diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index cd8b8134b09c2bac4a1221b76b11c5ededf2507a..7906421846309d25f4bd7e01839d0b9ead0e65ba 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -4,6 +4,7 @@
 (type commontime_management_service)
 (type full_device)
 (type i2c_device)
+(type kmem_device)
 (type mediacodec)
 (type mediacodec_exec)
 (type mtd_device)
diff --git a/private/file_contexts b/private/file_contexts
index 282120ca21b094639e4d73fde1e6903c553138e7..9ef18e2c3e3f69a51eb6d85649aa69d28ef30c89 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -98,9 +98,7 @@
 /dev/iio:device[0-9]+   u:object_r:iio_device:s0
 /dev/ion		u:object_r:ion_device:s0
 /dev/keychord   u:object_r:keychord_device:s0
-/dev/kmem		u:object_r:kmem_device:s0
 /dev/loop-control	u:object_r:loop_control_device:s0
-/dev/mem		u:object_r:kmem_device:s0
 /dev/modem.*		u:object_r:radio_device:s0
 /dev/mtp_usb		u:object_r:mtp_device:s0
 /dev/pmsg0		u:object_r:pmsg_device:s0
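Review bot: Dropping both entries leaves `/dev/mem` and `/dev/kmem` without an explicit label, so on a kernel that still exposes either node it would presumably fall through to whatever catch-all `/dev` rule exists elsewhere in this file (not visible in the hunk). The init.te and vendor_init.te hunks also remove `-kmem_device` from their `dev_type ... :chr_file setattr` allow rules, so the exclusion that previously kept those domains from changing attributes on these nodes is gone as well. The change is only safe if supported kernels are built without these devices (`CONFIG_DEVMEM` / `CONFIG_DEVKMEM` disabled), and neither the policy nor this diff states that assumption. I would record it where the entries used to be, for example `# /dev/mem and /dev/kmem are intentionally unlabeled: supported kernels must not expose them`, and confirm that a kernel-config test enforces it.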
diff --git a/public/device.te b/public/device.te
index 36a060b727d805e78ee9add4cb7352669e0770b2..a4f7f01fe82400a1ed5e10f4cfb8e705d96ddbeb 100644
--- a/public/device.te
+++ b/public/device.te
@@ -25,7 +25,6 @@ type gpu_device, dev_type, mlstrustedobject;
 type graphics_device, dev_type;
 type hw_random_device, dev_type;
 type input_device, dev_type;
-type kmem_device, dev_type;
 type port_device, dev_type;
 type lowpan_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;
diff --git a/public/domain.te b/public/domain.te
index 0a47bc6d6eb48f88c7e8bb8364e88099463ed01a..0843a222fd311bc41c882cce88a550af249ec159 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -434,14 +434,6 @@ neverallow {
 # Ensure that all entrypoint executables are in exec_type or postinstall_file.
 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
 
-# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow {
-  domain
-  -shell # For CTS and is restricted to getattr in shell.te
-  -ueventd # Further restricted in ueventd.te
-} kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
-
 #Ensure that nothing in userspace can access /dev/port
 neverallow {
   domain
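Review bot: Removing this `neverallow` pair drops the only platform-wide assertion that no domain may open, read or write a raw-memory character device, and nothing in the diff replaces it. The 28.0.cil hunk keeps `kmem_device` declared for compatibility, so policy built against that version can apparently still reference the type, and after this change no rule shown here would reject an `allow` on it. The shell.te and ueventd.te hunks remove the matching per-domain restrictions in the same way. If the guarantee is now meant to come from the kernel configuration rather than from policy, say so in a comment here, for example `# /dev/mem and /dev/kmem are not covered by policy; they must be absent from the kernel`, so the removal reads as deliberate. The hunk ends inside the following `/dev/port` neverallow, which continues outside the visible lines.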
diff --git a/public/init.te b/public/init.te
index c2938ad1589c5b8170f9492044144823a6d8df38..c06e538536d072d115c8d03a191dea53a30f33bd 100644
--- a/public/init.te
+++ b/public/init.te
@@ -275,7 +275,6 @@ allow init {
 allow init {
   dev_type
   -keychord_device
-  -kmem_device
   -port_device
 }:chr_file setattr;
 
diff --git a/public/shell.te b/public/shell.te
index cef1b0a355cc1e9dda03b6ffc1cc493818740af5..26f44f6f41d8a677396f529abc04eb8e4c775dc6 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -229,7 +229,6 @@ neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_s
 neverallow shell {
   fuse_device
   hw_random_device
-  kmem_device
   port_device
 }:chr_file ~getattr;
 
diff --git a/public/ueventd.te b/public/ueventd.te
index 0863302dd6ed5a46d37480ede98f5c187db23ac5..cc4e30bf5997a539cd30ed2d56301b3f7d64ff2a 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -68,8 +68,8 @@ neverallow ueventd property_type:property_service set;
 # Restrict ueventd access on block devices to maintenence operations.
 neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
 
-# Only relabelto as we would never want to relabelfrom kmem_device or port_device
-neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
+# Only relabelto as we would never want to relabelfrom port_device
+neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
 
 # Nobody should be able to ptrace ueventd
 neverallow * ueventd:process ptrace;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 2b9c733d9e4d0c92153d315543bc141ecffb3e4c..5ecd2a1031718acbe7721a8b3531687bc871636f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -129,7 +129,6 @@ allow vendor_init {
 allow vendor_init {
   dev_type
   -keychord_device
-  -kmem_device
   -port_device
   -lowpan_device
   -hw_random_device