.te
index 9151fd3180eb868eaa493a15799e22e7d1a53d09..5c483848f92e495d1e459d55086e7930b346838b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -297,7 +297,6 @@ neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapre
 neverallow {
   domain
   -appdomain
-  -ephemeral_app
   -dumpstate
   -shell
   userdebug_or_eng(`-su')
diff --git a/public/drmserver.te b/public/drmserver.te
index 790b28337e159b2d379449d0b28434f8ff1198b6..ab42696d2dbc1b6ec79c6373c621f0eb0c2d7c00 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
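Review bot: The narrowed `allow adbd appdomain:unix_stream_socket connectto;` is only equivalent to the removed `{ appdomain ephemeral_app }` form if ephemeral_app carries the appdomain attribute, and nothing in this diff establishes that (no `typeattribute` or `app_domain()` change to the ephemeral_app definition is included), so this change needs to land with or after the one that does. The same dependency applies to the audioserver, domain, drmserver, dumpstate, hal_graphics_composer, lmkd, mediaserver, surfaceflinger, system_server and zygote hunks; of these, only the domain.te neverallow that drops `-ephemeral_app` from its exclusion list would likely fail the policy build if the attribute were missing, whereas the zygote allow/neverallow pair stays self-consistent either way and would silently leave zygote unable to dyntransition into ephemeral apps. Conversely, once ephemeral_app is an appdomain type it inherits every appdomain allow rule, not just the ones touched here, so any restriction that previously relied on ephemeral_app being outside appdomain should be re-checked in the companion change. This hunk sits inside a `userdebug_or_eng(` block whose start and end are outside the hunk.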
@@ -9,7 +9,7 @@ net_domain(drmserver)
 # Perform Binder IPC to system server.
 binder_use(drmserver)
 binder_call(drmserver, system_server)
-binder_call(drmserver, { appdomain ephemeral_app })
+binder_call(drmserver, appdomain)
 binder_service(drmserver)
 # Inherit or receive open files from system_server.
 allow drmserver system_server:fd use;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index d64a4b45781053e543fa0620bdc6f674e7aaa2a8..a495211361c0edbeee2073e203d6a38127398b2e 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -49,7 +49,7 @@ allow dumpstate pstorefs:file r_file_perms;
 allow dumpstate domain:process getattr;
 
 # Signal java processes to dump their stack
-allow dumpstate { appdomain ephemeral_app system_server }:process signal;
+allow dumpstate { appdomain system_server }:process signal;
 
 # Signal native processes to dump their stack.
 # This list comes from native_processes_to_dump in dumpstate/utils.c
@@ -85,7 +85,7 @@ r_dir_file(dumpstate, cgroup)
 
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain ephemeral_app netd wificond })
+binder_call(dumpstate, { appdomain netd wificond })
 
 # Vibrate the device after we are done collecting the bugreport
 # For binderized mode:
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index f875935d94b8ff3214ba19464125be650c21026f..ee12ff134ebaa3cdd9a6cfaf867a504562849a4d 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -13,4 +13,4 @@ allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
 # Fences
 allow hal_graphics_composer system_server:fd use;
 allow hal_graphics_composer bootanim:fd use;
-allow hal_graphics_composer {appdomain ephemeral_app}:fd use;
+allow hal_graphics_composer appdomain:fd use;
diff --git a/public/lmkd.te b/public/lmkd.te
index e25a77fd62ae027c2ef8171a6409b0c6bfe8b035..f4e6c2d57091273592e66cabbcfa5f51bac20b32 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -14,8 +14,6 @@ allow lmkd self:capability ipc_lock;
 ## TODO: maybe scope this down?
 r_dir_file(lmkd, appdomain)
 allow lmkd appdomain:file write;
-r_dir_file(lmkd, ephemeral_app)
-allow lmkd ephemeral_app:file write;
 r_dir_file(lmkd, system_server)
 allow lmkd system_server:file write;
 
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 2acd6298aa4a8337e9dd465c17129928eadb4cd7..47a77389310b44a4b314ba4397aff1e8290184d1 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -22,7 +22,7 @@ userdebug_or_eng(`
 
 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, { appdomain ephemeral_app })
+binder_call(mediaserver, appdomain)
 binder_service(mediaserver)
 
 allow mediaserver media_data_file:dir create_dir_perms;
@@ -48,7 +48,7 @@ allow mediaserver ringtone_file:file { read getattr };
 allow mediaserver radio_data_file:file { read getattr };
 
 # Use pipes passed over Binder from app domains.
-allow mediaserver { appdomain ephemeral_app }:fifo_file { getattr read write };
+allow mediaserver appdomain:fifo_file { getattr read write };
 
 allow mediaserver rpmsg_device:chr_file rw_file_perms;
 
diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te
index 699984f144b0b2329e322d9d1b68e534e6bb530d..2b1faec10f6db1390cd7c90aeed36b9b29ef0365 100644
--- a/public/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -12,7 +12,7 @@ binder_call(surfaceflinger, hal_graphics_composer)
 # Perform Binder IPC.
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, { appdomain ephemeral_app })
+binder_call(surfaceflinger, appdomain)
 binder_call(surfaceflinger, bootanim)
 binder_service(surfaceflinger)
 
@@ -21,7 +21,7 @@ binder_call(surfaceflinger, adbd)
 
 # Read /proc/pid files for Binder clients.
 r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, { appdomain ephemeral_app })
+r_dir_file(surfaceflinger, appdomain)
 
 # Access the GPU.
 allow surfaceflinger gpu_device:chr_file rw_file_perms;
@@ -42,7 +42,7 @@ set_prop(surfaceflinger, system_prop)
 set_prop(surfaceflinger, ctl_bootanim_prop)
 
 # Use open files supplied by an app.
-allow surfaceflinger { appdomain ephemeral_app }:fd use;
+allow surfaceflinger appdomain:fd use;
 allow surfaceflinger app_data_file:file { read write };
 
 # Allow a dumpstate triggered screenshot
diff --git a/public/system_server.te b/public/system_server.te
index 6c59e550436af93452a1d7d42d84951f4db4265e..207add7ae36b8b988b7e282617bb6f0a4c9603d1 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -87,10 +87,10 @@ allow system_server self:socket create_socket_perms_no_ioctl;
 allow system_server self:netlink_route_socket nlmsg_write;
 
 # Kill apps.
-allow system_server { appdomain ephemeral_app }:process { sigkill signal };
+allow system_server appdomain:process { sigkill signal };
 
 # Set scheduling info for apps.
-allow system_server { appdomain ephemeral_app }:process { getsched setsched };
+allow system_server appdomain:process { getsched setsched };
 allow system_server audioserver:process { getsched setsched };
 allow system_server hal_audio:process { getsched setsched };
 allow system_server cameraserver:process { getsched setsched };
@@ -151,7 +151,7 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 
 # Perform Binder IPC.
 binder_use(system_server)
-binder_call(system_server, { appdomain ephemeral_app })
+binder_call(system_server, appdomain)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, dumpstate)
 binder_call(system_server, fingerprintd)
@@ -428,8 +428,8 @@ allow system_server system_file:lnk_file r_file_perms;
 allow system_server gps_control:file rw_file_perms;
 
 # Allow system_server to use app-created sockets and pipes.
-allow system_server { appdomain ephemeral_app }:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server { appdomain ephemeral_app }:{ fifo_file unix_stream_socket } { getattr read write };
+allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
 
 # Allow abstract socket connection
 allow system_server rild:unix_stream_socket connectto;
diff --git a/public/zygote.te b/public/zygote.te
index 385be94a3477675804dac2d20a5e2d696a3196e7..594ac5795c055b992a6893b513c53b7ce2baae3a 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -13,15 +13,15 @@ allow zygote self:capability setpcap;
 # Switch SELinux context to app domains.
 allow zygote self:process setcurrent;
 allow zygote system_server:process dyntransition;
-allow zygote { appdomain ephemeral_app }:process dyntransition;
+allow zygote appdomain:process dyntransition;
 
 # Allow zygote to read app /proc/pid dirs (b/10455872).
-allow zygote { appdomain ephemeral_app }:dir { getattr search };
-allow zygote { appdomain ephemeral_app }:file { r_file_perms };
+allow zygote appdomain:dir { getattr search };
+allow zygote appdomain:file { r_file_perms };
 
 # Move children into the peer process group.
 allow zygote system_server:process { getpgid setpgid };
-allow zygote { appdomain ephemeral_app }:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
 
 # Read system data.
 allow zygote system_data_file:dir r_dir_perms;
@@ -116,7 +116,7 @@ get_prop(zygote, overlay_prop)
 # This is achieved by ensuring that it is impossible for zygote to
 # setcon (dyntransition) to any types other than those associated
 # with appdomain plus system_server.
-neverallow zygote ~{ appdomain ephemeral_app system_server }:process dyntransition;
+neverallow zygote ~{ appdomain system_server }:process dyntransition;
 
 # Zygote should never execute anything from /data except for /data/dalvik-cache files.
 neverallow zygote {