diff --git a/app.te b/app.te
index 8d2fa4190ad8615c1b50af5cfc4fd7f54961dd02..70975d9fb2b3c0768280a86cb220b76c9bf1713f 100644
--- a/app.te
+++ b/app.te
@@ -234,6 +234,12 @@ auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
 
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
 ###
 ### Neverallow rules
 ###
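Review bot: The new `allow appdomain adbd:unix_stream_socket connectto;` rule applies to every app domain, isolated_app included, although the comment names only adb backup/restore as the consumer, and the rules removed from shell.te never carried `connectto` at all. If isolated apps take no part in that flow, scope the block the way the tun_device rule directly above does, e.g. `allow { appdomain -isolated_app } adbd:unix_stream_socket connectto;`, and likewise for the `fd use` and socket-permission lines. The comment would also be more useful if it said which side initiates the connection and why `connectto` is needed in addition to using a passed descriptor. The shell.te deletion presumably relies on shell being a member of appdomain; that is not visible in this diff and is worth confirming so shell does not lose its adbd access.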
diff --git a/shell.te b/shell.te
index 02c1745587ee01422daa922b31c861a836ef56a8..8076d460bd14b633812cdac6cc27de6844ebae2c 100644
--- a/shell.te
+++ b/shell.te
@@ -21,10 +21,6 @@ userdebug_or_eng(`
   allow shell misc_logd_file:file r_file_perms;
 ')
 
-# interact with adb
-allow shell adbd:fd use;
-allow shell adbd:unix_stream_socket { read write ioctl getattr };
-
 # Root fs.
 allow shell rootfs:dir r_dir_perms;