diff --git a/private/coredomain.te b/private/coredomain.te
index 78ffb27df123287c9211abd8bc8f9cc0ed9d6c0b..56502472a8a06e25292d2dc56ea9f6d1c891f3b2 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -169,13 +169,12 @@ full_treble_only(`
   }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
 ')
 
-# Audit coredomain access to /dev nodes that might no longer be needed after
-# Treble.
-userdebug_or_eng(`
-    auditallow coredomain {
-        audio_device
-        iio_device
-        radio_device
-        tee_device
-    }:chr_file { open read append write ioctl };
+# Following /dev nodes must not be directly accessed by coredomain after Treble,
+# but should instead be wrapped by HALs.
+full_treble_only(`
+  neverallow coredomain {
+    iio_device
+    radio_device
+    tee_device
+  }:chr_file { open read append write ioctl };
 ')
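Review bot: The new neverallow list omits `audio_device`, which the removed auditallow covered, and the comment above the rule does not say why. private/system_server.te in this same commit keeps `allow system_server audio_device:chr_file rw_file_perms;` for MIDI, so the omission looks deliberate. A line such as `# audio_device is not listed: system_server still accesses /dev/snd/* directly for MIDI.` would stop a later editor from assuming audio nodes are covered by this rule. Separately, the rule sits inside `full_treble_only` and the `userdebug_or_eng` auditallow is gone, so builds that are not full Treble appear to get neither enforcement nor audit logging for direct coredomain access to these nodes. If that loss of visibility is not intended, the auditallow could be retained for the non-Treble case.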
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index c50faef31feb66d07123700c1a2b4a275476ac99..36e784f92f0aacf499c45288a027800dffff7f28 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -71,10 +71,6 @@ binder_call(surfaceflinger, dumpstate)
 binder_call(surfaceflinger, shell)
 r_dir_file(surfaceflinger, dumpstate)
 
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-allow surfaceflinger tee_device:chr_file rw_file_perms;
-
 # media.player service
 
 # do not use add_service() as hal_graphics_composer_default may be the
diff --git a/private/system_server.te b/private/system_server.te
index 4cf8ae02bc3baf2bdc02d6929a2c0077bc2278fc..1466e6ccafcfebdafc9ccd812a8dc649ee6f1f5f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -326,10 +326,8 @@ allow system_server device:dir r_dir_perms;
 allow system_server mdns_socket:sock_file rw_file_perms;
 allow system_server alarm_device:chr_file rw_file_perms;
 allow system_server gpu_device:chr_file rw_file_perms;
-allow system_server iio_device:chr_file rw_file_perms;
 allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;
-allow system_server radio_device:chr_file r_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;
 allow system_server usbaccessory_device:chr_file rw_file_perms;
 allow system_server video_device:dir r_dir_perms;
@@ -338,7 +336,7 @@ allow system_server adbd_socket:sock_file rw_file_perms;
 allow system_server rtc_device:chr_file rw_file_perms;
 allow system_server audio_device:dir r_dir_perms;
 
-# write access needed for MIDI
+# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
 allow system_server audio_device:chr_file rw_file_perms;
 
 # tun device used for 3rd party vpn apps
diff --git a/public/drmserver.te b/public/drmserver.te
index 4a101478a982ef0b034571a522ad9341f3836caf..b7b641c18d69e11f8077d90cc79a3f63ee8358f7 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -20,7 +20,6 @@ binder_call(drmserver, mediaserver)
 allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
-allow drmserver tee_device:chr_file rw_file_perms;
 allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
 allow drmserver sdcard_type:file { read write getattr map };
 r_dir_file(drmserver, efs_file)
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 40c9a075bbee44a2003597b5164fdfe0a8bfa52c..e1739c2737300b78f0aab0261eeac6fad54d904d 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -7,7 +7,6 @@ binder_use(gatekeeperd)
 
 ### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
 ### These rules should eventually be granted only when needed.
-allow gatekeeperd tee_device:chr_file rw_file_perms;
 allow gatekeeperd ion_device:chr_file r_file_perms;
 # Load HAL implementation
 allow gatekeeperd system_file:dir r_dir_perms;