diff --git a/app.te b/app.te
index 8318b16210fd9f0533c64819081fa67d8916e552..296a536470c6b49acdad9778fab68c9ea15b71c2 100644
--- a/app.te
+++ b/app.te
@@ -318,7 +318,9 @@ neverallow { appdomain -unconfineddomain }
 
 # Access to syslog(2) or /proc/kmsg.
 neverallow { appdomain -system_app -unconfineddomain }
-    kernel:system { syslog_read syslog_mod syslog_console };
+    kernel:system { syslog_mod syslog_console };
+neverallow { appdomain -system_app -unconfineddomain -shelldomain }
+    kernel:system syslog_read;
 
 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
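Review bot: The second neverallow subtracts the whole `shelldomain` attribute, so every domain carrying that attribute can now be granted `syslog_read`, and nothing beside the rule says why. The existing comment `# Access to syslog(2) or /proc/kmsg.` now sits above two rules with different exception lists. I would add a line before the second rule, such as `# shelldomain may read the kernel log so that dmesg works from the shell; no other app domain may.` Which domains carry the attribute is not visible in this hunk, so it is worth confirming the set is limited to the intended shell domains before relying on this carve-out.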
diff --git a/shelldomain.te b/shelldomain.te
index 0a8642656eadc306ebc9f24997c5d205b86d41f1..3dd0941f4bd580ba1f059bf0656d756ddb57b3bf 100644
--- a/shelldomain.te
+++ b/shelldomain.te
@@ -32,3 +32,6 @@ allow shelldomain powerctl_prop:property_service set;
 # Directory read access and file write access is already granted
 # in domain.te.
 allow shelldomain debugfs:file r_file_perms;
+
+# allow shell to run dmesg
+allow shelldomain kernel:system syslog_read;
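Review bot: The added `allow shelldomain kernel:system syslog_read;` is unconditional, so the kernel log becomes readable from the shell on every build variant, including production builds. Depending on kernel configuration, that log can contain kernel addresses and driver diagnostics, which is presumably why app domains are denied it in app.te. If dmesg is only needed for debugging, consider limiting the rule to debug builds, for example with a `userdebug_or_eng` wrapper if this tree's macros provide one. Otherwise, make the intent explicit in the comment, e.g. `# allow shell to run dmesg (intentional on all build types; kernel log is readable over adb)`.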