diff --git a/app.te b/app.te
index dbe3dc2b3a2923e8a7062855b1d395a86f176458..51fbe439f865d0fa87220a744f2e835b9634ffb8 100644
--- a/app.te
+++ b/app.te
@@ -322,8 +322,8 @@ neverallow appdomain
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Access to factory files.
-neverallow appdomain
-    efs_file:dir_file_class_set { read write };
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
 
 # Write to various pseudo file systems.
 neverallow { appdomain -bluetooth -nfc }
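Review bot: The `-shell` exemption on the new read rule carries no rationale, and the comment above it still reads only "Access to factory files." A line such as `# shell is exempted from the read assertion because <reason>; it still needs an explicit allow rule to gain access` would record why the adb shell domain may be allowed to read efs_file, and that the exemption grants nothing by itself. Separately, the rewritten write rule asserts only `write`, while the neverallow that ends just above the comment (its head is outside this hunk) lists `{ create write setattr relabelfrom relabelto append unlink link rename }`. If factory files are meant to be immutable to apps, the efs_file rule could use that same set, so that an `append` or `unlink` grant to an app domain would also fail the build.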