diff --git a/public/app.te b/public/app.te
index 6cb3382cc322c600cb6334649f2a48a8b4041341..7f51574b3d181c81405bf22030ff7331bf41dfd8 100644
--- a/public/app.te
+++ b/public/app.te
@@ -425,10 +425,7 @@ neverallow appdomain
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain -system_app }
-    kernel:system { syslog_mod syslog_console };
-neverallow { appdomain -system_app -shell }
-    kernel:system syslog_read;
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
 
 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
diff --git a/public/shell.te b/public/shell.te
index 0e747b73fb2133f568332adaa2e2ad94b074af66..b00c9efd4f18ac8292a1a5fe16b1c2984fc5aedb 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -85,9 +85,6 @@ userdebug_or_eng(`
   set_prop(shell, persist_debug_prop)
 ')
 
-# allow shell to run dmesg
-allow shell kernel:system syslog_read;
-
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service