diff --git a/app.te b/app.te
index 1fb53e68ea4a325be5842e8ce8fe8b3686605adc..2a6b270b6b404136bfc201e54f863a7cd9965f2c 100644
--- a/app.te
+++ b/app.te
@@ -316,8 +316,8 @@ neverallow appdomain
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Access to factory files.
-neverallow appdomain
-    efs_file:dir_file_class_set { read write };
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
 
 # Write to various pseudo file systems.
 neverallow { appdomain -bluetooth -nfc }
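Review bot: The new `-shell` exemption on the read rule is undocumented; the only comment above it is still "Access to factory files.", which does not say why shell may now be allowed to read `efs_file`. A comment such as `# shell is exempt from the read restriction (<reason / bug reference>); writes stay forbidden for every appdomain, including shell.` would keep later audits from treating this as an accidental weakening. The exemption also covers every class in `dir_file_class_set`; if shell only needs directories and regular files, the remaining classes can stay locked down with something like `neverallow shell efs_file:{ chr_file blk_file sock_file fifo_file } read;`. The matching allow rule is not visible in this hunk, so it is worth checking that it grants no more than the read access this exemption is meant to permit.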