diff --git a/init.te b/init.te
index 8cdc3bcb59788d2d8d92cb811b4b917b5c0fd9b8..8421fa3d6316306d9e8b687548cb25abaf27ec74 100644
--- a/init.te
+++ b/init.te
@@ -54,6 +54,10 @@ allow init watchdogd:process transition;
 allow init keystore_data_file:dir { open create read getattr setattr search };
 allow init keystore_data_file:file { getattr };
 
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
 # Use setexeccon(), setfscreatecon(), and setsockcreatecon().
 # setexec is for services with seclabel options.
 # setfscreate is for labeling directories and socket files.
diff --git a/unconfined.te b/unconfined.te
index 123d16f953d89a6bfd986112ebcc87badc8bc23e..4dc30dbf426335b57baffa9bc898b83399b2b886 100644
--- a/unconfined.te
+++ b/unconfined.te
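Review bot: The new comment explains the `create` on shell_data_file:dir but not the `setattr` that the same rule grants, and setattr on the shell user's writable directory is the permission a later reader will question. If the reason is that init applies the owner and mode when it makes the directory (which seems likely from the comment, but this diff does not show the init script), record it: `# Init creates /data/local/tmp at boot and sets its owner/mode`. The permission set is otherwise a verbatim copy of the keystore_data_file pair two lines above, so if a third init-created data directory appears it may be worth grouping them under one attribute rather than a third copy.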
@@ -49,13 +49,29 @@ allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain {fs_type dev_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {
+  file_type
+  -keystore_data_file
+  -property_data_file
+  -system_file
+  -exec_type
+  -security_file
+  -shell_data_file
+}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {
+  file_type
+  -keystore_data_file
+  -property_data_file
+  -system_file
+  -exec_type
+  -security_file
+  -shell_data_file
+}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain { rootfs system_file exec_type }:file execute;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
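Review bot: The same seven-entry exclusion set is now spelled out twice in this hunk, once for the `dir lnk_file sock_file fifo_file` rule and once for the `chr_file file` rule, and the next type added to one copy but not the other is the likely future defect. Since this policy is already preprocessed with m4, the list could be held in a single definition that both rules expand, or the excluded types could carry a shared attribute that is subtracted once. Separately, dropping shell_data_file from the blanket allow means any unconfined domain that touched /data/local/tmp through these rules will now be denied unless it has its own rule; the only grant in this diff is the init.te hunk, so other domains (adbd or shell, if they are unconfined here) presumably rely on rules outside this change — worth confirming before merging.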