diff --git a/app.te b/app.te
index 9df1a083b1191ba1875e0fb87137e2532456dd6b..44cd266318599d9c042dc9ff40834d5aac8cc387 100644
--- a/app.te
+++ b/app.te
@@ -316,7 +316,7 @@ neverallow { appdomain -unconfineddomain }
 # Access to syslog(2) or /proc/kmsg.
 neverallow { appdomain -system_app } kernel:system { syslog_mod syslog_console };
-neverallow { appdomain -system_app -shelldomain }
+neverallow { appdomain -system_app -shell }
 kernel:system syslog_read;
 # Ability to perform any filesystem operation other than statfs(2).
diff --git a/attributes b/attributes
index 9d13a1b611036233d7530cae3c0b4493ba001a25..261500ffa3bdba49bcf4b02901cf760db328ee1b 100644
--- a/attributes
+++ b/attributes
@@ -50,9 +50,6 @@ attribute mlstrustedobject;
 # Domains that are allowed all permissions ("unconfined").
 attribute unconfineddomain;
-# All domains used for shells.
-attribute shelldomain;
-
 # All domains used for apps.
 attribute appdomain;
diff --git a/domain.te b/domain.te
index dbe232469904f902cb6ac5736a3577caaf96e6b6..c5db6bb468eb262308d3c18c004283067011f2a2 100644
--- a/domain.te
+++ b/domain.te
@@ -248,7 +248,7 @@ neverallow {
 domain
 -appdomain
 -dumpstate
- -shelldomain
+ -shell
 userdebug_or_eng(`-su')
 -system_server
 -zygote
diff --git a/init_shell.te b/init_shell.te
index e1ca03a0ce195f58ea357c70d758d4bbefb17d22..d2e4d74fd90e62810bb8bafc478e690e3f5a46c7 100644
--- a/init_shell.te
+++ b/init_shell.te
@@ -1,8 +1,6 @@
 # Restricted domain for shell processes spawned by init.
 # Normally these are shell commands or scripts invoked via sh
 # from an init*.rc file. No service should ever run in this domain.
-type init_shell, domain, shelldomain;
+type init_shell, domain;
 domain_auto_trans(init, shell_exec, init_shell)
-unconfined_domain(init_shell)
-
-# inherits from shelldomain.te
+permissive_or_unconfined(init_shell)
diff --git a/shell.te b/shell.te
index 50cc4f5236f26f23bad9221913f12f3406addbc8..6df9c852a88a153d58c089796c5a1915f0470a7e 100644
--- a/shell.te
+++ b/shell.te
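Review bot: Swapping `-shelldomain` for `-shell` in this exemption list quietly removes `init_shell` from it, since that domain carried the shelldomain attribute until this commit and now only `shell` is exempt; the neverallow's target class and permission are outside the hunk, so I cannot tell from here whether init-spawned shells still need the exemption. If they do, add `-init_shell` after `-shell`; if not, a one-line comment above the list such as `# init_shell is deliberately not exempted` would record the decision. Either way, confirm the policy still compiles on user builds: if `permissive_or_unconfined` leaves init_shell unconfined there, as its name suggests, any unconfined rule matching this neverallow would be rejected at build time. The enclosing neverallow statement starts and ends outside the hunk.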
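Review bot: After this hunk `init_shell` has no explicit allow rules of its own — the shelldomain rules it inherited are gone and only the `domain_auto_trans` entry and `permissive_or_unconfined(init_shell)` remain — yet the header comment still describes it as a `Restricted domain`. If the macro expands as its name suggests (permissive on userdebug/eng, unconfined on user), the domain is not confined at all on user builds and only logs denials on the others, so the comment is now misleading. I'd change the first comment line to `# Domain for shell processes spawned by init. NOT yet confined:` followed by `# permissive on userdebug/eng, unconfined on user builds (see permissive_or_unconfined).` so the next reader knows that explicit rules (e.g. executing system_file binaries) still have to be collected from denial logs before the macro can be dropped.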
@@ -1,5 +1,5 @@
 # Domain for shell processes spawned by ADB or console service.
-type shell, domain, shelldomain, mlstrustedsubject;
+type shell, domain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;
 # Create and use network sockets.
@@ -17,4 +17,38 @@ control_logd(shell)
 allow shell anr_data_file:dir r_dir_perms;
 allow shell anr_data_file:file r_file_perms;
-# inherits from shelldomain.te
+# Access /data/local/tmp.
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+
+# adb bugreport
+unix_socket_connect(shell, dumpstate, dumpstate)
+
+allow shell rootfs:dir r_dir_perms;
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+allow shell input_device:chr_file rw_file_perms;
+allow shell system_file:file x_file_perms;
+allow shell shell_exec:file rx_file_perms;
+allow shell zygote_exec:file rx_file_perms;
+
+r_dir_file(shell, apk_data_file)
+
+# Set properties.
+unix_socket_connect(shell, property, init)
+allow shell shell_prop:property_service set;
+allow shell ctl_dumpstate_prop:property_service set;
+allow shell debug_prop:property_service set;
+allow shell powerctl_prop:property_service set;
+
+# systrace support - allow atrace to run
+# debugfs doesn't support labeling individual files, so we have
+# to grant read access to all of /sys/kernel/debug.
+# Directory read access and file write access is already granted
+# in domain.te.
+allow shell debugfs:file r_file_perms;
+
+# allow shell to run dmesg
+allow shell kernel:system syslog_read;
diff --git a/shelldomain.te b/shelldomain.te
deleted file mode 100644
index 3dd0941f4bd580ba1f059bf0656d756ddb57b3bf..0000000000000000000000000000000000000000
--- a/shelldomain.te
+++ /dev/null
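Review bot: `allow shell debugfs:file r_file_perms;` and `allow shell kernel:system syslog_read;` hand every adb or console shell, on user builds as well, read access to all of /sys/kernel/debug and to the kernel log; both are well-known sources of kernel address and configuration disclosure, and the comment explains why debugfs cannot be labeled more finely but not why the grant cannot be build-gated. If atrace and dmesg from the shell are only needed during development, wrap those two rules in a userdebug_or_eng() block; if they are required on user builds, say so in the comment, e.g. `# Needed on user builds too (systrace/dmesg from adb shell).` This hunk also drops the `# Rules for all shell domains` header that introduced this rule set in shelldomain.te, so a one-line header such as `# Rules specific to the adb/console shell (moved from shelldomain.te).` above `# Access /data/local/tmp.` would keep that context. The pairing of `create_file_perms` and `rx_file_perms` on shell_data_file looks like the intended write-then-execute staging area for adb and deserves a comment saying so rather than a change.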
@@ -1,37 +0,0 @@
-# Rules for all shell domains (e.g. console service and adb shell).
-
-# Access /data/local/tmp.
-allow shelldomain shell_data_file:dir create_dir_perms;
-allow shelldomain shell_data_file:file create_file_perms;
-allow shelldomain shell_data_file:file rx_file_perms;
-
-# adb bugreport
-unix_socket_connect(shelldomain, dumpstate, dumpstate)
-
-allow shelldomain rootfs:dir r_dir_perms;
-allow shelldomain devpts:chr_file rw_file_perms;
-allow shelldomain tty_device:chr_file rw_file_perms;
-allow shelldomain console_device:chr_file rw_file_perms;
-allow shelldomain input_device:chr_file rw_file_perms;
-allow shelldomain system_file:file x_file_perms;
-allow shelldomain shell_exec:file rx_file_perms;
-allow shelldomain zygote_exec:file rx_file_perms;
-
-r_dir_file(shelldomain, apk_data_file)
-
-# Set properties.
-unix_socket_connect(shelldomain, property, init)
-allow shelldomain shell_prop:property_service set;
-allow shelldomain ctl_dumpstate_prop:property_service set;
-allow shelldomain debug_prop:property_service set;
-allow shelldomain powerctl_prop:property_service set;
-
-# systrace support - allow atrace to run
-# debugfs doesn't support labeling individual files, so we have
-# to grant read access to all of /sys/kernel/debug.
-# Directory read access and file write access is already granted
-# in domain.te.
-allow shelldomain debugfs:file r_file_perms;
-
-# allow shell to run dmesg
-allow shelldomain kernel:system syslog_read;