diff --git a/app.te b/app.te
index e292c0547e43b4bf2d48e4b8cefae34905a274df..6da0895a9ac33bc1b25e18e9dfad8ccd918fd40e 100644
--- a/app.te
+++ b/app.te
@@ -205,7 +205,8 @@ neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
     { sigkill sigstop signal };
 
 # Transition to a non-app domain.
-neverallow { appdomain -unconfineddomain } ~appdomain:process
+# Exception for the shell domain, can transition to runas, ping, etc.
+neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
     { transition dyntransition };
 
 # Map low memory.
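Review bot: Subtracting `shell` from the source set on the new neverallow line drops the compile-time assertion for both `transition` and `dyntransition` into every non-app domain, which is wider than the comment's "runas, ping, etc." describes. If shell only needs exec-based transitions (presumably the case for runas and ping; confirm against shell's allow rules, which are not in this hunk), the dynamic case can stay asserted by splitting the rule: `neverallow { appdomain -unconfineddomain } ~appdomain:process dyntransition;` and `neverallow { appdomain -shell -unconfineddomain } ~appdomain:process transition;`. The comment should also say what still bounds shell after this change, for example `# shell is exempt: its transition targets are limited only by its own allow rules, not by this assertion.`, so a later over-broad allow for shell is not assumed to be caught here.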