diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
index 01daaf90956ce04c94a1e4ccd4aa27d08bccbba7..439c1f80f8460e5526c9f704f21446936456252f 100644
--- a/prebuilts/api/28.0/public/app.te
+++ b/prebuilts/api/28.0/public/app.te
@@ -87,7 +87,7 @@ allow appdomain oemfs:file rx_file_perms;
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
 not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system
diff --git a/public/app.te b/public/app.te
index 01daaf90956ce04c94a1e4ccd4aa27d08bccbba7..439c1f80f8460e5526c9f704f21446936456252f 100644
--- a/public/app.te
+++ b/public/app.te
@@ -87,7 +87,7 @@ allow appdomain oemfs:file rx_file_perms;
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
 not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system