diff --git a/app.te b/app.te
index 40ec6107939965c8b28c48b7816e2a4f87ea2cb3..bed6aff866942e5ca439ea46f359a0f4acae1e9f 100644
--- a/app.te
+++ b/app.te
@@ -155,6 +155,16 @@ allow appdomain apk_data_file:file { rx_file_perms execmod };
 allow appdomain resourcecache_data_file:file r_file_perms;
 allow appdomain resourcecache_data_file:dir r_dir_perms;
 
+# logd access
+read_logd(appdomain)
+control_logd(appdomain)
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
+
+use_keystore({ appdomain -isolated_app })
+
 ###
 ### CTS-specific rules
 ###
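Review bot: The keystore rules added after the logd block (`allow { appdomain -isolated_app } keystore:keystore_key ...` and `use_keystore(...)`) carry no comment, so they read as part of the `# logd access` section; a header such as `# keystore access: all app domains except isolated_app` would separate them. Separately, `control_logd(appdomain)` applies to every app domain, untrusted ones included. The macro body is not visible here, so it is worth confirming that control of the log daemon is meant to be that broad rather than limited to privileged domains. The existing comment on the zygote socket rule already marks it for deprecation, and a bug or TODO reference there would make that trackable.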
@@ -171,16 +181,6 @@ selinux_check_context(appdomain)
 # Validate that each process is running in the correct security context.
 allow appdomain domain:process getattr;
 
-# logd access
-read_logd(appdomain)
-control_logd(appdomain)
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
-
-use_keystore({ appdomain -isolated_app })
-
 ###
 ### Neverallow rules
 ###
diff --git a/keystore.te b/keystore.te
index 6a89df33a34f0a5e4e5c63c4369534e5b4822b21..3561fede7d247b0656eeb1d0f9868d1b13160a57 100644
--- a/keystore.te
+++ b/keystore.te
@@ -12,6 +12,11 @@ allow keystore keystore_exec:file { getattr };
 allow keystore tee_device:chr_file rw_file_perms;
 allow keystore tee:unix_stream_socket connectto;
 
+allow keystore keystore_service:service_manager { add find };
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
 ###
 ### Neverallow rules
 ###
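Review bot: The `allow keystore keystore_service:service_manager { add find };` rule has no comment, while the `selinux_check_access(keystore)` line next to it does; something like `# Register keystore_service with the service manager.` would document it. It may also be worth checking whether keystore needs `find` on its own service or only `add`. Nothing in this hunk shows a lookup, so if `find` is unused the grant could be reduced to `add`.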
@@ -25,8 +30,3 @@ neverallow { domain -keystore -init } keystore_data_file:dir *;
 neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
 
 neverallow domain keystore:process ptrace;
-
-allow keystore keystore_service:service_manager { add find };
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
diff --git a/untrusted_app.te b/untrusted_app.te
index e880571eb414545c1597bd18ccaabf26a1597a87..f645d6aa9ff232a3445aae67248078c888cd9108 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -138,6 +138,10 @@ auditallow untrusted_app {
     -wifip2p_service
 }:service_manager find;
 
+# Allow verifier to access staged apks.
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+
 ###
 ### neverallow rules
 ###
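Review bot: The comment says `Allow verifier to access staged apks`, but the subject of both rules is the whole `untrusted_app` domain, so every untrusted app gets read access to `apk_tmp_file` and `apk_private_tmp_file`, not only a package verifier. If verifiers have no separate domain in this policy (not visible here), the comment should say so, e.g. `# Package verifiers run as untrusted_app, so all untrusted apps can read staged apks; narrow this once verifiers have their own domain.` Read access to `apk_private_tmp_file` in particular deserves a second look, since the type name suggests staged private packages.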
@@ -162,7 +166,3 @@ neverallow untrusted_app service_manager_type:service_manager add;
 neverallow untrusted_app property_socket:sock_file write;
 neverallow untrusted_app init:unix_stream_socket connectto;
 neverallow untrusted_app property_type:property_service set;
-
-# Allow verifier to access staged apks.
-allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
-allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;